News aggregator

CVE-2018-9209

National Vulnerability Database - Mon, 11/19/2018 - 13:29
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2
Categories: Security News

CVE-2018-9207

National Vulnerability Database - Mon, 11/19/2018 - 12:29
Arbitrary file upload in jQuery Upload File <= 4.0.2
Categories: Security News

CVE-2018-15759

National Vulnerability Database - Mon, 11/19/2018 - 09:29
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.
Categories: Security News

CVE-2018-15761

National Vulnerability Database - Mon, 11/19/2018 - 09:29
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contain a validation error which allows for privilege escalation. A remote authenticated user may modify the URL and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
Categories: Security News

CVE-2018-17190

National Vulnerability Database - Mon, 11/19/2018 - 09:29
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
Categories: Security News

CVE-2018-1841

National Vulnerability Database - Mon, 11/19/2018 - 09:29
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
Categories: Security News

CVE-2018-18519

National Vulnerability Database - Mon, 11/19/2018 - 03:29
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
Categories: Security News

Vuln: Oracle Java SE/Java SE Embedded CVE-2018-3139 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded CVE-2018-3139 Remote Security Vulnerability
Categories: Security News

Vuln: Oracle Java SE/Java SE Embedded CVE-2018-3136 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded CVE-2018-3136 Remote Security Vulnerability
Categories: Security News

Vuln: Oracle Java SE/Java SE Embedded CVE-2018-13785 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded CVE-2018-13785 Remote Security Vulnerability
Categories: Security News

Vuln: Oracle Java SE/Java SE Embedded/JRockit CVE-2018-3214 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded/JRockit CVE-2018-3214 Remote Security Vulnerability
Categories: Security News

CVE-2018-19355

National Vulnerability Database - Sun, 11/18/2018 - 19:29
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a PHP file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
Categories: Security News

CVE-2008-7320

National Vulnerability Database - Sun, 11/18/2018 - 14:29
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
Categories: Security News

CVE-2018-19358

National Vulnerability Database - Sun, 11/18/2018 - 14:29
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used.
Categories: Security News

CVE-2018-19351

National Vulnerability Database - Sun, 11/18/2018 - 12:29
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
Categories: Security News

CVE-2018-19352

National Vulnerability Database - Sun, 11/18/2018 - 12:29
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
Categories: Security News

CVE-2018-19353

National Vulnerability Database - Sun, 11/18/2018 - 12:29
The ansilove_ansi function in loaders/ansi.c in libansilove 1.0.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.
Categories: Security News

CVE-2018-19349

National Vulnerability Database - Sat, 11/17/2018 - 17:29
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.
Categories: Security News

CVE-2018-19350

National Vulnerability Database - Sat, 11/17/2018 - 17:29
In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element.
Categories: Security News

CVE-2018-19341

National Vulnerability Database - Sat, 11/17/2018 - 16:29
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader!std::basic_ostream >::operator<<+0x0000000000087906" issue.
Categories: Security News
