News aggregator

CVE-2018-16844

National Vulnerability Database - Wed, 11/07/2018 - 09:29
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Categories: Security News

CVE-2018-16845

National Vulnerability Database - Wed, 11/07/2018 - 09:29
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Categories: Security News

CVE-2018-8021

National Vulnerability Database - Wed, 11/07/2018 - 09:29
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
Categories: Security News

CVE-2018-19047

National Vulnerability Database - Wed, 11/07/2018 - 00:29
** DISPUTED ** mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble."
Categories: Security News

CVE-2018-19052

National Vulnerability Database - Wed, 11/07/2018 - 00:29
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
Categories: Security News

CVE-2018-19053

National Vulnerability Database - Wed, 11/07/2018 - 00:29
PbootCMS 1.2.2 allows remote attackers to execute arbitrary PHP code by specifying a .php filename in a "SET GLOBAL general_log_file" statement, followed by a SELECT statement containing this PHP code.
Categories: Security News

Vuln: Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability

SecurityFocus Vulnerabilities - Wed, 11/07/2018 - 00:00
Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability
Categories: Security News

Vuln: Microsoft Windows Common Controls ActiveX Control CVE-2012-1856 Remote Code Execution Vulnerability

SecurityFocus Vulnerabilities - Wed, 11/07/2018 - 00:00
Microsoft Windows Common Controls ActiveX Control CVE-2012-1856 Remote Code Execution Vulnerability
Categories: Security News

Vuln: Novell NetIQ Sentinel CVE-2016-1000031 Remote Code Execution Vulnerability

SecurityFocus Vulnerabilities - Wed, 11/07/2018 - 00:00
Novell NetIQ Sentinel CVE-2016-1000031 Remote Code Execution Vulnerability
Categories: Security News

CVE-2018-19050

National Vulnerability Database - Tue, 11/06/2018 - 23:29
MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset parameter.
Categories: Security News

CVE-2018-19051

National Vulnerability Database - Tue, 11/06/2018 - 23:29
MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type parameter.
Categories: Security News

CVE-2018-12411

National Vulnerability Database - Tue, 11/06/2018 - 18:29
The administrative daemon (tibdgadmind) of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: 3.3.0; 3.4.0; 3.5.0, TIBCO ActiveSpaces - Developer Edition: 3.0.0; 3.1.0; 3.3.0; 3.4.0; 3.5.0, and TIBCO ActiveSpaces - Enterprise Edition: 3.0.0; 3.1.0; 3.2.0; 3.3.0; 3.4.0; 3.5.0.
Categories: Security News

CVE-2018-12412

National Vulnerability Database - Tue, 11/06/2018 - 18:29
The realm server (tibrealmserver) component of TIBCO Software Inc. TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO FTL - Community Edition: versions up to and including 5.4.0, TIBCO FTL - Developer Edition: versions up to and including 5.4.0, TIBCO FTL - Enterprise Edition: versions up to and including 5.4.0.
Categories: Security News

CVE-2018-12413

National Vulnerability Database - Tue, 11/06/2018 - 18:29
The Schema repository server (tibschemad) component of TIBCO Software Inc.'s TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition: 1.0.0, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition: 1.0.0.
Categories: Security News

CVE-2018-12414

National Vulnerability Database - Tue, 11/06/2018 - 18:29
The Rendezvous Routing Daemon (rvrd), Rendezvous Secure Routing Daemon (rvrsd), Rendezvous Secure Daemon (rvsd), Rendezvous Cache (rvcache), and Rendezvous Daemon Manager (rvdm) components of TIBCO Software Inc.'s TIBCO Rendezvous, TIBCO Rendezvous Developer Edition, TIBCO Rendezvous for z/Linux, TIBCO Rendezvous for z/OS, TIBCO Rendezvous Network Server, TIBCO Substation ES contain vulnerabilities which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Rendezvous: versions up to and including 8.4.5, TIBCO Rendezvous Developer Edition: versions up to and including 8.4.5, TIBCO Rendezvous for z/Linux: versions up to and including 8.4.5, TIBCO Rendezvous for z/OS: versions up to and including 8.4.5, TIBCO Rendezvous Network Server: versions up to and including 1.1.2, and TIBCO Substation ES: versions up to and including 2.12.2.
Categories: Security News

CVE-2018-12415

National Vulnerability Database - Tue, 11/06/2018 - 18:29
The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Messaging Service, TIBCO Enterprise Messaging Service - Community Edition, and TIBCO Enterprise Messaging Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Messaging Service: versions up to and including 8.4.0, TIBCO Enterprise Messaging Service - Community Edition: versions up to and including 8.4.0, and TIBCO Enterprise Messaging Service - Developer Edition versions up to and including 8.4.0.
Categories: Security News

CVE-2018-14667

National Vulnerability Database - Tue, 11/06/2018 - 17:29
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Categories: Security News

CVE-2018-17186

National Vulnerability Database - Tue, 11/06/2018 - 15:29
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Categories: Security News

CVE-2018-16472

National Vulnerability Database - Tue, 11/06/2018 - 14:29
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.
Categories: Security News

CVE-2018-16473

National Vulnerability Database - Tue, 11/06/2018 - 14:29
A path traversal in takeapeek module versions <=0.2.2 allows an attacker to list directory and files.
Categories: Security News

Pages