Friday, 19 July 2019

Weekly update: a new vulnerability is published on the National Vulnerability Database (25 items)



New vulnerabilities from the NVD: CVE-2018-11563

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application.
Published at: July 08, 2019 at 04:15PM
View on website

July 08, 2019 at 07:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8408 (dcs-1130_firmware)

An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting an SMB folder for the video clippings recorded by the device. It seems that the GET parameters passed in this request (to test if the SMB credentials and hostname sent to the device work properly) end up being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware image is dissected using the binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device, including all the binaries. The binary "cgibox" is the one that has the vulnerable function "sub_7EAFC" that receives the values sent by the GET request. If we open this binary in IDA Pro we will notice that it follows an ARM little-endian format. The function sub_7EAFC in IDA Pro is identified as receiving the values sent in the GET request, and the value set in the GET parameter "user" is extracted in function sub_7E49C, which is then passed to the vulnerable system API call.
Published at: July 02, 2019 at 07:15PM
View on website

July 08, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8417 (dcs-1100_firmware, dcs-1130_firmware)

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device allows D-Link apps on mobile devices and the desktop to communicate with the device without any authentication. As part of that communication, the device uses a custom version of base64 encoding to pass data back and forth between the apps and the device. However, the same form of communication can be initiated by any process, including an attacker's process on the mobile phone or the desktop, and this allows a third party to retrieve the device's password without any authentication by sending just one UDP packet with the custom base64 encoding. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
Published at: July 03, 2019 at 12:15AM
View on website

July 09, 2019 at 01:07AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8404 (dcs-1130_firmware)

An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting an SMB folder for the video clippings recorded by the device. It seems that the POST parameters passed in this request (to test if the email credentials and hostname sent to the device work properly) end up being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware image is dissected using the binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device, including all the binaries. The library "libmailutils.so" is the one that has the vulnerable function "sub_1FC4" that receives the values sent by the POST request. If we open this binary in IDA Pro we will notice that it follows an ARM little-endian format. The function sub_1FC4 in IDA Pro is identified as receiving the values sent in the POST request, and the value set in the POST parameter "receiver1" is extracted in function "sub_15AC", which is then passed to the vulnerable system API call. The vulnerable library function is accessed in the "cgibox" binary at address 0x0008F598, which calls the "mailLoginTest" function in the "libmailutils.so" binary as shown below; this results in the vulnerable POST parameter being passed to the library, which results in the command injection issue.
Published at: July 02, 2019 at 10:15PM
View on website

July 09, 2019 at 01:07AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14866 (odoo)

Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.
Published at: July 03, 2019 at 09:15PM
View on website

July 09, 2019 at 09:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14833

Intuit Lacerte 2017 has Incorrect Access Control.
Published at: July 09, 2019 at 04:15PM
View on website

July 09, 2019 at 09:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8407 (dcs-1130_firmware)

An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change the user's password.
Published at: July 02, 2019 at 10:15PM
View on website

July 09, 2019 at 09:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-11307

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Published at: July 09, 2019 at 07:15PM
View on website

July 09, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8414 (dcs-1100_firmware, dcs-1130_firmware)

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary orthrus in the /sbin folder of the device handles all the UPnP connections received by the device. It seems that the binary performs a sprintf operation at address 0x0000A3E4 with the value in the command line parameter "-f" and stores it on the stack. Since there is no length check, this results in corrupting the registers for the function sub_A098, which results in memory corruption.
Published at: July 02, 2019 at 11:15PM
View on website

July 09, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8410 (dcs-1100_firmware, dcs-1130_firmware)

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in the /sbin folder of the device handles all the RTSP connections received by the device. It seems that the binary performs a memcpy operation at address 0x00011E34 with the value sent in the "Authorization: Basic" RTSP header and stores it on the stack. The number of bytes to be copied is calculated based on the length of the string sent in the RTSP header by the client. As a result, memcpy copies more data than the stack buffer can hold, and this results in corrupting the registers for the caller function sub_F6CC, which results in memory corruption. The severity of this attack is enlarged by the fact that the same value is then copied onto the stack in the function at 0x00011378, and this allows the allocated buffer to be overflowed and thus the PC register to be controlled, which will result in arbitrary code execution on the device.
Published at: July 02, 2019 at 11:15PM
View on website

July 09, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8409 (dcs-1130_firmware)

An issue was discovered on D-Link DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device does not enforce the same restriction on a specific URL, thereby allowing any attacker in possession of that URL to view the live video feed. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
Published at: July 02, 2019 at 11:15PM
View on website

July 09, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8406 (dcs-1130_firmware)

An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a Flash file hosted on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, the user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack in the user's browser and execute any action on the device provided by the web management interface; this steals the credentials from the tools_admin.cgi file's response and displays them inside a text field.
Published at: July 02, 2019 at 11:15PM
View on website

July 09, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-8405 (dcs-1100_firmware, dcs-1130_firmware)

An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The binary rtspd in the /sbin folder of the device handles all the RTSP connections received by the device. It seems that the binary loads at address 0x00012CF4 a flag called "Authenticate" that indicates whether a user should be authenticated or not before being allowed access to the video feed. By default, the value for this flag is zero, and it can be set/unset using the HTTP interface and the network settings tab as shown below. The device requires that a user logging into the HTTP management interface of the device provide a valid username and password. However, the device does not enforce the same restriction by default on the RTSP URL because the checkbox is unchecked by default, thereby allowing any attacker in possession of the external IP address of the camera to view the live video feed. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
Published at: July 02, 2019 at 11:15PM
View on website

July 09, 2019 at 11:07PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-11427 (oncell_g3150-hspa-t_firmware, oncell_g3150-hspa_firmware)

CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.
Published at: July 03, 2019 at 06:15PM
View on website

July 10, 2019 at 01:07AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-12626

An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS via the cat parameter.
Published at: July 10, 2019 at 03:15PM
View on website

July 10, 2019 at 07:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-12625

An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS via the values parameter.
Published at: July 10, 2019 at 03:15PM
View on website

July 10, 2019 at 07:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-12623

An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter.
Published at: July 10, 2019 at 03:15PM
View on website

July 10, 2019 at 07:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-12622

An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has XSS via the field_name parameter.
Published at: July 10, 2019 at 03:15PM
View on website

July 10, 2019 at 07:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-11423 (oncell_g3150-hspa-t_firmware, oncell_g3150-hspa_firmware)

There is memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, a different vulnerability than CVE-2018-11420.
Published at: July 03, 2019 at 07:15PM
View on website

July 10, 2019 at 07:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-11420 (oncell_g3150-hspa-t_firmware, oncell_g3150-hspa_firmware)

There is memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 17042015 and prior, a different vulnerability than CVE-2018-11423.
Published at: July 03, 2019 at 07:15PM
View on website

July 10, 2019 at 07:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-7189

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.
Published at: July 10, 2019 at 06:15PM
View on website

July 10, 2019 at 09:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-6217

paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php, resulting in code execution.
Published at: July 10, 2019 at 06:15PM
View on website

July 10, 2019 at 09:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-12652

libpng before 1.6.32 does not properly check the length of chunks against the user limit.
Published at: July 10, 2019 at 06:15PM
View on website

July 10, 2019 at 09:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-10531

An issue was discovered in the America's Army Proving Grounds platform for the Unreal Engine. With a false packet sent via UDP, the application server responds with several bytes, giving the possibility of DoS amplification, even being able to be used in DDoS attacks.
Published at: July 10, 2019 at 07:15PM
View on website

July 10, 2019 at 11:04PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-3798

The Windows Guest Tools in Citrix XenServer 6.2 SP1 and earlier allows remote attackers to cause a denial of service (guest OS crash) via a crafted Ethernet frame.
Published at: July 11, 2019 at 11:15PM
View on website

July 12, 2019 at 03:04AM

via National Vulnerability Database

