сряда, 6 май 2020 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (39 items)

New vulnerabilities from the NVD: CVE-2019-19699

There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration.
Published at: April 06, 2020 at 07:15PM
View on website

April 06, 2020 at 10:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11053

An issue was discovered on Samsung mobile devices with software through 2015-11-11 (supporting FRP/RL). There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2015-5131 (January 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11052

An issue was discovered on Samsung mobile devices with L(5.0/5.1) software. je_free in libQjpeg.so in Qjpeg in Qt 5.5 allows memory corruption via a malformed JPEG file. The Samsung ID is SVE-2015-5110 (January 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11051

An issue was discovered on Samsung mobile devices with J(4.2) (Qualcomm Wi-Fi chipsets) software. There is a buffer overflow in the Qualcomm WLAN Driver. The Samsung ID is SVE-2016-5326 (February 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11050

An issue was discovered on Samsung mobile devices with S3(KK), Note2(KK), S4(L), Note3(L), and S5(L) software. An attacker can rewrite the IMEI by flashing crafted firmware. The Samsung ID is SVE-2016-5562 (March 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11049

An issue was discovered on Samsung mobile devices with software through 2016-01-16 (Shannon333/308/310 chipsets). The IMEI may be retrieved and modified because of an error in managing key information. The Samsung ID is SVE-2016-5435 (March 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11048

An issue was discovered on Samsung mobile devices with L(5.0/5.1) (Spreadtrum or Marvell chipsets) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2016-5421 (March 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11047

An issue was discovered on Samsung mobile devices with JBP(4.2) and KK(4.4) (Marvell chipsets) software. The ACIPC-MSOCKET driver allows local privilege escalation via a stack-based buffer overflow. The Samsung ID is SVE-2016-5393 (April 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11046

An issue was discovered on Samsung mobile devices with JBP(4.3), KK(4.4), and L(5.0/5.1) software. Because of a misused whitelist, attackers can reach the radio layer (aka RIL or RILD) to place calls or send SMS messages. The Samsung ID is SVE-2016-5733 (May 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11045

An issue was discovered on Samsung mobile devices with L(5.0/5.1) software. The Gallery library allow memory corruption via a malformed image. The Samsung ID is SVE-2016-5317 (May 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11044

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) (with Fingerprint support) software. The check of an application's signature can be bypassed during installation. The Samsung ID is SVE-2016-5923 (June 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11043

An issue was discovered on Samsung mobile devices with M(6.0) software. The S/MIME implementation in EAS uses DES (where 3DES is intended). The Samsung ID is SVE-2016-5871 (June 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11042

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software. There is a SIM Lock bypass. The Samsung ID is SVE-2016-5381 (June 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11041

An issue was discovered on Samsung mobile devices with KK(4.4) software. Attackers can bypass the lockscreen by sending an AT command over USB. The Samsung ID is SVE-2015-5301 (June 2016).
Published at: April 07, 2020 at 04:15PM
View on website

April 07, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18692

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0) (MSM8939, MSM8996, MSM8998, Exynos7580, Exynos8890, or Exynos8895 chipsets) software. There is a race condition, with a resultant buffer overflow, in the sec_ts touchscreen sysfs interface. The Samsung ID is SVE-2016-7501 (January 2017).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11040

An issue was discovered on Samsung mobile devices with L(5.0/5.1) (with USB OTG MyFile2014_L_ESS support) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2015-5068 (June 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11039

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) (AP + CP MDM9x35, or Qualcomm Onechip) software. There is a NULL pointer dereference issue in the IPC socket code. The Samsung ID is SVE-2016-5980 (July 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11038

An issue was discovered on Samsung mobile devices with software through 2016-04-05 (incorporating the Samsung Professional Audio SDK). The Jack audio service doesn't implement access control for shared memory, leading to arbitrary code execution or privilege escalation. The Samsung ID is SVE-2016-5953 (July 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11037

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-6604. Reason: This candidate is a reservation duplicate of CVE-2016-6604. Notes: All CVE users should reference CVE-2016-6604 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11036

An issue was discovered on Samsung mobile devices with M(6.0) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2016-6008 (August 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11035

An issue was discovered on Samsung mobile devices with software through 2016-05-27 (Exynos AP chipsets). A local graphics user can cause a Kernel Crash via the fb0(DECON) frame buffer interface. The Samsung ID is SVE-2016-7011 (October 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11034

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software. The decode function in Qjpeg in Qt 5.7 allows attackers to trigger a system crash via a malformed image. The Samsung ID is SVE-2016-6560 (October 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11033

An issue was discovered on Samsung mobile devices with M(6.0) software. There is a heap-based buffer overflow in tlc_server. The Samsung IDs are SVE-2016-7220 and SVE-2016-7225 (November 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11032

An issue was discovered on Samsung mobile devices with M(6.0) software. An attacker can disable all Sound functionality by broadcasting an unprotected intent. The Samsung IDs are SVE-2016-7179 and SVE-2016-7182 (November 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11031

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software. AntService allows a system_server crash and reboot. The Samsung ID is SVE-2016-7044 (November 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11030

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) (with Hrm sensor support) software. The sysfs of the MAX86902 sensor driver does not prevent concurrent access, leading to a race condition and resultant heap-based buffer overflow. The Samsung ID is SVE-2016-7341 (December 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11029

An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.0) software. Attackers can read the password of the Mobile Hotspot in the log because of an unprotected intent. The Samsung ID is SVE-2016-7301 (December 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11028

An issue was discovered on Samsung mobile devices with software through 2016-09-13 (Exynos AP chipsets). There is a stack-based buffer overflow in the OTP TrustZone trustlet. The Samsung IDs are SVE-2016-7173 and SVE-2016-7174 (December 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11027

An issue was discovered on Samsung mobile devices with M(6.0) software. In the Shade Locked state, a physically proximate attacker can read notifications on the lock screen. The Samsung ID is SVE-2016-7132 (December 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11026

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software. BootReceiver allows attackers to trigger a system crash because of incorrect exception handling. The Samsung ID is SVE-2016-7118 (December 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-11025

An issue was discovered on Samsung mobile devices with software through 2016-09-13 (Exynos AP chipsets). There is a memcpy heap-based buffer overflow in the OTP service. The Samsung ID is SVE-2016-7114 (December 2016).
Published at: April 07, 2020 at 05:15PM
View on website

April 07, 2020 at 08:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18647

An issue was discovered on Samsung mobile devices with M(6,x) and N(7.0) software. The TA Scrypto v1.0 implementation in Secure Driver has a race condition with a resultant buffer overflow. The Samsung IDs are SVE-2017-8973, SVE-2017-8974, and SVE-2017-8975 (November 2017).
Published at: April 07, 2020 at 07:15PM
View on website

April 07, 2020 at 10:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-9545

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
Published at: April 07, 2020 at 09:15PM
View on website

April 08, 2020 at 12:24AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-9544

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStoragePostMessageApi.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
Published at: April 07, 2020 at 09:15PM
View on website

April 08, 2020 at 12:24AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-7488

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.
Published at: April 07, 2020 at 09:15PM
View on website

April 08, 2020 at 12:24AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-9547

An issue was discovered on Samsung mobile devices with JBP(4.3) and KK(4.4.2) software. Because the READ_LOGS permission is mishandled, sensitive information is disclosed in a world-readable copy of the log file if the error message is "Unhandled exception in Dalvik VM," "Application not responding ANR event," or "Crash on an application's native code." The Samsung ID is SVE-2015-2885 (October 2015).
Published at: April 10, 2020 at 10:15PM
View on website

April 11, 2020 at 12:03AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-9546

An issue was discovered on Samsung mobile devices with KK(4.4) and later software through 2015-06-16. In some cases, HTTP is used for an Inputmethod, rather than HTTPS. A man-in-the-middle attacker can modify the client-server data stream to insert directory traversal sequences into an extracted file path. The Samsung ID is SVE-2015-4363 (November 2015).
Published at: April 10, 2020 at 10:15PM
View on website

April 11, 2020 at 12:03AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-8546

An issue was discovered on Samsung mobile devices with software through 2015-11-12, affecting the Galaxy S6/S6 Edge, Galaxy S6 Edge+, and Galaxy Note5 with the Shannon333 chipset. There is a stack-based buffer overflow in the baseband process that is exploitable for remote code execution via a fake base station. The Samsung ID is SVE-2015-5123 (December 2015).
Published at: April 10, 2020 at 10:15PM
View on website

April 11, 2020 at 12:03AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-5524

An issue was discovered on Samsung mobile devices with KK(4.4) and later software through 2015-05-13. There is a buffer overflow in datablock_write because the amount of received data is not validated. The Samsung ID is SVE-2015-4018 (December 2015).
Published at: April 10, 2020 at 10:15PM
View on website

April 11, 2020 at 12:03AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар