News aggregator

CVE-2017-18264

National Vulnerability Database - Tue, 05/01/2018 - 13:29
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.
Categories: Security News

CVE-2017-17020

National Vulnerability Database - Tue, 05/01/2018 - 12:29
On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (binary responsible for running the camera's web server) allows remote authenticated attackers to execute code through sanitized /setSystemAdmin user input in the AdminID field being passed directly to a call to system.
Categories: Security News

CVE-2018-10365

National Vulnerability Database - Tue, 05/01/2018 - 12:29
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
Categories: Security News

CVE-2018-10583

National Vulnerability Database - Tue, 05/01/2018 - 12:29
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
Categories: Security News

CVE-2018-8938

National Vulnerability Database - Tue, 05/01/2018 - 12:29
A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.
Categories: Security News

CVE-2018-8939

National Vulnerability Database - Tue, 05/01/2018 - 12:29
An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.
Categories: Security News

CVE-2018-1502

National Vulnerability Database - Tue, 05/01/2018 - 10:29
IBM Content Manager Enterprise Edition Resource Manager 8.4.3 and 9.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 141338.
Categories: Security News

CVE-2018-10371

National Vulnerability Database - Tue, 05/01/2018 - 09:29
An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser via a page title.
Categories: Security News

CVE-2018-10581

National Vulnerability Database - Tue, 05/01/2018 - 09:29
In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also belongs to multiple teams, where one of the Teams has the VariableEdit permission or VariableView permissions for the Environment.
Categories: Security News

Vuln: PHP CVE-2017-16642 Heap Based Buffer Overflow Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/01/2018 - 00:00
PHP CVE-2017-16642 Heap Based Buffer Overflow Vulnerability
Categories: Security News

Vuln: NTP CVE-2018-7185 Denial of Service Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/01/2018 - 00:00
NTP CVE-2018-7185 Denial of Service Vulnerability
Categories: Security News

Vuln: NTP CVE-2018-7184 Denial of Service Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/01/2018 - 00:00
NTP CVE-2018-7184 Denial of Service Vulnerability
Categories: Security News

Bugtraq: Advisory - Sourcetree for Windows - CVE-2018-5226

SecurityFocus Vulnerabilities - Mon, 04/30/2018 - 21:20
Advisory - Sourcetree for Windows - CVE-2018-5226
Categories: Security News

Bugtraq: [SECURITY] [DSA 4186-1] gunicorn security update

SecurityFocus Vulnerabilities - Mon, 04/30/2018 - 21:20
[SECURITY] [DSA 4186-1] gunicorn security update
Categories: Security News

Bugtraq: [SECURITY] [DSA 4185-1] openjdk-8 security update

SecurityFocus Vulnerabilities - Mon, 04/30/2018 - 21:20
[SECURITY] [DSA 4185-1] openjdk-8 security update
Categories: Security News

Bugtraq: [SECURITY] [DSA 4184-1] sdl-image1.2 security update

SecurityFocus Vulnerabilities - Mon, 04/30/2018 - 21:20
[SECURITY] [DSA 4184-1] sdl-image1.2 security update
Categories: Security News

CVE-2018-1000172

National Vulnerability Database - Mon, 04/30/2018 - 18:29
Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Site Scripting (XSS) vulnerability in Image Alt & Title Text. This attack appears to be exploitable via a victim viewing the image in the administrator page. This vulnerability appears to have been fixed in 2.2.45.
Categories: Security News

CVE-2018-10575

National Vulnerability Database - Mon, 04/30/2018 - 18:29
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.
Categories: Security News

CVE-2018-10576

National Vulnerability Database - Mon, 04/30/2018 - 18:29
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user).
Categories: Security News

CVE-2018-10364

National Vulnerability Database - Mon, 04/30/2018 - 17:29
BigTree before 4.2.22 has XSS in the Users management page via the name or company field.
Categories: Security News

Pages