New vulnerabilities from the NVD: CVE-2014-2079. X File Explorer (aka xfe) might allow local users to bypass intended access restrictions and gain access to arbitrary files by leveraging failure to use directory masks when creating files on Samba and NFS shares. Published at: July 16, 2018 at 05:29PM. July 16, 2018 at 09:17PM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2013-0522. The Notes Client Single Logon feature in IBM Notes 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3, and 9.0 on Windows allows local users to discover passwords via vectors involving an unspecified operating system communication mechanism for password transmission between Windows and Notes. IBM X-Force ID: 82531. Published at: July 16, 2018 at 05:29PM. July 16, 2018 at 09:17PM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2017-2638. It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. Published at: July 16, 2018 at 04:29PM. July 19, 2018 at 08:37AM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2017-18103. The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml. Published at: July 18, 2018 at 05:29PM. July 19, 2018 at 08:37AM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2017-17541. A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows injection of JavaScript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature. Published at: July 16, 2018 at 11:29PM. July 19, 2018 at 08:37AM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2016-9574. nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA. Published at: July 19, 2018 at 04:29PM. July 19, 2018 at 06:37PM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2014-2302. The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org. Published at: July 19, 2018 at 08:29PM. July 19, 2018 at 10:37PM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2014-0243. Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a symlink attack to a file in /var/lib/check_mk_agent/job. Published at: July 19, 2018 at 08:29PM. July 19, 2018 at 10:37PM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2016-10727. camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly. Published at: July 20, 2018 at 07:29AM. July 20, 2018 at 08:37AM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2014-4150. The scheme48-send-definition function in cmuscheme48.el in Scheme 48 allows local users to write to arbitrary files via a symlink attack on /tmp/s48lose.tmp. Published at: July 20, 2018 at 08:29PM. July 20, 2018 at 10:14PM via National Vulnerability Database.
New vulnerabilities from the NVD: CVE-2014-2296. XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. Published at: July 20, 2018 at 08:29PM. July 20, 2018 at 10:14PM via National Vulnerability Database.