Tuesday, July 2, 2019

Weekly Update: a new vulnerability is published on the National Vulnerability Database (36 items)


New vulnerabilities from the NVD: CVE-2017-17945

The ASUS HiVivo application before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.
Published at: June 24, 2019 at 10:15PM
View on website

June 24, 2019 at 11:55PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-9699

The MakerBot Replicator 5G printer runs an Apache HTTP Server with directory indexing enabled. Apache logs, system logs, design files (i.e., a history of print files), and more are exposed to unauthenticated attackers through this HTTP server.
Published at: June 25, 2019 at 12:15AM
View on website

June 25, 2019 at 01:55AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1893

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152157.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1892

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152156.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1828

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150431.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1827

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150430.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1826

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150429.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1760

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148614.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1758

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148605.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-1734

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 discloses sensitive information in error messages that may be used by a malicious user to orchestrate further attacks. IBM X-Force ID: 147838.
Published at: June 27, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-15747 (glot-www)

The default configuration of glot-www through 2018-05-19 allows remote attackers to execute arbitrary code because glot-code-runner supports os.system within a "python" "files" "content" JSON file.
Published at: June 21, 2019 at 05:15PM
View on website

June 27, 2019 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-17478

Incorrect array position calculations in V8 in Google Chrome prior to 70.0.3538.102 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-17460

Insufficient data validation in filesystem URIs in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16086

Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16077

Object lifecycle issue in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16075

Insufficient file type enforcement in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain local file data via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16074

Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16073

Insufficient policy enforcement in site isolation in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass site isolation via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16070

Integer overflows in Skia in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16069

Unintended floating-point error accumulation in SwiftShader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16064

Insufficient data validation in Extensions API in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-15557

An issue was discovered in the Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 devices. An attacker can statically set his/her IP to anything on the 169.254.1.0/24 subnet, and obtain root access by connecting to 169.254.1.2 port 23 with telnet/netcat.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-15556

The Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 allows login with root level access with the user "root" and an empty password by using the enabled onboard UART headers.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-5028

Insufficient data validation in V8 in Google Chrome prior to 56.0.2924.76 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Published at: June 27, 2019 at 08:15PM
View on website

June 27, 2019 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-15555

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers.
Published at: June 28, 2019 at 06:15PM
View on website

June 28, 2019 at 07:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-15520

Various Lexmark devices have a Buffer Overflow (issue 2 of 2).
Published at: June 28, 2019 at 07:15PM
View on website

June 28, 2019 at 09:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-15519

Various Lexmark devices have a Buffer Overflow (issue 1 of 2).
Published at: June 28, 2019 at 08:15PM
View on website

June 28, 2019 at 09:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14919

LOYTEC LGATE-902 6.3.2 devices allow XSS.
Published at: June 28, 2019 at 08:15PM
View on website

June 28, 2019 at 09:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14918

LOYTEC LGATE-902 6.3.2 devices allow Directory Traversal.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14916

LOYTEC LGATE-902 6.3.2 devices allow Arbitrary file deletion.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14887

Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14886

The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14885

Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14868

Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14867

Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.
Published at: June 28, 2019 at 09:15PM
View on website

June 28, 2019 at 11:53PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-10761

Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack.
Published at: June 29, 2019 at 11:15PM
View on website

June 30, 2019 at 01:53AM

via National Vulnerability Database

