SB17-310: Vulnerability Summary for the Week of October 30, 2017

Original release date: November 06, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

There were no high vulnerabilities recorded this week.


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

fortinet — fortios
A Denial of Service (DoS) vulnerability in Fortinet FortiOS 5.4.0 to 5.4.5 allows an authenticated user to cause the web GUI to be temporarily unresponsive, via passing a specially crafted payload to the ‘params’ parameter of the JSON web API.
Published: 2017-10-27 | CVSS Score: 4.0 | CVE-2017-14182 | Source & Patch Info: MISC, BID, SECTRACK, CONFIRM

fortinet — fortios
A Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.4.0 to 5.4.5 and 5.6.0 allows a remote unauthenticated attacker to execute arbitrary javascript code via webUI “Login Disclaimer” redir parameter.
Published: 2017-10-27 | CVSS Score: 4.3 | CVE-2017-7733 | Source & Patch Info: BID, SECTRACK, CONFIRM

gnu — binutils
dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).
Published: 2017-10-27 | CVSS Score: 5.0 | CVE-2017-15938 | Source & Patch Info: BID, MISC, MISC, MISC

gnu — binutils
dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.
Published: 2017-10-27 | CVSS Score: 4.3 | CVE-2017-15939 | Source & Patch Info: BID, MISC, MISC, MISC

graphicsmagick — graphicsmagick
In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer.
Published: 2017-10-27 | CVSS Score: 6.8 | CVE-2017-15930 | Source & Patch Info: CONFIRM, CONFIRM, BID, CONFIRM

radare — radare2
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32bit systems.
Published: 2017-10-27 | CVSS Score: 6.8 | CVE-2017-15931 | Source & Patch Info: BID, CONFIRM, CONFIRM

radare — radare2
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32bit systems.
Published: 2017-10-27 | CVSS Score: 6.8 | CVE-2017-15932 | Source & Patch Info: BID, CONFIRM, CONFIRM


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

There were no low vulnerabilities recorded this week.


Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

adult_script_pro — adult_script_pro
Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /download URI, a different vulnerability than CVE-2007-6576.
Published: 2017-10-29 | CVSS Score: not yet calculated | CVE-2017-15959 | Source & Patch Info: MISC, EXPLOIT-DB

amazon_web_services — cloudformation_boostrap
The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the ability to create files in an unspecified directory.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2017-9450 | Source & Patch Info: BID, CONFIRM

apache — cordova
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2014-0073 | Source & Patch Info: MISC, FULLDISC, BUGTRAQ, BID, XF, CONFIRM, MLIST

apache — cordova
ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2014-0072 | Source & Patch Info: MISC, FULLDISC, BUGTRAQ, XF, CONFIRM, MLIST

apache — hadoop
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2012-4449 | Source & Patch Info: MLIST, CONFIRM

apache — hive
Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.
Published: 2017-11-01 | CVSS Score: not yet calculated | CVE-2017-12625 | Source & Patch Info: MLIST

apache — httpclient
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2013-4366 | Source & Patch Info: CONFIRM, CONFIRM

apache — juddi
Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2009-1198 | Source & Patch Info: CONFIRM, MLIST, BID

apache — juddi
Apache jUDDI before 2.0 allows attackers to spoof entries in log files via vectors related to error logging of keys from uddiget.jsp.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2009-1197 | Source & Patch Info: CONFIRM, MLIST, BID

apache — qpid
qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2015-0224 | Source & Patch Info: FEDORA, MLIST, MISC, REDHAT, REDHAT, REDHAT, REDHAT, BUGTRAQ, BID, SECTRACK, REDHAT, CONFIRM, CONFIRM

apache — storm
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2014-0115 | Source & Patch Info: CONFIRM, MLIST

apache — struts
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2016-3090 | Source & Patch Info: BID, CONFIRM, SECTRACK

apache — subversion
libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2013-4246 | Source & Patch Info: BID, CONFIRM

apache — traffic_server
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2015-3249 | Source & Patch Info: MLIST, BID, MISC

apache — traffic_server
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2014-3624 | Source & Patch Info: MLIST, BID, CONFIRM

apache — wicket
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2014-3526 | Source & Patch Info: CONFIRM
apache — wicket
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to

BUG/* . The second payload blocks the change of wireless settings. A factory reset is required.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-14250 | Source & Patch Info: MISC
tpanel — tpanel
tPanel 2009 allows SQL injection for Authentication Bypass via ‘or 1=1 or ”=’ to login.php.
Published: 2017-10-29 | CVSS Score: not yet calculated | CVE-2017-15974 | Source & Patch Info: MISC, EXPLOIT-DB

typecho — typecho
In admin/write-post.php in Typecho through 1.1, one can log in to the background page, write a new article, and add payload in the article content, resulting in XSS via index.php/action/contents-post-edit.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2017-16230 | Source & Patch Info: MISC

us_zip_codes — database_script
US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-15980 | Source & Patch Info: EXPLOIT-DB

vastal — i-tech_agent_zone
Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951, CVE-2009-3497, and CVE-2012-0982.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-15991 | Source & Patch Info: EXPLOIT-DB

vastal — i-tech_dating_zone
Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the ‘product_id’ to add_to_cart.php, a different vulnerability than CVE-2008-4461.
Published: 2017-10-29 | CVSS Score: not yet calculated | CVE-2017-15975 | Source & Patch Info: MISC, EXPLOIT-DB

vim — vim
VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (“[ORIGINAL_FILENAME].swp”) resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-1000382 | Source & Patch Info: MLIST

vir.it — explorer_anti-virus
In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file (VIAGLT64.SYS) contains an Arbitrary Write vulnerability because of not validating input values from IOCtl 0x8273007C.
Published: 2017-11-03 | CVSS Score: not yet calculated | CVE-2017-16237 | Source & Patch Info: EXPLOIT-DB

watchdog — anti-malware
In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002054. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2017-15920 | Source & Patch Info: MISC, EXPLOIT-DB

watchdog — anti-malware
In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002010. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2017-15921 | Source & Patch Info: MISC, EXPLOIT-DB

webkit — webkit
The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate message size metadata, allowing a compromised secondary process to trigger an integer overflow and subsequent buffer overflow in the UI process. This vulnerability does not affect Apple products.
Published: 2017-11-01 | CVSS Score: not yet calculated | CVE-2017-1000121 | Source & Patch Info: CONFIRM

webkit — webkit
The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate certain message metadata, allowing a compromised secondary process to cause a denial of service (release assertion) of the UI process. This vulnerability does not affect Apple products.
Published: 2017-11-01 | CVSS Score: not yet calculated | CVE-2017-1000122 | Source & Patch Info: CONFIRM

website_broker_script — website_broker_script
Website Broker Script allows SQL Injection via the ‘status_id’ Parameter to status_list.php.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-15992 | Source & Patch Info: EXPLOIT-DB

websitescripts.org — fake_magazine_cover_script
Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-15987 | Source & Patch Info: EXPLOIT-DB

wordpress — wordpress
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a “double prepare” approach, a different vulnerability than CVE-2017-14723.
Published: 2017-11-02 | CVSS Score: not yet calculated | CVE-2017-16510 | Source & Patch Info: MISC, MISC, MISC, MISC

xen — xen
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.
Published: 2017-10-30 | CVSS Score: not yet calculated | CVE-2017-15597 | Source & Patch Info: MLIST, BID, SECTRACK, CONFIRM, CONFIRM

zeebuddy — zeebuddy
ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604.
Published: 2017-10-29 | CVSS Score: not yet calculated | CVE-2017-15976 | Source & Patch Info: MISC, EXPLOIT-DB

zomato — clone_script
Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter.
Published: 2017-10-31 | CVSS Score: not yet calculated | CVE-2017-15993 | Source & Patch Info: EXPLOIT-DB
