News aggregator

CVE-2018-10314

National Vulnerability Database - Wed, 05/09/2018 - 23:29
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List Scripts -> Download section.
Categories: Security News

CVE-2018-10942

National Vulnerability Database - Wed, 05/09/2018 - 23:29
modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file.

CVE-2018-8060

National Vulnerability Database - Wed, 05/09/2018 - 23:29
HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send an IOCTL to the device driver. If input and/or output buffer pointers are NULL or if these buffers' data are invalid, a NULL/invalid pointer access occurs, resulting in a Windows kernel panic aka Blue Screen. This affects IOCTLs higher than 0x85FE2600 with the HWiNFO32 symbolic device name.

CVE-2018-8061

National Vulnerability Database - Wed, 05/09/2018 - 23:29
HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send IOCTL 0x85FE2608 to the device driver with the HWiNFO32 symbolic device name, resulting in direct physical memory read or write.

CVE-2018-8824

National Vulnerability Database - Wed, 05/09/2018 - 23:29
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter.

CVE-2018-9111

National Vulnerability Database - Wed, 05/09/2018 - 23:29
Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via the configuration of a user account. An attacker can execute arbitrary script on an unsuspecting user's browser.

CVE-2018-9112

National Vulnerability Database - Wed, 05/09/2018 - 23:29
A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.

CVE-2018-10952

National Vulnerability Database - Wed, 05/09/2018 - 22:29
In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222088.

CVE-2018-10953

National Vulnerability Database - Wed, 05/09/2018 - 22:29
In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x0022204C.

CVE-2018-10954

National Vulnerability Database - Wed, 05/09/2018 - 22:29
In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222550.

CVE-2018-10955

National Vulnerability Database - Wed, 05/09/2018 - 22:29
In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222548.

CVE-2018-10957

National Vulnerability Database - Wed, 05/09/2018 - 22:29
CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components.

CVE-2018-10958

National Vulnerability Database - Wed, 05/09/2018 - 22:29
In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call.

CVE-2018-10962

National Vulnerability Database - Wed, 05/09/2018 - 22:29
An issue was discovered in Shanghai 2345 Security Guard 3.7.0. 2345MPCSafe.exe, 2345SafeTray.exe, and 2345Speedup.exe allow local users to bypass intended process protections, and consequently terminate processes, because mouse_event is not properly considered.

CVE-2018-10963

National Vulnerability Database - Wed, 05/09/2018 - 22:29
The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file.

CVE-2018-10949

National Vulnerability Database - Wed, 05/09/2018 - 21:29
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

CVE-2018-10950

National Vulnerability Database - Wed, 05/09/2018 - 21:29
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump.

CVE-2018-10951

National Vulnerability Database - Wed, 05/09/2018 - 21:29
mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API.

CVE-2018-6020

National Vulnerability Database - Wed, 05/09/2018 - 17:29
In Silex SX-500 all versions and GE MobileLink(GEH-500) version 1.54 and prior, authentication is not verified when making certain POST requests, which may allow attackers to modify system settings.

CVE-2018-6021

National Vulnerability Database - Wed, 05/09/2018 - 17:29
Silex SD-320AN version 2.01 and prior and GE MobileLink(GEH-SD-320AN) version GEH-1.1 and prior have a system call parameter that is not properly sanitized, which may allow remote code execution.