SB17-310: Vulnerability Summary for the Week of October 30, 2017

Original release date: November 06, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
fortinet — fortios A Denial of Service (DoS) vulnerability in Fortinet FortiOS 5.4.0 to 5.4.5 allows an authenticated user to cause the web GUI to be temporarily unresponsive, via passing a specially crafted payload to the ‘params’ parameter of the JSON web API. 2017-10-27 4.0 CVE-2017-14182
MISC
BID
SECTRACK
CONFIRM
fortinet — fortios A Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.4.0 to 5.4.5 and 5.6.0 allows a remote unauthenticated attacker to execute arbitrary javascript code via webUI “Login Disclaimer” redir parameter. 2017-10-27 4.3 CVE-2017-7733
BID
SECTRACK
CONFIRM
gnu — binutils dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash). 2017-10-27 5.0 CVE-2017-15938
BID
MISC
MISC
MISC
gnu — binutils dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023. 2017-10-27 4.3 CVE-2017-15939
BID
MISC
MISC
MISC
graphicsmagick — graphicsmagick In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer. 2017-10-27 6.8 CVE-2017-15930
CONFIRM
CONFIRM
BID
CONFIRM
radare — radare2 In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32bit systems. 2017-10-27 6.8 CVE-2017-15931
BID
CONFIRM
CONFIRM
radare — radare2 In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32bit systems. 2017-10-27 6.8 CVE-2017-15932
BID
CONFIRM
CONFIRM


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.


Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
adult_script_pro — adult_script_pro Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /download URI, a different vulnerability than CVE-2007-6576. 2017-10-29 not yet calculated CVE-2017-15959
MISC
EXPLOIT-DB
amazon_web_services — cloudformation_boostrap The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the ability to create files in an unspecified directory. 2017-10-30 not yet calculated CVE-2017-9450
BID
CONFIRM
apache — cordova The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. 2017-10-30 not yet calculated CVE-2014-0073
MISC
FULLDISC
BUGTRAQ
BID
XF
CONFIRM
MLIST
apache — cordova ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. 2017-10-30 not yet calculated CVE-2014-0072
MISC
FULLDISC
BUGTRAQ
XF
CONFIRM
MLIST
apache — hadoop Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. 2017-10-30 not yet calculated CVE-2012-4449
MLIST
CONFIRM
apache — hive Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns. 2017-11-01 not yet calculated CVE-2017-12625
MLIST
apache — httpclient http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification. 2017-10-30 not yet calculated CVE-2013-4366
CONFIRM
CONFIRM
apache — juddi Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. 2017-10-30 not yet calculated CVE-2009-1198
CONFIRM
MLIST
BID
apache — juddi Apache jUDDI before 2.0 allows attackers to spoof entries in log files via vectors related to error logging of keys from uddiget.jsp. 2017-10-30 not yet calculated CVE-2009-1197
CONFIRM
MLIST
BID
apache — qpid qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203. 2017-10-30 not yet calculated CVE-2015-0224
FEDORA
MLIST
MISC
REDHAT
REDHAT
REDHAT
REDHAT
BUGTRAQ
BID
SECTRACK
REDHAT
CONFIRM
CONFIRM
apache — storm Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log. 2017-10-30 not yet calculated CVE-2014-0115
CONFIRM
MLIST
apache — struts The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. 2017-10-30 not yet calculated CVE-2016-3090
BID
CONFIRM
SECTRACK
apache — subversion libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties. 2017-10-30 not yet calculated CVE-2013-4246
BID
CONFIRM
apache — traffic_server The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function. 2017-10-30 not yet calculated CVE-2015-3249
MLIST
BID
MISC
apache — traffic_server Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. 2017-10-30 not yet calculated CVE-2014-3624
MLIST
BID
CONFIRM
apache — wicket Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions. 2017-10-30 not yet calculated CVE-2014-3526
CONFIRM
apache — wicket Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to

BUG/* . The second payload blocks the change of wireless settings. A factory reset is required.

2017-10-31 not yet calculated CVE-2017-14250
MISC
tpanel — tpanel tPanel 2009 allows SQL injection for Authentication Bypass via ‘or 1=1 or ”=’ to login.php. 2017-10-29 not yet calculated CVE-2017-15974
MISC
EXPLOIT-DB
typecho — typecho In admin/write-post.php in Typecho through 1.1, one can log in to the background page, write a new article, and add payload in the article content, resulting in XSS via index.php/action/contents-post-edit. 2017-10-30 not yet calculated CVE-2017-16230
MISC
us_zip_codes — database_script US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter. 2017-10-31 not yet calculated CVE-2017-15980
EXPLOIT-DB
vastal — i-tech_agent_zone Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951, CVE-2009-3497, and CVE-2012-0982. 2017-10-31 not yet calculated CVE-2017-15991
EXPLOIT-DB
vastal — i-tech_dating_zone Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the ‘product_id’ to add_to_cart.php, a different vulnerability than CVE-2008-4461. 2017-10-29 not yet calculated CVE-2017-15975
MISC
EXPLOIT-DB
vim — vim VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (“[ORIGINAL_FILENAME].swp”) resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary. 2017-10-31 not yet calculated CVE-2017-1000382
MLIST
vir.it — explorer_anti-virus In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file (VIAGLT64.SYS) contains an Arbitrary Write vulnerability because of not validating input values from IOCtl 0x8273007C. 2017-11-03 not yet calculated CVE-2017-16237
EXPLOIT-DB
watchdog — anti-malware In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002054. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated. 2017-10-30 not yet calculated CVE-2017-15920
MISC
EXPLOIT-DB
watchdog — anti-malware In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002010. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated. 2017-10-30 not yet calculated CVE-2017-15921
MISC
EXPLOIT-DB
webkit — webkit The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate message size metadata, allowing a compromised secondary process to trigger an integer overflow and subsequent buffer overflow in the UI process. This vulnerability does not affect Apple products. 2017-11-01 not yet calculated CVE-2017-1000121
CONFIRM
webkit — webkit The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate certain message metadata, allowing a compromised secondary process to cause a denial of service (release assertion) of the UI process. This vulnerability does not affect Apple products. 2017-11-01 not yet calculated CVE-2017-1000122
CONFIRM
website_broker_script — website_broker_script Website Broker Script allows SQL Injection via the ‘status_id’ Parameter to status_list.php. 2017-10-31 not yet calculated CVE-2017-15992
EXPLOIT-DB
websitescripts.org — fake_magazine_cover_script Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter. 2017-10-31 not yet calculated CVE-2017-15987
EXPLOIT-DB
wordpress — wordpress WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a “double prepare” approach, a different vulnerability than CVE-2017-14723. 2017-11-02 not yet calculated CVE-2017-16510
MISC
MISC
MISC
MISC
xen — xen An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out. 2017-10-30 not yet calculated CVE-2017-15597
MLIST
BID
SECTRACK
CONFIRM
CONFIRM
zeebuddy — zeebuddy ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604. 2017-10-29 not yet calculated CVE-2017-15976
MISC
EXPLOIT-DB
zomato — clone_script Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. 2017-10-31 not yet calculated CVE-2017-15993
EXPLOIT-DB
