News aggregator

CVE-2018-12524

National Vulnerability Database - Mon, 06/18/2018 - 07:29
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /lib/ provides a directory listing.
Categories: Security News

CVE-2018-12525

National Vulnerability Database - Mon, 06/18/2018 - 07:29
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /images/ provides a directory listing.
Categories: Security News

Bugtraq: [SECURITY] [DSA 4231-1] libgcrypt20 security update

SecurityFocus Vulnerabilities - Mon, 06/18/2018 - 07:20
[SECURITY] [DSA 4231-1] libgcrypt20 security update
Categories: Security News

Bugtraq: [SECURITY] [DSA 4230-1] redis security update

SecurityFocus Vulnerabilities - Mon, 06/18/2018 - 07:20
[SECURITY] [DSA 4230-1] redis security update
Categories: Security News

Bugtraq: [SECURITY] [DSA 4229-1] strongswan security update

SecurityFocus Vulnerabilities - Mon, 06/18/2018 - 07:20
[SECURITY] [DSA 4229-1] strongswan security update
Categories: Security News

Bugtraq: [security bulletin] MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

SecurityFocus Vulnerabilities - Mon, 06/18/2018 - 07:20
[security bulletin] MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF
Categories: Security News

Vuln: Microsoft Windows CVE-2018-8210 Remote Code Execution Vulnerability

SecurityFocus Vulnerabilities - Mon, 06/18/2018 - 00:00
Microsoft Windows CVE-2018-8210 Remote Code Execution Vulnerability
Categories: Security News

CVE-2018-12026

National Vulnerability Database - Sun, 06/17/2018 - 16:29
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.
Categories: Security News

CVE-2018-12027

National Vulnerability Database - Sun, 06/17/2018 - 16:29
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.
Categories: Security News

CVE-2018-12028

National Vulnerability Database - Sun, 06/17/2018 - 16:29
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.
Categories: Security News

CVE-2018-12029

National Vulnerability Database - Sun, 06/17/2018 - 16:29
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
Categories: Security News

CVE-2018-12071

National Vulnerability Database - Sun, 06/17/2018 - 16:29
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.
Categories: Security News

CVE-2018-12072

National Vulnerability Database - Sun, 06/17/2018 - 16:29
An issue was discovered in Cloud Media Popcorn A-200 03-05-130708-21-POP-411-000 firmware. It is configured to provide TELNET remote access (without a password) that pops a shell as root. If an attacker can connect to port 23 on the device, he can completely compromise it.
Categories: Security News

CVE-2018-12073

National Vulnerability Database - Sun, 06/17/2018 - 16:29
An issue was discovered on Eminent EM4544 9.10 devices. The device does not require the user's current password to set a new one within the web interface. Therefore, it is possible to exploit this issue (e.g., in combination with a successful XSS, or at an unattended workstation) to change the admin password to an attacker-chosen value without knowing the current password.
Categories: Security News

CVE-2018-12104

National Vulnerability Database - Sun, 06/17/2018 - 16:29
Cross-site scripting (XSS) vulnerability in Airbnb Knowledge Repo 0.7.4 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/new_report.kp URI.
Categories: Security News

CVE-2018-10997

National Vulnerability Database - Sun, 06/17/2018 - 13:29
Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
Categories: Security News

CVE-2018-11218

National Vulnerability Database - Sun, 06/17/2018 - 13:29
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.
Categories: Security News

CVE-2018-11219

National Vulnerability Database - Sun, 06/17/2018 - 13:29
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.
Categories: Security News

CVE-2018-10377

National Vulnerability Database - Sun, 06/17/2018 - 12:29
PortSwigger Burp Suite before 1.7.34 has Improper Certificate Validation of the Collaborator server certificate, which might allow man-in-the-middle attackers to obtain interaction data.
Categories: Security News

CVE-2018-10969

National Vulnerability Database - Sun, 06/17/2018 - 12:29
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
Categories: Security News

Pages