Sunday, May 6, 2018

Weekly Update: a new vulnerability is published on the National Vulnerability Database (12 items)



New vulnerabilities from the NVD: CVE-2016-10036


Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file.
Published at: May 01, 2018 at 10:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-4209


Automatic Bug Reporting Tool (ABRT) before 2.1.6 allows local users to obtain sensitive information about arbitrary files via vectors related to sha1sums.
Published at: May 01, 2018 at 10:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-4201


Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions.
Published at: May 01, 2018 at 10:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-4040


IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x before 7.2.1.5 and 7.2.x before 7.2.2.0 on Unix use weak permissions (755) for unspecified configuration and log files, which allows local users to obtain sensitive information by reading the files. IBM X-Force ID: 86176.
Published at: May 01, 2018 at 09:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-4035


IBM Sterling Connect:Direct for OpenVMS 3.4.00, 3.4.01, 3.5.00, 3.6.0, and 3.6.0.1 allow remote attackers to have unspecified impact by leveraging failure to reject client requests for an unencrypted session when used as the server in a TCP/IP session and configured for SSL encryption with the client. IBM X-Force ID: 86138.
Published at: May 01, 2018 at 09:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-2049


Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.
Published at: May 01, 2018 at 10:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-0185


Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
Published at: May 01, 2018 at 10:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-0159


The fedora-business-cards package before 1-0.1.beta1.fc17 on Fedora 17 and before 1-0.1.beta1.fc18 on Fedora 18 allows local users to cause a denial of service or write to arbitrary files via a symlink attack on /tmp/fedora-business-cards-buffer.svg.
Published at: May 01, 2018 at 10:29PM

May 02, 2018 at 12:09AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-6272


The NotificationBroadcastReceiver class in the com.android.phone process in Google Android 4.1.1 through 4.4.2 allows attackers to bypass intended access restrictions and consequently make phone calls to arbitrary numbers, send MMI or USSD codes, or hang up ongoing calls via a crafted application.
Published at: May 02, 2018 at 06:29PM

May 02, 2018 at 08:09PM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2013-2233


Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.
Published at: May 04, 2018 at 11:29PM

May 05, 2018 at 02:59AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2012-5628


gofer before 0.68 uses world-writable permissions for /var/lib/gofer/journal/watchdog, which allows local users to cause a denial of service by removing journal entries.
Published at: May 04, 2018 at 11:29PM

May 05, 2018 at 02:59AM
via National Vulnerability Database

New vulnerabilities from the NVD: CVE-2011-0704


389 Directory Server 1.2.7.5, when built with mozldap, allows remote attackers to cause a denial of service (replica crash) by sending an empty modify request.
Published at: May 04, 2018 at 11:29PM

May 05, 2018 at 02:59AM
via National Vulnerability Database

