News aggregator

CVE-2018-6858

National Vulnerability Database - Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Facebook Clone Script.
Categories: Security News

CVE-2018-6860

National Vulnerability Database - Sun, 02/11/2018 - 22:29
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture.
Categories: Security News

CVE-2018-6861

National Vulnerability Database - Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Lawyer Search Script 1.0.2 via a profile update parameter.
Categories: Security News

CVE-2018-6862

National Vulnerability Database - Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Bitcoin MLM Software 1.0.2 via a profile field.
Categories: Security News

CVE-2018-6863

National Vulnerability Database - Sun, 02/11/2018 - 22:29
SQL Injection exists in PHP Scripts Mall Select Your College Script 2.0.2 via a Login Parameter.
Categories: Security News

CVE-2018-6864

National Vulnerability Database - Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Multi religion Responsive Matrimonial 4.7.2 via a user profile update parameter.
Categories: Security News

CVE-2018-6880

National Vulnerability Database - Sun, 02/11/2018 - 22:29
EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full path via an array value for a parameter to class/connect.php.
Categories: Security News

CVE-2018-6881

National Vulnerability Database - Sun, 02/11/2018 - 22:29
EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php.
Categories: Security News

CVE-2018-6888

National Vulnerability Database - Sun, 02/11/2018 - 22:29
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.
Categories: Security News

CVE-2018-6889

National Vulnerability Database - Sun, 02/11/2018 - 22:29
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability, Using this attack, a malicious user can poison the web cache or perform advanced password reset attacks or even trigger arbitrary user re-direction.
Categories: Security News

CVE-2018-6912

National Vulnerability Database - Sun, 02/11/2018 - 21:29
The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file.
Categories: Security News

CVE-2017-18174

National Vulnerability Database - Sun, 02/11/2018 - 13:29
In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.
Categories: Security News

CVE-2018-6892

National Vulnerability Database - Sun, 02/11/2018 - 13:29
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.
Categories: Security News

CVE-2018-6891

National Vulnerability Database - Sun, 02/11/2018 - 01:29
Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js.
Categories: Security News

CVE-2018-1000056

National Vulnerability Database - Fri, 02/09/2018 - 18:29
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Categories: Security News

CVE-2018-1000057

National Vulnerability Database - Fri, 02/09/2018 - 18:29
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.
Categories: Security News

CVE-2018-1000058

National Vulnerability Database - Fri, 02/09/2018 - 18:29
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
Categories: Security News

CVE-2018-1000059

National Vulnerability Database - Fri, 02/09/2018 - 18:29
ValidFormBuilder version 4.5.4 contains a PHP Object Injection vulnerability in Valid Form unserialize method that can result in Possible to execute unauthorised system commands remotely and disclose file contents in file system.
Categories: Security News

CVE-2018-1000060

National Vulnerability Database - Fri, 02/09/2018 - 18:29
Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive() that can result in sensitive configuration data (e.g. passwords) may be logged in clear-text. This attack appear to be exploitable via victims with configuration matching a specific pattern will observe sensitive data outputted in their service log files. This vulnerability appears to have been fixed in 1.2.1 and later, after commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b.
Categories: Security News

CVE-2018-1000061

National Vulnerability Database - Fri, 02/09/2018 - 18:29
ARM mbedTLS version development branch, 2.7.0 and earlier contains a CWE-670, Incorrect condition control flow leading to incorrect return, leading to data loss vulnerability in ssl_write_real(), library/ssl_tls.c:7142 that can result in Leads to data loss, can be escalated to DoS and authorization bypass in application protocols. This attack appear to be exploitable via network connectivity.
Categories: Security News

Pages