Monday, 13 January 2020

Weekly Update: new vulnerabilities published on the National Vulnerability Database (38 items)


New vulnerabilities from the NVD: CVE-2017-16778

An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz).
Published at: December 24, 2019 at 04:15PM

December 24, 2019 at 05:48PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-18288

CrushFTP through 8.3.0 is vulnerable to credentials theft via URL redirection.
Published at: December 26, 2019 at 03:15AM

December 26, 2019 at 08:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20492

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).
Published at: December 26, 2019 at 07:15PM

December 26, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2736

In NetworkManager 0.9.2.0, when a new wireless network was created with WPA/WPA2 security in AdHoc mode, it created an open/insecure network.
Published at: December 26, 2019 at 10:15PM

December 26, 2019 at 11:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-1474

A locally exploitable DoS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_topdown, triggered by programs doing an mmap after a MAP_GROWSDOWN mmap, will create an infinite loop condition without releasing the VM semaphore, eventually leading to a system crash.
Published at: December 26, 2019 at 09:15PM

December 26, 2019 at 11:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-5290

ircd-ratbox 3.0.9 mishandles the MONITOR command, which allows remote attackers to cause a denial of service (system out-of-memory event).
Published at: December 26, 2019 at 11:15PM

December 27, 2019 at 01:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4318

File injection vulnerability in Ruby gem Features 0.3.0 allows remote attackers to inject malicious html in the /tmp directory.
Published at: December 26, 2019 at 11:15PM

December 27, 2019 at 01:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-2011

WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009.
Published at: December 26, 2019 at 11:15PM

December 27, 2019 at 01:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-4420

An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Java SE 7 as provided by OpenJDK 7 incorrectly initialized integer arrays after memory allocation (in certain circumstances they had nonzero elements right after the allocation). A remote attacker could use this flaw to obtain potentially sensitive information.
Published at: December 26, 2019 at 11:15PM

December 27, 2019 at 01:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3462

A flaw was found in SSSD version 1.9.0. The SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.
Published at: December 26, 2019 at 11:15PM

December 27, 2019 at 01:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-3088

Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging".
Published at: December 27, 2019 at 01:15AM

December 27, 2019 at 03:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-3085

An authentication bypass exists in the web management interface in Belkin F5D8236-4 v2.
Published at: December 27, 2019 at 01:15AM

December 27, 2019 at 03:50AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-4559

Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) api_key, (2) payment_page_url, (3) merchant_id, (4) api_url, or (5) currency parameter.
Published at: December 27, 2019 at 04:15PM

December 27, 2019 at 05:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-4525

Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in the Ebay Feeds for WordPress plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter.
Published at: December 27, 2019 at 04:15PM

December 27, 2019 at 05:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-4523

Cross-site scripting (XSS) vulnerability in the Easy Career Openings plugin 0.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Published at: December 27, 2019 at 04:15PM

December 27, 2019 at 05:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-1000029

Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would potentially impact other admins (Tenable IDs 5218 and 5269).
Published at: December 27, 2019 at 05:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-1000028

Tenable Nessus before 6.8 has a stored XSS issue that requires admin-level authentication to the Nessus UI, and would only potentially impact other admins (Tenable ID 5198).
Published at: December 27, 2019 at 05:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4695

Winamp 5.63: Invalid Pointer Dereference leading to Arbitrary Code Execution
Published at: December 27, 2019 at 06:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4693

WordPress Xorbin Digital Flash Clock 1.0 has XSS
Published at: December 27, 2019 at 06:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4691

Sencha Labs Connect has XSS with connect.methodOverride()
Published at: December 27, 2019 at 06:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4665

SPBAS Business Automation Software 2012 has CSRF.
Published at: December 27, 2019 at 06:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4664

SPBAS Business Automation Software 2012 has XSS.
Published at: December 27, 2019 at 06:15PM

December 27, 2019 at 07:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-5027

Collabtive 1.0 has incorrect access control
Published at: December 27, 2019 at 08:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4985

Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4982

AVTECH AVN801 DVR has a security bypass via the administration login captcha
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4976

Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4975

Hikvision DS-2CD7153-E IP Camera has Privilege Escalation
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4868

Karotz API 12.07.19.00: Session Token Information Disclosure
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4867

Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4859

INSTEON Hub 2242-222 lacks Web and API authentication
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4796

ReviewBoard 1.6.17 allows code execution by attaching PHP scripts to review request
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4764

Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission.
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4763

Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission.
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4743

Static HTTP Server 1.0 has a Local Overflow
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4692

Xorbin Analog Flash Clock 1.0 extension for Joomla has XSS
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-4621

Magnolia CMS before 4.5.9 has multiple access bypass vulnerabilities
Published at: December 27, 2019 at 07:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2007-0158

thttpd 2007 has buffer underflow.
Published at: December 27, 2019 at 08:15PM

December 27, 2019 at 09:50PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-4980

Multiple stack-based buffer overflows in CFProfile.exe in Toshiba ConfigFree Utility 8.0.38 allow user-assisted attackers to execute arbitrary code.
Published at: December 27, 2019 at 11:15PM

December 28, 2019 at 01:50AM

via National Vulnerability Database

