News aggregator

CVE-2018-20632 (advance_b2b_script)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Scripting (XSS) via the FIRST NAME or LAST NAME field.
Categories: Security News

CVE-2018-20633 (advance_b2b_script)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Advance B2B Script 2.1.4 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature.
Categories: Security News

CVE-2018-20634 (advance_b2b_script)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Advance B2B Script 2.1.4 allows remote attackers to cause a denial of service (changed page structure) via JavaScript code in the First Name field.
Categories: Security News

CVE-2018-20635 (advance_b2b_script)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Advance B2B Script 2.1.4 has directory traversal via a direct request for a listing of an image directory such as an assets/ directory.
Categories: Security News

CVE-2018-20636

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has HTML injection via the First Name field.
Categories: Security News

CVE-2018-20637

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 allows remote attackers to cause a denial of service (unrecoverable blank profile) via crafted JavaScript code in the First Name and Last Name fields.
Categories: Security News

CVE-2018-20638

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has directory traversal via a direct request for a listing of an image directory such as an assets/ directory.
Categories: Security News

CVE-2018-20639

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has HTML injection via the Search Bar.
Categories: Security News

CVE-2018-20640

National Vulnerability Database - Thu, 03/21/2019 - 12:00
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has stored Cross-Site Scripting (XSS) via the Full Name field.
Categories: Security News
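
The name-field entries above (stored XSS, HTML injection, and the "changed page structure" denial of service) are all the same root cause: profile values are written into the page without output encoding. The following is an added example, not code from PHP Scripts Mall or from any advisory; the template, the payload strings and the helper names are constructed for illustration. It renders a name both ways and uses the standard-library HTML parser to show which start tags a browser would see, so the structural damage from the layout payload is visible as well as the script injection.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from any advisory): a classic stored-XSS
# payload and a markup fragment that only breaks page layout.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
LAYOUT_PAYLOAD = '</span></div><div class="profile" style="display:none">'

# Hypothetical profile template in the style of a PHP "edit profile" page.
TEMPLATE = '<div class="profile"><span class="name">{first} {last}</span></div>'


def render_unsafe(first, last):
    """The vulnerable pattern: stored names are concatenated straight into HTML."""
    return TEMPLATE.format(first=first, last=last)


def render_safe(first, last):
    """Encode at output time for the HTML element context."""
    return TEMPLATE.format(
        first=html.escape(first, quote=True),
        last=html.escape(last, quote=True),
    )


def render_attr_safe(first):
    """Attribute context: quote=True also encodes quotes, so the value cannot
    close the attribute and start an event handler."""
    return '<input name="first_name" value="{}">'.format(html.escape(first, quote=True))


class _TagCollector(HTMLParser):
    """Collects start tags so we can see whether input changed the page's structure."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the sequence of start tags a browser would see in `markup`."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for name, payload in (("script", SCRIPT_PAYLOAD), ("layout", LAYOUT_PAYLOAD)):
        print(name, "unsafe:", start_tags(render_unsafe(payload, "Doe")))
        print(name, "safe:  ", start_tags(render_safe(payload, "Doe")))
```

With the unsafe renderer the script payload adds a `script` start tag and the layout payload adds a second `div`; with encoding at output time both inputs render as text and the tag sequence stays exactly what the template defines. Encoding is context specific: the element-context escape above is not sufficient inside a `<script>` block or a URL attribute.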

CVE-2018-20212 (twiki)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
bin/statistics in TWiki 6.0.2 allows cross-site scripting (XSS) via the webs parameter.
Categories: Security News

CVE-2018-20218

National Vulnerability Database - Thu, 03/21/2019 - 12:00
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. The login form passes user input directly to a shell command without any kind of escaping or validation in the /usr/share/www/check.lp file. An attacker is able to perform command injection using the "password" parameter in the login form.
Categories: Security News
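
The entry above describes the general shape of the bug, not the exact command the device runs, so the following is an added example and not the ENC-400 code: `echo` stands in for the real command, the payload is constructed, and the hash-based verifier is the replacement a practitioner would write rather than anything the vendor shipped. It shows why string-built shell commands are injectable, why an argument vector is not, and that a login check should never hand the password to a shell at all.

```python
import hashlib
import hmac
import os
import subprocess

PBKDF2_ROUNDS = 200_000


def check_login_vulnerable(password):
    """Mirrors the reported pattern: user input interpolated into a shell command
    string. 'echo' stands in for whatever the real page invokes, so this is
    harmless to run, but /bin/sh still parses the metacharacters in `password`."""
    cmd = "echo checking " + password
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_login_argv(password):
    """Same call with an argument vector and no shell: the input is a single argv
    entry, so ';', '|', '$(...)' and backticks are just characters."""
    return subprocess.run(["echo", "checking", password],
                          capture_output=True, text=True).stdout


def make_record(password):
    """Better still: never hand the password to a process. Store a salted PBKDF2
    hash (16-byte salt prepended to the digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, record):
    """Recompute the hash and compare in constant time."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed payload: terminates the intended command and appends another.
    payload = "x; echo INJECTED"
    print(repr(check_login_vulnerable(payload)))  # a second line, INJECTED, appears
    print(repr(check_login_argv(payload)))        # one line, payload echoed literally
    rec = make_record("correct horse")
    print(verify_password("correct horse", rec), verify_password(payload, rec))
```

In the vulnerable path the shell sees two commands and the second one runs; with an argument vector the same string is one literal argument. The hash-based verifier removes the shell from the login path entirely, which is the fix that also survives whatever new metacharacter trick the next tester brings.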

CVE-2018-20219

National Vulnerability Database - Thu, 03/21/2019 - 12:00
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user so that they can access the device's web administration panel. This token is hard-coded to a string in the source code (the /usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged.
Categories: Security News

CVE-2018-20220

National Vulnerability Database - Thu, 03/21/2019 - 12:00
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information.
Categories: Security News
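
The two Teracue entries above (a static, device-independent session cookie, and endpoints reachable without any session) are what a session store and a deny-by-default router are meant to prevent. The block below is an added example, not ENC-400 firmware: the static token value, the route table and the handler bodies are constructed placeholders, and the advisory's real hard-coded string is not reproduced. It contrasts the fixed-string check with per-login random tokens that expire and are revoked on password change, and routes every path through the session check unless it is explicitly public.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the literal the advisory says is hard-coded in check.lp.
STATIC_TOKEN = "constructed-static-token"


def is_authenticated_vulnerable(cookie):
    """The reported pattern: one fixed string is the session for every device, so
    anyone who knows it is logged in, and changing the password changes nothing."""
    return cookie == STATIC_TOKEN


class SessionStore:
    """Per-login random tokens, keyed by their SHA-256 so the store never holds the
    bearer value, with expiry and explicit revocation."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}  # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user, self.clock() + self.ttl)
        return token

    def is_authenticated(self, token):
        if not token:
            return False
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return False
        _user, expiry = rec
        if self.clock() >= expiry:
            del self._sessions[key]
            return False
        return True

    def revoke_user(self, user):
        """Call on password change (and on logout-everywhere)."""
        self._sessions = {k: v for k, v in self._sessions.items() if v[0] != user}


# Deny-by-default routing: every path needs a valid session unless listed as public.
PUBLIC_PATHS = {"/login"}
ROUTES = {  # hypothetical endpoints; bodies are placeholders
    "/login": lambda: "login form",
    "/status": lambda: "encoder status",
    "/config": lambda: "stream configuration",
}


def dispatch(path, session_token, store):
    """Return (status, body). The session check runs before the route lookup, so
    a newly added endpoint is protected unless someone deliberately lists it as
    public, and unknown paths cannot be enumerated without a session."""
    if path not in PUBLIC_PATHS and not store.is_authenticated(session_token):
        return 401, ""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, ""
    return 200, handler()


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("admin")
    print(dispatch("/config", tok, store), dispatch("/config", STATIC_TOKEN, store))
    store.revoke_user("admin")  # e.g. the admin just changed the password
    print(dispatch("/config", tok, store))
```

The `clock` parameter exists so expiry can be tested deterministically; in production the default monotonic clock is fine. Keying the store by the token's hash means a leaked copy of the session table does not hand out usable cookies, and revoking by user is what makes a password change actually end existing access, the property the static token lacks.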

CVE-2018-20221

National Vulnerability Database - Thu, 03/21/2019 - 12:00
Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code runs with the identity of the IIS Application Pool that is running the application.
Categories: Security News

CVE-2018-20323

National Vulnerability Database - Thu, 03/21/2019 - 12:00
www/soap/application/MCSoap/Logs.php in MailCleaner Community Edition 2018.08 allows remote attackers to execute arbitrary OS commands.
Categories: Security News

CVE-2018-20340

National Vulnerability Database - Thu, 03/21/2019 - 12:00
Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey.
Categories: Security News

CVE-2018-20121 (podcast_generator)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
Podcast Generator 2.7 has stored cross-site scripting (XSS) via the URL addcategory parameter.
Categories: Security News

CVE-2018-20140 (zenphoto)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilities via different URL parameters.
Categories: Security News

CVE-2018-20141 (abantecart)

National Vulnerability Database - Thu, 03/21/2019 - 12:00
AbanteCart 1.2.12 has reflected cross-site scripting (XSS) via the sort parameter, as demonstrated by a /apparel--accessories?sort= substring.
Categories: Security News

CVE-2018-20162

National Vulnerability Database - Thu, 03/21/2019 - 12:00
Digi TransPort LR54 4.4.0.26, and possibly earlier versions, has Improper Input Validation that allows users with 'super' CLI access privileges to bypass the restricted shell and execute arbitrary commands as root.
Categories: Security News
