News aggregator

CVE-2018-5513

National Vulnerability Database - Fri, 06/01/2018 - 10:29
On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, a malformed TLS handshake causes TMM to crash leading to a disruption of service. This issue is only exposed on the data plane when Proxy SSL configuration is enabled. The control plane is not impacted by this issue.
Categories: Security News

CVE-2018-5521

National Vulnerability Database - Fri, 06/01/2018 - 10:29
On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS.
Categories: Security News

CVE-2018-5522

National Vulnerability Database - Fri, 06/01/2018 - 10:29
On F5 BIG-IP 13.0.0, 12.0.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, when processing DIAMETER transactions with carefully crafted attribute-value pairs, TMM may crash.
Categories: Security News

CVE-2018-5523

National Vulnerability Database - Fri, 06/01/2018 - 10:29
On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 and Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
Categories: Security News

CVE-2018-5524

National Vulnerability Database - Fri, 06/01/2018 - 10:29
Under certain conditions, on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.6.1 HF2-11.6.3.1, virtual servers configured with Client SSL or Server SSL profiles which make use of network hardware security module (HSM) functionality are exposed and impacted by this issue.
Categories: Security News

CVE-2018-5525

National Vulnerability Database - Fri, 06/01/2018 - 10:29
A local file vulnerability exists in the F5 BIG-IP Configuration utility on versions 13.0.0, 12.1.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 that exposes files containing F5-provided data only and do not include any configuration data, proxied traffic, or other potentially sensitive customer data.
Categories: Security News

CVE-2018-5526

National Vulnerability Database - Fri, 06/01/2018 - 10:29
Under certain conditions, on F5 BIG-IP ASM 13.1.0-13.1.0.5, Behavioral DOS (BADOS) protection may fail during an attack.
Categories: Security News

CVE-2018-7949

National Vulnerability Database - Fri, 06/01/2018 - 10:29
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a privilege escalation vulnerability. A remote attacker may send some specially crafted login messages to the affected products. Due to improper authentication design, successful exploit enables low privileged users to get or modify passwords of highly privileged users.
Categories: Security News

CVE-2018-7950

National Vulnerability Database - Fri, 06/01/2018 - 10:29
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Successful exploit may allow attackers to obtain the management privilege of the system.
Categories: Security News

CVE-2018-7951

National Vulnerability Database - Fri, 06/01/2018 - 10:29
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Successful exploit may allow attackers to obtain the management privilege of the system.
Categories: Security News

CVE-2018-7976

National Vulnerability Database - Fri, 06/01/2018 - 10:29
There is a stored cross-site scripting (XSS) vulnerability in Huawei eSpace Desktop V300R001C00 and V300R001C50 version. Due to the insufficient validation of the input, an authenticated, remote attacker could exploit this vulnerability to send abnormal messages to the system and perform a XSS attack. A successful exploit could cause the eSpace Desktop to hang up, and the function will restore to normal after restarting the eSpace Desktop.
Categories: Security News

CVE-2018-11646

National Vulnerability Database - Fri, 06/01/2018 - 09:29
webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandles an unset pageURL, leading to an application crash.
Categories: Security News

CVE-2018-8921

National Vulnerability Database - Fri, 06/01/2018 - 09:29
Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.
Categories: Security News

CVE-2018-8922

National Vulnerability Database - Fri, 06/01/2018 - 09:29
Improper access control vulnerability in Synology Drive before 1.0.2-10275 allows remote authenticated users to access non-shared files or folders via unspecified vectors.
Categories: Security News

CVE-2018-11645

National Vulnerability Database - Fri, 06/01/2018 - 08:29
psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.
Categories: Security News

Vuln: Apple macOS/iCloud/iOS/watchOS/tvOS/iTunes CVE-2018-4224 Local Authorization Bypass Vulnerability

SecurityFocus Vulnerabilities - Fri, 06/01/2018 - 00:00
Apple macOS/iCloud/iOS/watchOS/tvOS/iTunes CVE-2018-4224 Local Authorization Bypass Vulnerability
Categories: Security News

Vuln: Apple iOS and Safari CVE-2018-4247 Remote Denial of Service Vulnerability

SecurityFocus Vulnerabilities - Fri, 06/01/2018 - 00:00
Apple iOS and Safari CVE-2018-4247 Remote Denial of Service Vulnerability
Categories: Security News

Vuln: Apple Safari CVE-2018-4205 Address Bar Spoofing Vulnerability

SecurityFocus Vulnerabilities - Fri, 06/01/2018 - 00:00
Apple Safari CVE-2018-4205 Address Bar Spoofing Vulnerability
Categories: Security News

Vuln: WordPress CVE-2018-10101 Security Vulnerability

SecurityFocus Vulnerabilities - Fri, 06/01/2018 - 00:00
WordPress CVE-2018-10101 Security Vulnerability
Categories: Security News

CVE-2018-6552

National Vulnerability Database - Thu, 05/31/2018 - 18:29
Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. The is_same_ns() function returns True when /proc/<global pid>/ does not exist in order to indicate that the crash should be handled in the global namespace rather than inside of a container. However, the portion of the data/apport code that decides whether or not to forward a crash to a container does not always replace sys.argv[1] with the value stored in the host_pid variable when /proc/<global pid>/ does not exist which results in the container pid being used in the global namespace. This flaw affects versions 2.20.8-0ubuntu4 through 2.20.9-0ubuntu7, 2.20.7-0ubuntu3.7, 2.20.7-0ubuntu3.8, and 2.20.1-0ubuntu2.15 through 2.20.1-0ubuntu2.17.
Categories: Security News

Pages