News aggregator

CVE-2019-5042

National Vulnerability Database - Wed, 09/18/2019 - 17:15
An exploitable Use-After-Free vulnerability exists in the way FunctionType 0 PDF elements are processed in Aspose.PDF 19.2 for C++. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free. An attacker can send a malicious PDF to trigger this vulnerability.
Categories: Security News

CVE-2019-5066

National Vulnerability Database - Wed, 09/18/2019 - 17:15
An exploitable use-after-free vulnerability exists in the way LZW-compressed streams are processed in Aspose.PDF 19.2 for C++. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free condition. To trigger this vulnerability, a specifically crafted PDF document needs to be processed by the target application.
Categories: Security News

CVE-2019-5067

National Vulnerability Database - Wed, 09/18/2019 - 17:15
An uninitialized memory access vulnerability exists in the way Aspose.PDF 19.2 for C++ handles invalid parent object pointers. A specially crafted PDF can cause a read and write from uninitialized memory, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically crafted PDF document needs to be processed by the target application.
Categories: Security News

CVE-2019-5532

National Vulnerability Database - Wed, 09/18/2019 - 17:15
VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
Categories: Security News

CVE-2019-5534

National Vulnerability Database - Wed, 09/18/2019 - 17:15
VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
Categories: Security News

CVE-2019-13550 (webaccess)

National Vulnerability Database - Wed, 09/18/2019 - 17:15
In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash.
Categories: Security News

CVE-2019-9678 (ipc-hdbw4x2x_firmware, ipc-hdw1x2x_firmware, ipc-hdw2x2x_firmware, ipc-hdw4x2x_firmware, ipc-hdw5x2x_firmware, ipc-hfw1x2x_firmware, ipc-hfw2x2x_firmware, ipc-hfw4x2x_firmware, ipc-hfw5x2x_firmware)

National Vulnerability Database - Wed, 09/18/2019 - 15:15
Some Dahua products have the problem of denial of service during the login process. An attacker can cause a device crashed by constructing a malicious packet. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019.
Categories: Security News

CVE-2019-9679 (ipc-hdbw4x2x_firmware, ipc-hdw1x2x_firmware, ipc-hdw2x2x_firmware, ipc-hdw4x2x_firmware, ipc-hdw5x2x_firmware, ipc-hfw1x2x_firmware, ipc-hfw2x2x_firmware, ipc-hfw4x2x_firmware, ipc-hfw5x2x_firmware)

National Vulnerability Database - Wed, 09/18/2019 - 15:15
Some of Dahua's Debug functions do not have permission separation. Low-privileged users can use the Debug function after logging in. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019.
Categories: Security News

CVE-2019-9680 (ipc-hdbw4x2x_firmware, ipc-hdw1x2x_firmware, ipc-hdw2x2x_firmware, ipc-hdw4x2x_firmware, ipc-hdw5x2x_firmware, ipc-hfw1x2x_firmware, ipc-hfw2x2x_firmware, ipc-hfw4x2x_firmware, ipc-hfw5x2x_firmware)

National Vulnerability Database - Wed, 09/18/2019 - 15:15
Some Dahua products have information leakage issues. Attackers can obtain the IP address and device model information of the device by constructing malicious data packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019.
Categories: Security News

CVE-2019-9677 (ipc-hdbw4x2x_firmware, ipc-hdw1x2x_firmware, ipc-hdw2x2x_firmware, ipc-hdw4x2x_firmware, ipc-hdw5x2x_firmware, ipc-hfw1x2x_firmware, ipc-hfw2x2x_firmware, ipc-hfw4x2x_firmware, ipc-hfw5x2x_firmware)

National Vulnerability Database - Wed, 09/18/2019 - 15:15
The specific fields of CGI interface of some Dahua products are not strictly verified, an attacker can cause a buffer overflow by constructing malicious packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18, 2019.
Categories: Security News

CVE-2019-14458

National Vulnerability Database - Wed, 09/18/2019 - 14:15
VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header.
Categories: Security News

CVE-2019-1975

National Vulnerability Database - Wed, 09/18/2019 - 13:15
A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML iframe protection. An attacker could exploit this vulnerability by directing a user to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct clickjacking or other clientside browser attacks.
Categories: Security News

CVE-2019-12620

National Vulnerability Database - Wed, 09/18/2019 - 13:15
A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statistics view to present invalid data to users.
Categories: Security News

CVE-2019-14254

National Vulnerability Database - Wed, 09/18/2019 - 12:15
An issue was discovered in the secure portal in Publisure 2.1.2. Because SQL queries are not well sanitized, there are multiple SQL injections in userAccFunctions.php functions. Using this, an attacker can access passwords and/or grant access to the user account "user" in order to become "Administrator" (for example).
Categories: Security News

CVE-2019-14252

National Vulnerability Database - Wed, 09/18/2019 - 12:15
An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from the adminCons.php view (i.e., the rogue PHP file can be hidden).
Categories: Security News

CVE-2019-14253

National Vulnerability Database - Wed, 09/18/2019 - 12:15
An issue was discovered in servletcontroller in the secure portal in Publisure 2.1.2. One can bypass authentication and perform a query on PHP forms within the /AdminDir folder that should be restricted.
Categories: Security News

CVE-2018-1847

National Vulnerability Database - Wed, 09/18/2019 - 11:15
IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) v2.0.0.0 through 2.0.0.5, v2.1.0.0 through 2.1.0.4, v2.1.1.0 through 2.1.1.4, and v3.0.0.0 through 3.0.0.8 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 150946.
Categories: Security News

CVE-2019-15843

National Vulnerability Database - Wed, 09/18/2019 - 11:15
A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A man-in-the-middle attacker could write files or read privileged data.
Categories: Security News

CVE-2019-16399

National Vulnerability Database - Wed, 09/18/2019 - 10:15
Western Digital WD My Book World through II 1.02.12 suffers from Broken Authentication, which allows an attacker to access the /admin/ directory without credentials. An attacker can easily enable SSH from /admin/system_advanced.php?lang=en and login with the default root password welc0me.
Categories: Security News

CVE-2019-16403

National Vulnerability Database - Wed, 09/18/2019 - 08:15
In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
Categories: Security News

Pages