News aggregator

CVE-2017-2795

National Vulnerability Database - Fri, 09/07/2018 - 12:29
An exploitable heap corruption vulnerability exists in the Txo functionality of Antenna House DMC HTMLFilter as used by MarkLogic 8.0-6. A specially crafted xls file can cause a heap corruption resulting in arbitrary code execution. An attacker can send/provide malicious XLS file to trigger this vulnerability.
Categories: Security News

CVE-2018-3952

National Vulnerability Database - Fri, 09/07/2018 - 11:29
An exploitable code execution vulnerability exists in the connect functionality of NordVPN 6.14.28.0. A specially crafted configuration file can cause a privilege escalation, resulting in the execution of arbitrary commands with system privileges.
Categories: Security News

CVE-2018-4010

National Vulnerability Database - Fri, 09/07/2018 - 11:29
An exploitable code execution vulnerability exists in the connect functionality of ProtonVPN VPN client 1.5.1. A specially crafted configuration file can cause a privilege escalation, resulting in the ability to execute arbitrary commands with the system's privileges.
Categories: Security News

CVE-2017-1114

National Vulnerability Database - Fri, 09/07/2018 - 11:29
IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 121152.
Categories: Security News

CVE-2017-1115

National Vulnerability Database - Fri, 09/07/2018 - 11:29
IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 121153.
Categories: Security News

CVE-2018-1567

National Vulnerability Database - Fri, 09/07/2018 - 11:29
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
Categories: Security News

CVE-2018-1756

National Vulnerability Database - Fri, 09/07/2018 - 11:29
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599.
Categories: Security News

CVE-2018-1757

National Vulnerability Database - Fri, 09/07/2018 - 11:29
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application. IBM X-Force ID: 148601.
Categories: Security News

CVE-2018-1789

National Vulnerability Database - Fri, 09/07/2018 - 11:29
IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939.
Categories: Security News

CVE-2018-0662

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to add malicious files on the device and execute arbitrary code.
Categories: Security News

CVE-2018-0663

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector.
Categories: Security News

CVE-2018-16657

National Vulnerability Database - Fri, 09/07/2018 - 10:29
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with an invalid Via header causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the crcitt_string_array core function for calculating a CRC hash for To tags. (An additional error is present in the check_via_address core function: this function also misses input validation.) This could result in denial of service and potentially the execution of arbitrary code.
Categories: Security News

CVE-2018-16658

National Vulnerability Database - Fri, 09/07/2018 - 10:29
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.
Categories: Security News

CVE-2018-0653

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view.
Categories: Security News

CVE-2018-0654

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page.
Categories: Security News

CVE-2018-0655

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page.
Categories: Security News

CVE-2018-0657

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allow an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2018-0658

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.
Categories: Security News

CVE-2018-0659

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create or overwrite existing files via specially crafted ATC file.
Categories: Security News

CVE-2018-0660

National Vulnerability Database - Fri, 09/07/2018 - 10:29
Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file.
Categories: Security News

Pages