News aggregator

CVE-2016-10592

National Vulnerability Database - Fri, 06/01/2018 - 14:29
jser-stat is a JSer.info stat library. jser-stat downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
Categories: Security News

CVE-2016-10594

National Vulnerability Database - Fri, 06/01/2018 - 14:29
ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
Categories: Security News

CVE-2016-10595

National Vulnerability Database - Fri, 06/01/2018 - 14:29
jdf-sass is a fork of node-sass for jdf use only. jdf-sass downloads executable resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested file with an attacker-controlled file if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2016-10596

National Vulnerability Database - Fri, 06/01/2018 - 14:29
imageoptim is a Node.js wrapper for some image compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker-controlled tarball if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2016-10597

National Vulnerability Database - Fri, 06/01/2018 - 14:29
cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.
Categories: Security News

CVE-2016-10598

National Vulnerability Database - Fri, 06/01/2018 - 14:29
arrayfire-js is a module for ArrayFire for the Node.js platform. arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2018-10382

National Vulnerability Database - Fri, 06/01/2018 - 13:29
MODX Revolution 2.6.3 has XSS.
Categories: Security News

CVE-2018-11551

National Vulnerability Database - Fri, 06/01/2018 - 13:29
AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists because 'pbxsetup.exe' loads a DLL file improperly. As with any DLL search-order hijack, exploitation requires getting a malicious DLL of the expected name into a directory the installer searches before the legitimate location, typically the directory the installer is run from.
Categories: Security News

CVE-2018-11552

National Vulnerability Database - Fri, 06/01/2018 - 13:29
There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field. The vulnerability exists due to insufficient filtering of user-supplied data. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable application.
Categories: Security News

CVE-2018-11581

National Vulnerability Database - Fri, 06/01/2018 - 13:29
Cross-site scripting (XSS) vulnerability on Brother HL-L2340D and HL-L2380DW series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.
Categories: Security News

CVE-2018-11670

National Vulnerability Database - Fri, 06/01/2018 - 13:29
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
Categories: Security News

CVE-2018-11671

National Vulnerability Database - Fri, 06/01/2018 - 13:29
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle.
Categories: Security News

CVE-2018-3743

National Vulnerability Database - Fri, 06/01/2018 - 13:29
Open redirect in hekto <=0.2.3 when the target domain name is used as an HTML filename on the server.
Categories: Security News

CVE-2018-3746

National Vulnerability Database - Fri, 06/01/2018 - 13:29
The pdfinfojs NPM module, versions <= 0.3.6, has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.
Categories: Security News

CVE-2018-3755

National Vulnerability Database - Fri, 06/01/2018 - 13:29
HTML injection in directory names in sexstatic <=0.6.2 leads to stored XSS: a directory name containing an <iframe> element is rendered unescaped in the listing, so a malicious file can be embedded through it.
Categories: Security News

CVE-2017-2852

National Vulnerability Database - Fri, 06/01/2018 - 11:29
An exploitable denial-of-service vulnerability exists in the unserialization of lists functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Categories: Security News

CVE-2017-2858

National Vulnerability Database - Fri, 06/01/2018 - 11:29
An exploitable denial-of-service vulnerability exists in the traversal of lists functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Categories: Security News

CVE-2017-2860

National Vulnerability Database - Fri, 06/01/2018 - 11:29
An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Categories: Security News

CVE-2018-11485

National Vulnerability Database - Fri, 06/01/2018 - 11:29
The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "referral_site" cookie to have an XSS payload, and placing an order.
Categories: Security News

CVE-2018-11486

National Vulnerability Database - Fri, 06/01/2018 - 11:29
An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to stored cross-site scripting (XSS). An unauthenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field, which will be loaded on every site page.
Categories: Security News