News aggregator

CVE-2018-18794

National Vulnerability Database - Fri, 11/16/2018 - 13:29
School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
Categories: Security News

CVE-2018-18795

National Vulnerability Database - Fri, 11/16/2018 - 13:29
School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter.
Categories: Security News

CVE-2018-18796

National Vulnerability Database - Fri, 11/16/2018 - 13:29
Library Management System 1.0 has SQL Injection via the "Search for Books" screen.
Categories: Security News

CVE-2018-18797

National Vulnerability Database - Fri, 11/16/2018 - 13:29
School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
Categories: Security News

CVE-2018-18799

National Vulnerability Database - Fri, 11/16/2018 - 13:29
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
Categories: Security News

CVE-2018-18801

National Vulnerability Database - Fri, 11/16/2018 - 13:29
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
Categories: Security News

CVE-2018-18803

National Vulnerability Database - Fri, 11/16/2018 - 13:29
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.
Categories: Security News

CVE-2018-18804

National Vulnerability Database - Fri, 11/16/2018 - 13:29
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
Categories: Security News

CVE-2018-15692

National Vulnerability Database - Fri, 11/16/2018 - 13:29
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions.
Categories: Security News

CVE-2018-15693

National Vulnerability Database - Fri, 11/16/2018 - 13:29
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference.
Categories: Security News

CVE-2018-16395

National Vulnerability Database - Fri, 11/16/2018 - 13:29
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Categories: Security News

CVE-2018-1639

National Vulnerability Database - Fri, 11/16/2018 - 10:29
The Report Builder of Jazz Reporting Service 5.0 through 5.0.2 and 6.0 through 6.0.6 could allow an authenticated user to obtain sensitive information beyond its assigned privileges. IBM X-Force ID: 144579.
Categories: Security News

CVE-2018-1797

National Vulnerability Database - Fri, 11/16/2018 - 10:29
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip". IBM X-Force ID: 149427.
Categories: Security News

CVE-2018-7359

National Vulnerability Database - Fri, 11/16/2018 - 10:29
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.
Categories: Security News

CVE-2018-7360

National Vulnerability Database - Fri, 11/16/2018 - 10:29
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by information exposure vulnerability, which may allow an unauthenticated attacker to get the GPON SN information via appviahttp service.
Categories: Security News

CVE-2018-7361

National Vulnerability Database - Fri, 11/16/2018 - 10:29
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service.
Categories: Security News

CVE-2018-7362

National Vulnerability Database - Fri, 11/16/2018 - 10:29
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper access control vulnerability, which may allows an unauthorized user to perform unauthorized operations on the router.
Categories: Security News

CVE-2018-7363

National Vulnerability Database - Fri, 11/16/2018 - 10:29
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute force account credentials.
Categories: Security News

CVE-2018-9071

National Vulnerability Database - Fri, 11/16/2018 - 09:29
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration.
Categories: Security News

CVE-2018-9073

National Vulnerability Database - Fri, 11/16/2018 - 09:29
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets.
Categories: Security News

Pages