Tuesday, 21 May 2019

Weekly Update: new vulnerabilities published on the National Vulnerability Database (13 items)


New vulnerabilities from the NVD: CVE-2014-7198

OMERO before 5.0.6 has multiple CSRF vulnerabilities because the framework for OMERO's web interface lacks CSRF protection.
Published at: April 01, 2019 at 03:29AM

April 01, 2019 at 09:16AM

via National Vulnerability Database
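The class of bug behind CVE-2014-7198 is a state-changing request that the server honours simply because the browser attached the victim's session cookie. OMERO.web is a Django application, and the standard fix is the synchronizer-token pattern that Django's CSRF middleware implements. The code below is an added example in plain Python, not OMERO's own code: the in-memory session store, the `email` setting and the attacker's form body are all constructed for the demonstration; the field name `csrfmiddlewaretoken` simply mirrors Django's.

```python
from __future__ import annotations

import hmac
import secrets
from urllib.parse import parse_qs

# Hypothetical in-memory session store (assumption: a real app keeps
# server-side sessions keyed by an HttpOnly cookie).
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Start a session and bind a random, per-session CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "email": None}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the server embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def update_email_vulnerable(sid: str, body: str) -> int:
    """Pre-fix behaviour: the POST is honoured because the browser sent the
    victim's session cookie, no matter which site built the form."""
    params = parse_qs(body)
    SESSIONS[sid]["email"] = params.get("email", [""])[0]
    return 200


def update_email_hardened(sid: str, body: str) -> int:
    """Synchronizer-token check: the form must carry this session's token.
    A cross-site page cannot read it, so a forged form is rejected with 403."""
    params = parse_qs(body)
    submitted = params.get("csrfmiddlewaretoken", [""])[0]  # Django's field name
    expected = SESSIONS[sid]["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    SESSIONS[sid]["email"] = params.get("email", [""])[0]
    return 200


def demo() -> dict:
    """Replay a forged cross-site POST against both handlers."""
    victim = new_session()
    forged = "email=attacker%40evil.example"  # constructed attacker form body
    legit = ("email=owner%40corp.example"
             "&csrfmiddlewaretoken=" + csrf_token_for(victim))
    results = {}
    results["vulnerable"] = (update_email_vulnerable(victim, forged),
                             SESSIONS[victim]["email"])
    SESSIONS[victim]["email"] = None
    results["hardened_forged"] = (update_email_hardened(victim, forged),
                                  SESSIONS[victim]["email"])
    results["hardened_legit"] = (update_email_hardened(victim, legit),
                                 SESSIONS[victim]["email"])
    return results


if __name__ == "__main__":
    for case, (status, email) in demo().items():
        print(f"{case:16s} status={status} email={email}")
```

The token must be bound to the session (or derived from it with a keyed hash) and compared in constant time; a token that is merely random but stored in a second cookie without a `SameSite` restriction does not help, because the browser sends cookies on cross-site form posts as well.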


New vulnerabilities from the NVD: CVE-2017-16775

Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
Published at: April 01, 2019 at 06:29PM

April 01, 2019 at 09:16PM

via National Vulnerability Database
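Clickjacking against an SSO login page works because the page can be loaded in an invisible frame on an attacker's site. The defence is a response header that tells the browser who may frame the page; the check below is an added example (not Synology's code) that classifies a response's headers the way a scanner would, and returns the header set a login endpoint should send. The header values are constructed for the test cases.

```python
from __future__ import annotations

from typing import Optional


def hardened_headers(allow_same_origin: bool = False) -> dict[str, str]:
    """Headers a login or SSO endpoint should send. CSP frame-ancestors is
    the authoritative control in current browsers; X-Frame-Options is kept
    for older ones."""
    if allow_same_origin:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


def _frame_ancestors(csp: str) -> Optional[list[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: dict[str, str]) -> str:
    """Classify a response as 'blocked' (no page may frame it), 'restricted'
    (only listed origins may) or 'unprotected' (any site may frame it)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:  # CSP wins when both headers are present
        if ancestors == ["none"] or not ancestors:  # empty list matches nothing
            return "blocked"
        if "*" in ancestors:
            return "unprotected"
        return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # ALLOW-FROM was never supported by every browser and is ignored by
    # current ones, so a response relying on it is effectively unprotected.
    return "unprotected"


if __name__ == "__main__":
    # Constructed sample responses
    for name, hdrs in {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
        "hardened": hardened_headers(),
    }.items():
        print(f"{name:14s} -> {framing_verdict(hdrs)}")
```

Frame-busting JavaScript is not a substitute: it can be defeated with the `sandbox` attribute on the attacker's iframe, whereas the header is enforced by the browser before any script runs.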


New vulnerabilities from the NVD: CVE-2017-16774

Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
Published at: April 01, 2019 at 06:29PM

April 01, 2019 at 09:16PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8023

EMC NetWorker may be vulnerable to unauthenticated remote code execution in the NetWorker client execution service (nsrexecd) when the oldauth authentication method is used. An unauthenticated remote attacker could send arbitrary commands via the RPC service to be executed on the host with the privileges of the nsrexecd service, which runs with administrative privileges.
Published at: April 02, 2019 at 12:29AM

April 02, 2019 at 03:16AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-6049

In Detcon Sitewatch Gateway (all versions without cellular), an attacker can edit settings on the device using a specially crafted URL.
Published at: April 02, 2019 at 11:29PM

April 03, 2019 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-6047

In Detcon Sitewatch Gateway (all versions without cellular), passwords are exposed in plaintext in a file that is accessible without authentication.
Published at: April 02, 2019 at 11:29PM

April 03, 2019 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18364 (phpfk)

phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter.
Published at: March 27, 2019 at 07:29PM

April 03, 2019 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13911

A configuration issue was addressed with additional restrictions. This issue affected versions prior to OS X El Capitan 10.11.6 Security Update 2018-002, macOS Sierra 10.12.6 Security Update 2018-002, and macOS High Sierra 10.13.2.
Published at: April 03, 2019 at 09:29PM

April 03, 2019 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-5606

Vordel XML Gateway (acquired by Axway) version 7.2.2 could allow remote attackers to cause a denial of service via a specially crafted request.
Published at: April 03, 2019 at 10:29PM

April 03, 2019 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-5463

AxiomSL's Axiom Java applet module (used for editing uploaded Excel files, together with its associated Java RMI services) 9.5.3 and earlier allows remote attackers to (1) access other basic users' data through arbitrary SQL commands, (2) perform horizontal and vertical privilege escalation, (3) cause a denial of service against the whole application, or (4) write, read or delete arbitrary files on the server hosting the application.
Published at: April 03, 2019 at 11:29PM

April 04, 2019 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-5462

AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier allows remote attackers to inject HTML into the scoping dashboard features.
Published at: April 04, 2019 at 12:29AM

April 04, 2019 at 03:36AM

via National Vulnerability Database
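Three entries in this update are the same bug in different products: the Synology DSM `package` parameter (CVE-2017-16774), the phpFK query-string and `user` parameters (CVE-2017-18364) and the AxiomSL dashboard HTML injection (CVE-2015-5462). In each case attacker-controlled text reaches an HTML response without encoding for the context it lands in. The example below is added here and is not any of those vendors' code; the notification markup and the inline-script variant are constructed to show the three contexts a `package` value can end up in and the escaping each one needs.

```python
import html
import json


def render_vulnerable(package: str) -> str:
    """Pre-fix pattern: user-controlled text is concatenated straight into HTML."""
    return (f'<div class="event" data-package="{package}">'
            f"<p>Package {package} was updated</p></div>")


def render_hardened(package: str) -> str:
    """Element text and a double-quoted attribute are both covered by
    html.escape with quote=True (it encodes < > & " and ')."""
    safe = html.escape(package, quote=True)
    return (f'<div class="event" data-package="{safe}">'
            f"<p>Package {safe} was updated</p></div>")


def render_script_data(package: str) -> str:
    """Inline <script> data is a third context: HTML escaping is wrong there,
    and json.dumps alone still lets a '</script>' inside the value close the
    tag. Encoding '<' as \\u003c keeps the JSON valid and the tag intact."""
    payload = json.dumps({"package": package}).replace("<", "\\u003c")
    return f"<script>var event = {payload};</script>"


if __name__ == "__main__":
    # Constructed payloads of the kind these advisories describe
    probe = '"><script>alert(1)</script>'
    print(render_vulnerable(probe))
    print(render_hardened(probe))
    print(render_script_data("</script><script>alert(1)</script>"))
```

A template engine with auto-escaping on by default removes the first two cases; the script-data case still has to be handled explicitly, which is why the safest pattern is to put JSON in a `data-` attribute or a `<script type="application/json">` block and read it from there.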


New vulnerabilities from the NVD: CVE-2015-5384

AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnerable to a Session Fixation attack.
Published at: April 04, 2019 at 12:29AM

April 04, 2019 at 03:36AM

via National Vulnerability Database
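Session fixation means the server keeps using a session identifier that existed before the user authenticated, so an attacker who planted that identifier in the victim's browser (via a crafted link or an injected cookie) holds a logged-in session once the victim signs in. The countermeasure is to issue a new identifier at every privilege change. The example below is added here and is not AxiomSL's code; the session store and the planted-identifier scenario are constructed.

```python
from __future__ import annotations

import secrets


class SessionStore:
    """Minimal server-side session table: session id -> dict of attributes."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Keeps the pre-authentication id. If the attacker planted that id in
        the victim's browser, the attacker now holds an authenticated session."""
        self._sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid: str, user: str) -> str:
        """Issues a fresh id on login and invalidates the old one, so any id
        known before authentication is worthless afterwards."""
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid


def fixation_demo(hardened: bool) -> tuple:
    """Attacker learns an id, plants it in the victim's browser, victim logs
    in. Returns (planted id still usable, victim's own session works)."""
    store = SessionStore()
    planted = store.create()  # id the attacker knows
    login = store.login_hardened if hardened else store.login_vulnerable
    issued = login(planted, "victim")
    return (store.user_for(planted) == "victim",
            store.user_for(issued) == "victim")


if __name__ == "__main__":
    print("vulnerable:", fixation_demo(hardened=False))
    print("hardened:  ", fixation_demo(hardened=True))
```

Rotation should also happen on logout and on any step-up (for example after a second factor), and the cookie carrying the identifier should be `HttpOnly` and `Secure` so a planted value cannot be set or read from script on a non-TLS origin.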


New vulnerabilities from the NVD: CVE-2014-3603

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published at: April 04, 2019 at 05:29PM

April 04, 2019 at 07:36PM

via National Vulnerability Database
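Chain validation alone answers "was this certificate issued by a trusted CA?", not "was it issued to the host I am talking to?"; a man-in-the-middle with any valid certificate passes the first test. The hostname check the fixed code needs is shown below as an added example in Python (Shibboleth and OpenSAML are Java; this is not their code), operating on certificate dicts in the layout Python's `ssl.getpeercert()` returns. The certificates and host names under `.example` are constructed.

```python
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact match, or a single '*' as the whole
    leftmost label covering exactly one label ('*.example.com' matches
    'www.example.com' but not 'a.b.example.com' or 'example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False  # reject '*', 'f*o.example.com', '*.com'
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """DNS subjectAltName entries are authoritative; the subject CN is
    consulted only when the certificate carries no DNS SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def accept_vulnerable(chain_valid: bool, cert: dict, hostname: str) -> bool:
    """Pre-fix logic: any certificate chaining to a trusted CA is accepted,
    whoever it was issued to."""
    return chain_valid


def accept_hardened(chain_valid: bool, cert: dict, hostname: str) -> bool:
    return chain_valid and cert_matches_hostname(cert, hostname)


def client_context() -> ssl.SSLContext:
    """In current Python the same guarantee comes from the default context;
    check_hostname must stay True (setting it False reintroduces this bug)."""
    ctx = ssl.create_default_context()
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("TLS context does not verify peer identity")
    return ctx


# Constructed certificate dicts in ssl.getpeercert() layout (not real certs).
IDP_METADATA_CERT = {
    "subject": ((("commonName", "metadata.idp.example"),),),
    "subjectAltName": (("DNS", "metadata.idp.example"), ("DNS", "*.idp.example")),
}
ATTACKER_CERT = {  # valid chain, but issued for a name the attacker controls
    "subject": ((("commonName", "mitm.attacker.example"),),),
    "subjectAltName": (("DNS", "mitm.attacker.example"),),
}
LEGACY_CN_ONLY_CERT = {"subject": ((("commonName", "legacy.idp.example"),),)}

if __name__ == "__main__":
    target = "metadata.idp.example"
    print("vulnerable accepts MITM cert:", accept_vulnerable(True, ATTACKER_CERT, target))
    print("hardened accepts MITM cert:  ", accept_hardened(True, ATTACKER_CERT, target))
    print("hardened accepts real cert:  ", accept_hardened(True, IDP_METADATA_CERT, target))
```

When auditing an HTTP client library, look for exactly this gap: a custom `TrustManager`, `HostnameVerifier`, `verify=False` or `check_hostname = False` that was added to make a metadata download "work" against a test server and never removed.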
