News aggregator

Vuln: Davolink DVW-3200N CVE-2018-10618 Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Tue, 07/31/2018 - 00:00
Davolink DVW-3200N CVE-2018-10618 Information Disclosure Vulnerability
Categories: Security News

Vuln: Johnson Controls Metasys and BCPro CVE-2018-10624 Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Tue, 07/31/2018 - 00:00
Johnson Controls Metasys and BCPro CVE-2018-10624 Information Disclosure Vulnerability
Categories: Security News

Vuln: WECON LeviStudioU Multiple Buffer Overflow Vulnerabilities

SecurityFocus Vulnerabilities - Tue, 07/31/2018 - 00:00
WECON LeviStudioU Multiple Buffer Overflow Vulnerabilities
Categories: Security News

CVE-2018-3772

National Vulnerability Database - Mon, 07/30/2018 - 14:29
Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead.
Categories: Security News

CVE-2018-3773

National Vulnerability Database - Mon, 07/30/2018 - 14:29
There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2.
Categories: Security News

CVE-2018-10847

National Vulnerability Database - Mon, 07/30/2018 - 13:29
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
Categories: Security News

CVE-2018-10898

National Vulnerability Database - Mon, 07/30/2018 - 13:29
A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials.
Categories: Security News

CVE-2018-10883

National Vulnerability Database - Mon, 07/30/2018 - 12:29
A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
Categories: Security News

CVE-2018-10903

National Vulnerability Database - Mon, 07/30/2018 - 12:29
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
Categories: Security News

CVE-2018-9064

National Vulnerability Database - Mon, 07/30/2018 - 12:29
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
Categories: Security News

CVE-2018-9065

National Vulnerability Database - Mon, 07/30/2018 - 12:29
In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended.
Categories: Security News

CVE-2018-9066

National Vulnerability Database - Mon, 07/30/2018 - 12:29
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.
Categories: Security News

CVE-2017-7514

National Vulnerability Database - Mon, 07/30/2018 - 11:29
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users.
Categories: Security News

CVE-2017-7518

National Vulnerability Database - Mon, 07/30/2018 - 11:29
A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.
Categories: Security News

CVE-2018-13280

National Vulnerability Database - Mon, 07/30/2018 - 10:29
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.
Categories: Security News

CVE-2016-9597

National Vulnerability Database - Mon, 07/30/2018 - 10:29
It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.
Categories: Security News

CVE-2017-7482

National Vulnerability Database - Mon, 07/30/2018 - 10:29
In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.
Categories: Security News

Bugtraq: secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

SecurityFocus Vulnerabilities - Mon, 07/30/2018 - 10:20
secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306
Categories: Security News

Bugtraq: [SECURITY] [DSA 4258-1] ffmpeg security update

SecurityFocus Vulnerabilities - Mon, 07/30/2018 - 10:20
[SECURITY] [DSA 4258-1] ffmpeg security update
Categories: Security News

Bugtraq: [SECURITY] [DSA 4257-1] fuse security update

SecurityFocus Vulnerabilities - Mon, 07/30/2018 - 10:20
[SECURITY] [DSA 4257-1] fuse security update
Categories: Security News

Pages