Monday, November 18, 2019

Weekly Updates: a new vulnerability is published on the National Vulnerability Database (7 items)

New vulnerabilities from the NVD: CVE-2014-10374

On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations.
Published at: July 15, 2019 at 04:15PM

July 15, 2019 at 05:41PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-13442

SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter.
Published at: July 16, 2019 at 09:15PM

July 17, 2019 at 12:02AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-12652 (libpng)

libpng before 1.6.32 does not properly check the length of chunks against the user limit.
Published at: July 10, 2019 at 06:15PM

July 17, 2019 at 06:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-11734 (e107)

In e107 v2.1.7, output without filtering results in XSS.
Published at: July 10, 2019 at 09:15PM

July 17, 2019 at 08:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-10763

The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body.
Published at: July 18, 2019 at 03:15PM

July 18, 2019 at 06:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-10762

The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used.
Published at: July 18, 2019 at 03:15PM

July 18, 2019 at 06:02PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7882

Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.
Published at: July 19, 2019 at 07:15PM

July 19, 2019 at 09:34PM

via National Vulnerability Database

