Saturday, 24 October 2020

Weekly Update: a new vulnerability is published on the National Vulnerability Database (54 items)


New vulnerabilities from the NVD: CVE-2019-11823

CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
Published at: May 04, 2020 at 01:15PM

May 04, 2020 at 04:22PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-17557

It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this means, a user accessing the Enduser UI could execute javascript code from URL query string.
Published at: May 04, 2020 at 04:15PM

May 04, 2020 at 06:24PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-13285

CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection.
Published at: May 04, 2020 at 05:15PM

May 04, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12864

SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter.
Published at: May 04, 2020 at 05:15PM

May 04, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21233

TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.
Published at: May 04, 2020 at 06:15PM

May 04, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18774

Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects D6100 before 1.0.0.55, D7800 before V1.0.1.24, R7100LG before V1.0.0.32, WNDR4300v1 before 1.0.2.90, and WNDR4500v3 before 1.0.0.48.
Published at: May 04, 2020 at 07:15PM

May 04, 2020 at 09:29PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18771

Certain NETGEAR devices are affected by stored XSS. This affects R9000 before 1.0.2.40, R6100 before 1.0.1.1, 6R7500 before 1.0.0.110, R7500v2 before 1.0.3.20, R7800 before 1.0.2.36, WNDR4300v2 before 1.0.0.48, and WNR2000v5 before 1.0.0.58.
Published at: May 04, 2020 at 07:15PM

May 04, 2020 at 09:29PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18760

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. This affects R8300 before 1.0.2.104 and R8500 before 1.0.2.104.
Published at: May 04, 2020 at 07:15PM

May 04, 2020 at 09:29PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18753

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects: D6220, running firmware versions prior to 1.0.0.40; D8500, running firmware versions prior to 1.0.3.39; EX3700, running firmware versions prior to 1.0.0.70; EX3800, running firmware versions prior to 1.0.0.70; EX6000, running firmware versions prior to 1.0.0.30; EX6100, running firmware versions prior to 1.0.2.22; EX6120, running firmware versions prior to 1.0.0.40; EX6130, running firmware versions prior to 1.0.0.22; EX6150v1, running firmware versions prior to 1.0.0.42; EX6200, running firmware versions prior to 1.0.3.88; EX7000, running firmware versions prior to 1.0.0.66; R6300v2, running firmware versions prior to 1.0.4.18; R6400, running firmware versions prior to 1.0.1.24; R6400v2, running firmware versions prior to 1.0.2.32; R6700, running firmware versions prior to 1.0.1.22; R6700v3, running firmware versions prior to 1.0.2.32; R6900, running firmware versions prior to 1.0.1.22; R7000, running firmware versions prior to 1.0.9.6; R6900P, running firmware versions prior to 1.0.0.56; R7000P, running firmware versions prior to 1.0.0.56; R7100LG, running firmware versions prior to 1.0.0.42; R7300DST, running firmware versions prior to 1.0.0.54; R7900, running firmware versions prior to 1.0.1.26; R8300, running firmware versions prior to 1.0.2.106; R8500, running firmware versions prior to 1.0.2.106; WN2500RPv2, running firmware versions prior to 1.0.1.54; WNR3500Lv2, running firmware versions prior to 1.2.0.46.
Published at: May 04, 2020 at 07:15PM

May 04, 2020 at 09:29PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18867

Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects D6100 before 1.0.0.55, D7800 before V1.0.1.24, R7100LG before V1.0.0.32, WNDR4300v1 before 1.0.2.90, and WNDR4500v3 before 1.0.0.48.
Published at: May 05, 2020 at 05:15PM

May 05, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18866

Certain NETGEAR devices are affected by stored XSS. This affects R9000 before 1.0.2.40, R6100 before 1.0.1.1, 6R7500 before 1.0.0.110, R7500v2 before 1.0.3.20, R7800 before 1.0.2.36, WNDR4300v2 before 1.0.0.48, and WNR2000v5 before 1.0.0.58.
Published at: May 05, 2020 at 05:15PM

May 05, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18865

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. This affects R8300 before 1.0.2.104 and R8500 before 1.0.2.104.
Published at: May 05, 2020 at 05:15PM

May 05, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18864

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects R6400 before 1.0.1.24, R6400v2 before 1.0.2.32, R6700 before 1.0.1.22, R6900 before 1.0.1.22, R7000 before 1.0.9.4, R7000P before 1.0.0.56, R6900P before 1.0.0.56, R7100LG before 1.0.0.32, R7300 before 1.0.0.54, R7900 before 1.0.1.18, R8300 before 1.0.2.104, and R8500 before 1.0.2.104.
Published at: May 05, 2020 at 05:15PM

May 05, 2020 at 08:26PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19515

Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireless settings.
Published at: May 05, 2020 at 08:15PM

May 05, 2020 at 09:29PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19514

Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID.
Published at: May 05, 2020 at 08:15PM

May 05, 2020 at 09:29PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19517

Intelbras RF1200 1.1.3 devices allow CSRF to bypass the login.html form, as demonstrated by launching a scrapy process.
Published at: May 05, 2020 at 09:15PM

May 05, 2020 at 11:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10634

SAE IT-systems FW-50 Remote Telemetry Unit (RTU). A specially crafted request could allow an attacker to view the file structure of the affected device and access files that should be inaccessible.
Published at: May 06, 2020 at 12:15AM

May 06, 2020 at 01:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10630

SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in the output used as a webpage that is served to other users.
Published at: May 06, 2020 at 12:15AM

May 06, 2020 at 01:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20768

ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do.
Published at: May 06, 2020 at 01:15AM

May 06, 2020 at 03:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19169

Dext5.ocx ActiveX 5.0.0.116 and earlier versions contain a vulnerability which could allow a remote attacker to download an arbitrary file by setting the arguments to the ActiveX method. This can be leveraged for code execution.
Published at: May 06, 2020 at 04:15PM

May 06, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19168

Dext5.ocx ActiveX 5.0.0.116 and earlier versions contain a vulnerability which could allow a remote attacker to download and execute an arbitrary remote file by setting the arguments to the ActiveX method. This can be leveraged for code execution.
Published at: May 06, 2020 at 04:15PM

May 06, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19167

Tobesoft Nexacro v2019.9.25.1 and earlier versions have an arbitrary code execution vulnerability through a method supported by the Nexacro14 ActiveX Control. It allows an attacker to cause remote code execution.
Published at: May 06, 2020 at 04:15PM

May 06, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19166

Tobesoft XPlatform v9.1, 9.2.0, 9.2.1 and 9.2.2 have a vulnerability that can load unauthorized DLL files. It allows an attacker to cause remote code execution.
Published at: May 06, 2020 at 04:15PM

May 06, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4266

IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 does not have device jailbreak detection which could result in an attacker gaining sensitive information about the device. IBM X-Force ID: 160199.
Published at: May 06, 2020 at 05:15PM

May 06, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-8956

ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allows remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed mode 3 and mode 5 packets. The attacker must either be a part of the same broadcast network or control a slave in that broadcast network that can capture certain required packets on the attacker's behalf and send them to the attacker.
Published at: May 06, 2020 at 10:15PM

May 06, 2020 at 11:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18868

Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak.
Published at: May 07, 2020 at 04:15PM

May 07, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18867

Browsable directories in Blaauw Remote Kiln Control through v3.00r4 allow an attacker to enumerate sensitive filenames and locations, including source code. This affects /ajax/, /common/, /engine/, /flash/, /images/, /Images/, /jscripts/, /lang/, /layout/, /programs/, and /sms/.
Published at: May 07, 2020 at 04:15PM

May 07, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18865

Information disclosure via error message discrepancies in authentication functions in Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to enumerate valid usernames.
Published at: May 07, 2020 at 04:15PM

May 07, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-5493

ATTO FibreBridge 7500N firmware versions prior to 2.90 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause Denial of Service (DoS).
Published at: May 07, 2020 at 04:15PM

May 07, 2020 at 05:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18872

Weak password requirements in Blaauw Remote Kiln Control through v3.00r4 allow a user to set short or guessable passwords (e.g., 1 or 1234).
Published at: May 07, 2020 at 05:15PM

May 07, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18871

A path traversal in debug.php accessed via default.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to upload arbitrary files, leading to arbitrary remote code execution.
Published at: May 07, 2020 at 05:15PM

May 07, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18870

A path traversal via the iniFile parameter in excel.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to download arbitrary files from the host machine.
Published at: May 07, 2020 at 05:15PM

May 07, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18869

Leftover Debug Code in Blaauw Remote Kiln Control through v3.00r4 allows a user to execute arbitrary php code via /default.php?idx=17.
Published at: May 07, 2020 at 05:15PM

May 07, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18866

Unauthenticated SQL injection via the username in the login mechanism in Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database.
Published at: May 07, 2020 at 05:15PM

May 07, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18864

/server-info and /server-status in Blaauw Remote Kiln Control through v3.00r4 allow an unauthenticated attacker to gain sensitive information about the host machine.
Published at: May 07, 2020 at 05:15PM

May 07, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19164

dext5.ocx ActiveX Control in Dext5 Upload 5.0.0.112 and earlier versions contains a vulnerability that could allow remote files to be executed by setting the arguments to the activex method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.
Published at: May 07, 2020 at 09:15PM

May 07, 2020 at 11:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7946

Information Exposure vulnerability in Unity8 as used on the Ubuntu phone and possibly also in Unity8 shipped elsewhere. This allows an attacker to enable the MTP service by opening the emergency dialer. Fixed in 8.11+16.04.20160111.1-0ubuntu1 and 8.11+15.04.20160122-0ubuntu1.
Published at: May 08, 2020 at 02:15AM

May 08, 2020 at 03:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-1423

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oauth tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this to create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.
Published at: May 08, 2020 at 02:15AM

May 08, 2020 at 03:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-0953

A race condition was discovered in the Linux drivers for Nvidia graphics which allowed an attacker to exfiltrate kernel memory to userspace. This issue was fixed in version 295.53.
Published at: May 08, 2020 at 04:15AM

May 08, 2020 at 08:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-0952

A heap buffer overflow was discovered in the device control ioctl in the Linux driver for Nvidia graphics cards, which may allow an attacker to overflow 49 bytes. This issue was fixed in version 295.53.
Published at: May 08, 2020 at 04:15AM

May 08, 2020 at 08:43AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14898

The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10, was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
Published at: May 08, 2020 at 05:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10170

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.
Published at: May 08, 2020 at 05:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10169

A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running the application.
Published at: May 08, 2020 at 05:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-5491

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-5480

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15514

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13657

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13656

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13655

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13651

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 06:15PM

May 08, 2020 at 07:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-5484

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 07:15PM

May 08, 2020 at 09:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13654

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 07:15PM

May 08, 2020 at 09:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-13653

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: May 08, 2020 at 07:15PM

May 08, 2020 at 09:43PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20225

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number).
Published at: May 08, 2020 at 09:15PM

May 08, 2020 at 11:36PM

via National Vulnerability Database

 
