News aggregator

CVE-2018-15155

National Vulnerability Database - Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php.
Categories: Security News

CVE-2018-15156

National Vulnerability Database - Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.
Categories: Security News

CVE-2018-15172

National Vulnerability Database - Wed, 08/15/2018 - 13:29
TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header.
Categories: Security News

CVE-2018-8200

National Vulnerability Database - Wed, 08/15/2018 - 13:29
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8204.
Categories: Security News

CVE-2018-8204

National Vulnerability Database - Wed, 08/15/2018 - 13:29
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8200.
Categories: Security News

CVE-2018-15147

National Vulnerability Database - Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter.
Categories: Security News

CVE-2018-15148

National Vulnerability Database - Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter.
Categories: Security News

CVE-2018-15149

National Vulnerability Database - Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter.
Categories: Security News

CVE-2018-15150

National Vulnerability Database - Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php.
Categories: Security News

CVE-2018-15151

National Vulnerability Database - Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.
Categories: Security News

CVE-2018-15152

National Vulnerability Database - Wed, 08/15/2018 - 13:29
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.
Categories: Security News

CVE-2018-15153

National Vulnerability Database - Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.
Categories: Security News

CVE-2018-0952

National Vulnerability Database - Wed, 08/15/2018 - 13:29
An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations, aka "Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Microsoft Visual Studio, Windows 10 Servers.
Categories: Security News

CVE-2018-10369

National Vulnerability Database - Wed, 08/15/2018 - 13:29
A Cross-site scripting (XSS) vulnerability was discovered on Intelbras Win 240 V1.1.0 devices. An attacker can change the Admin Password without a Login.
Categories: Security News

CVE-2018-10917

National Vulnerability Database - Wed, 08/15/2018 - 13:29
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
Categories: Security News

CVE-2018-11687

National Vulnerability Database - Wed, 08/15/2018 - 13:29
An integer overflow in the distributeBTR function of a smart contract implementation for Bitcoin Red (BTCR), an Ethereum ERC20 token, allows the owner to accomplish an unauthorized increase of digital assets by providing a large address[] array, as exploited in the wild in May 2018, aka the "ownerUnderflow" issue.
Categories: Security News

CVE-2018-12056

National Vulnerability Database - Wed, 08/15/2018 - 13:29
The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call. Therefore, it allows attackers to always win and get rewards.
Categories: Security News

CVE-2018-15138

National Vulnerability Database - Wed, 08/15/2018 - 13:29
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
Categories: Security News

CVE-2018-15146

National Vulnerability Database - Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.
Categories: Security News

CVE-2018-1455

National Vulnerability Database - Wed, 08/15/2018 - 11:29
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029.
Categories: Security News

Pages