четвъртък, 14 май 2020 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (31 items)

New vulnerabilities from the NVD: CVE-2016-11021

setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter.
Published at: March 09, 2020 at 03:15AM
View on website

March 09, 2020 at 07:48AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7968

nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
Published at: March 09, 2020 at 04:15PM
View on website

March 09, 2020 at 06:48PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7344

HikaShop Joomla Component before 2.6.0 has XSS via an injected payload[/caption].
Published at: March 09, 2020 at 04:15PM
View on website

March 09, 2020 at 06:48PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7343

JNews Joomla Component before 8.5.0 has XSS via the mailingsearch parameter.
Published at: March 09, 2020 at 04:15PM
View on website

March 09, 2020 at 06:48PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-6918

Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attackers to execute arbitrary commands by uploading files. (
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-1159

In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build 8400,8401,8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7342

JNews Joomla Component before 8.5.0 allows SQL injection via upload thumbnail, Queue Search Field, Subscribers Search Field, or Newsletters Search Field.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7341

JNews Joomla Component before 8.5.0 allows arbitrary File Upload via Subscribers or Templates, as demonstrated by the .php5 extension.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7340

JEvents Joomla Component before 3.4.0 RC6 has SQL Injection via evid in a Manage Events action.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7339

JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a .php file extension for an image file to the /com_jce/editor/libraries/classes/browser.php script.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7338

SQL Injection exists in AcyMailing Joomla Component before 4.9.5 via exportgeolocorder in a geolocation_longitude request to index.php.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-1634

SQL Injection exists in Advanced Newsletter Magento extension before 2.3.5 via the /store/advancednewsletter/index/subscribeajax/an_category_id/ PATH_INFO.
Published at: March 09, 2020 at 07:15PM
View on website

March 09, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-1487

Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization.
Published at: March 09, 2020 at 09:15PM
View on website

March 09, 2020 at 11:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-4538

Lexmark X, W, T, E, and C devices before 2012-02-09 allow attackers to obtain sensitive information by reading passwords within exported settings.
Published at: March 09, 2020 at 09:15PM
View on website

March 09, 2020 at 11:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-3269

Lexmark X, W, T, E, C, 6500e, and 25xxN devices before 2011-11-15 allow attackers to obtain sensitive information via a hidden email address in a Scan To Email shortcut.
Published at: March 09, 2020 at 09:15PM
View on website

March 09, 2020 at 11:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10065

An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753.
Published at: March 10, 2020 at 03:15PM
View on website

March 10, 2020 at 05:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-18894

Certain older Lexmark devices (C, M, X, and 6500e before 2018-12-18) contain a directory traversal vulnerability in the embedded web server.
Published at: March 10, 2020 at 03:15PM
View on website

March 10, 2020 at 05:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14502

controllers/quizzes.php in the Kiboko Chained Quiz plugin before 1.0.9 for WordPress allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters.
Published at: March 10, 2020 at 03:15PM
View on website

March 10, 2020 at 05:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-10992

In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Deserialization with remote code execution via OS commands in a request to invoker/JMXInvokerServlet, aka PSRT110461.
Published at: March 10, 2020 at 03:15PM
View on website

March 10, 2020 at 05:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1096

NetworkManager 0.9 and earlier allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection.
Published at: March 10, 2020 at 07:15PM
View on website

March 10, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1094

JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.
Published at: March 10, 2020 at 07:15PM
View on website

March 10, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1101

systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).
Published at: March 11, 2020 at 05:15PM
View on website

March 11, 2020 at 07:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-1753

The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
Published at: March 11, 2020 at 07:15PM
View on website

March 11, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-2487

The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.
Published at: March 11, 2020 at 06:15PM
View on website

March 11, 2020 at 09:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-1000111

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Published at: March 11, 2020 at 10:15PM
View on website

March 12, 2020 at 01:02AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20586

bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary data into the debug log via an RPC call.
Published at: March 12, 2020 at 11:15PM
View on website

March 13, 2020 at 12:49AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-19516

messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE Applications before 18.12.0 does not properly restrict the handling of an http-equiv="REFRESH" value.
Published at: March 12, 2020 at 11:15PM
View on website

March 13, 2020 at 12:49AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-10704

yidashi yii2cmf 2.0 has XSS via the /search q parameter.
Published at: March 12, 2020 at 11:15PM
View on website

March 13, 2020 at 12:49AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18350

bitcoind and Bitcoin-Qt prior to 0.15.1 have a stack-based buffer overflow if an attacker-controlled SOCKS proxy server is used. This results from an integer signedness error when the proxy server responds with an acknowledgement of an unexpected target domain name.
Published at: March 12, 2020 at 11:15PM
View on website

March 13, 2020 at 12:49AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-3641

bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a denial of service (disabled functionality such as a client application crash) via an "Easy" attack.
Published at: March 12, 2020 at 11:15PM
View on website

March 13, 2020 at 12:49AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-5159

Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment.
Published at: March 13, 2020 at 05:15PM
View on website

March 13, 2020 at 06:49PM

via National Vulnerability Database

 

Няма коментари:

Публикуване на коментар