SB18-260: Vulnerability Summary for the Week of September 10, 2018

Original release date: September 17, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info
There were no high vulnerabilities recorded this week.


Medium Vulnerabilities

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info
There were no medium vulnerabilities recorded this week.


Low Vulnerabilities

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info
There were no low vulnerabilities recorded this week.


Severity Not Yet Assigned

Columns: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info
absolute — ctes_windows_agent
An issue was discovered in Absolute Software CTES Windows Agent through 1.0.0.1479. The security permissions on the %ProgramData%\CTES folder and sub-folders may allow write access to low-privileged user accounts. This allows unauthorized replacement of service program executable (EXE) or dynamically loadable library (DLL) files, causing elevated (SYSTEM) user access. Configuration control files or data files under this folder could also be similarly modified to affect service process behavior.
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16715 (CONFIRM)

ansible — tower
A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database.
Published: 2018-09-11. CVSS Score: not yet calculated. Source & Patch Info: CVE-2016-7070 (CONFIRM, CONFIRM)

apache — activemq_client
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-11775 (CONFIRM, BID, SECTRACK)

apache — mesos
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-1330

artifex — ghostscript
An issue was discovered in Artifex Ghostscript before 9.25. Incorrect “restoration of privilege” checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the “pipe” instruction. This is due to an incomplete fix for CVE-2018-16509.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16802 (MISC, MISC, CONFIRM, MLIST, MLIST, MISC)

asus — gt-ac5300_routers
Stack-based buffer overflow on the ASUS GT-AC5300 router through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact by setting a long sh_path0 value and then sending an appGet.cgi?hook=select_list(“Storage_x_SharedPath”) request, because ej_select_list in router/httpd/web.c uses strcpy.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17022 (MISC)

asus — gt-ac5300_routers
Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17023 (MISC)

asus — gt-ac5300_routers
Cross-site scripting (XSS) vulnerability on ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 allows remote attackers to inject arbitrary web script or HTML via the appGet.cgi hook parameter.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17021 (MISC)

asus — gt-ac5300_routers
ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 allow remote attackers to cause a denial of service via a single “GET / HTTP/1.1\r\n” line.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17020 (MISC)

avaya — ip_office
A vulnerability in the one-X Portal component of Avaya IP Office allows an authenticated attacker to read and delete arbitrary files on the system. Affected versions of Avaya IP Office include 9.1 through 9.1 SP12, 10.0 through 10.0 SP7, and 10.1 through 10.1 SP2.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-15610 (CONFIRM)

b3log/solo — b3log/solo
In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16805 (MISC)

baijiacms — baijiacms
An issue is discovered in baijiacms V4. XSS exists via the assets/weengine/components/zclip/ZeroClipboard.swf id parameter, aka “Non-standard use of the flash component.”
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16725 (MISC)

baijiacms — baijiacms
An issue is discovered in baijiacms V4. Blind SQL Injection exists via the order parameter in an index.php?act=index request.
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16724 (MISC)

bigtree — bigtree_cms
BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17030 (MISC)

blogcms — blogcms
BlogCMS through 2016-10-25 has XSS via a comment.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16779 (MISC)

bro — bro
In Bro through 2.5.5, there is a DoS in IRC protocol names command parsing in analyzer/protocol/irc/IRC.cc.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17019 (MISC)

bro — bro
In Bro through 2.5.5, there is a memory leak potentially leading to DoS in scripts/base/protocols/krb/main.bro in the Kerberos protocol parser.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16807 (MISC)

bullguard — multiple_products
BullGuard Safe Browsing 18.1.355 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17061 (MISC)

cisco-config-manager — cisco-config-manager
K-Net Cisco Configuration Manager through 2014-11-19 has XSS via devices.php.
Published: 2018-09-14. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17051 (MISC)

cms_maelostore — cms_maelostore
An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF vulnerability that can change the administrator password via admin/modul/users/aksi_users.php?act=update.
Published: 2018-09-14. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17045 (MISC)

cqu-lankers — cqu-lankers
CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback parameter in an uploadpic action.
Published: 2018-09-14. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17049 (MISC)

cscms — cscms
CScms 4.1 allows arbitrary file upload by (for example) adding the php extension to the default filetype list (gif, jpg, png), and then providing a .php pathname within fileurl JSON data.
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16731 (MISC, MISC)

cscms — cscms
upload\plugins\sys\adminSetting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16732 (MISC, MISC)

cscms — cscms
upload\plugins\sys\Install.php in CScms 4.1 has XSS via the site name.
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16730 (MISC, MISC)

d-link — dir-600m_devices
D-Link DIR-600M devices allow XSS via the Hostname and Username fields in the Dynamic DNS Configuration page.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16605 (MISC)

d-link — dir-816_a2_1.10_b05_devices
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/sylogapply route. This could lead to command injection via the syslogIp parameter after /goform/clearlog is invoked.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17064 (MISC)

d-link — dir-816_a2_1.10_b05_devices
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/NTPSyncWithHost route. This could lead to command injection via shell metacharacters.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17063 (MISC)

d-link — dir-816_a2_1.10_b05_devices
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/form2systime.cgi route. This could lead to command injection via shell metacharacters in the datetime parameter.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17066 (MISC)

d-link — dir-816_a2_1.10_b05_devices
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. A very long password to /goform/formLogin could lead to a stack-based buffer overflow and overwrite the return address.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17067 (MISC)

d-link — dir-816_a2_1.10_b05_devices
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. Within the handler function of the /goform/DDNS route, a very long password could lead to a stack-based buffer overflow and overwrite the return address.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17065 (MISC)

d-link — dir-816_a2_1.10_b05_devices
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/Diagnosis route. This could lead to command injection via shell metacharacters in the sendNum parameter.
Published: 2018-09-15. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17068 (MISC)

daum_communications — potplayer
A heap-based buffer overflow in PotPlayerMini.exe in PotPlayer 1.7.8556 allows remote attackers to execute arbitrary code via a .wav file with large BytesPerSec and SamplesPerSec values, and a small Data_Chunk_Size value.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16797 (MISC)

daylight_studio — fuel_cms
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
Published: 2018-09-09. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16763 (MISC)

daylight_studio — fuel_cms
FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.
Published: 2018-09-09. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16762 (MISC)

dbf2txt — dbf2txt
An issue has been found in dbf2txt through 2012-07-19. It is an infinite loop.
Published: 2018-09-14. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17042 (MISC, MISC)

dell_emc — vplex_geosynchrony
Dell EMC VPlex GeoSynchrony, versions prior to 6.1, contains an Insecure File Permissions vulnerability. A remote authenticated malicious user could read from VPN configuration files on and potentially author a MITM attack on the VPN traffic.
Published: 2018-09-11. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-11078 (SECTRACK, FULLDISC)

doc2txt — doc2txt
An issue has been found in doc2txt through 2014-03-19. It is a heap-based buffer overflow in the function Storage::init in Storage.cpp, called from parse_doc in parse_doc.cpp.
Published: 2018-09-14. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17043 (MISC, MISC)

docker — moby
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-12608 (MISC)

dotcms — dotcms
dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16980 (MISC)

drools_workbench — drools_workbench
Drools Workbench contains a path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2016-7041 (REDHAT, REDHAT, REDHAT, REDHAT, BID, SECTRACK, CONFIRM)

dusaurabh/php — dusaurabh/php
Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16780 (MISC)

e107 — e107
e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16389 (MISC, CONFIRM)

e107 — e107
e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16388 (MISC, CONFIRM)

easycms — easycms
EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16773 (MISC)

easycms — easycms
The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event.
Published: 2018-09-09. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16759 (MISC)

elefant_cms — elefant_cms
An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16975 (MISC, MISC, MISC)

elefant_cms — elefant_cms
An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in apps/filemanager/upload/drop.php by using /filemanager/api/rm/.htaccess to remove the .htaccess file, and then using a filename that ends in .php followed by space characters (for bypassing the blacklist).
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16974 (MISC, MISC, MISC)

ethereum — go_ethereum
In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.
Published: 2018-09-08. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16733 (MISC)

eventum — eventum
Eventum before 3.4.0 has an open redirect vulnerability.
Published: 2018-09-09. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16761 (MISC)

f5 — big-ip_apm
On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and 13.1.0-13.1.0.3, APMD may core when processing SAML Assertion or response containing certain elements.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-5549 (CONFIRM)

f5 — big-ip_apm
On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of cipher texts.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-5548 (CONFIRM)

f5 — big-ip
A vulnerability in BIG-IP APM portal access 11.5.1-11.5.7, 11.6.0-11.6.3, and 12.1.0-12.1.3 discloses the BIG-IP software version in rewritten pages.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-15310 (CONFIRM)

f5 — websafe_alert_server
On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated user can execute code on the alert server by using a maliciously crafted payload.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-5545 (CONFIRM)

feindura — feindura
feindura 2.0.7 allows XSS via the tags field of a new page created at index.php?category=0&page=new.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16728 (MISC)

ffjpeg — ffjpeg
ffjpeg.dll in ffjpeg before 2018-08-22 allows remote attackers to cause a denial of service (FPE signal) via a progressive JPEG file that lacks an AC Huffman table.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16781 (MISC)

foreman — foreman
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator’s view). The user’s actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2016-7078 (BID, CONFIRM, CONFIRM, CONFIRM, MLIST, CONFIRM)

foreman — foreman
foreman before 1.14.0 is vulnerable to an information leak. It was found that Foreman form helper does not authorize options for associated objects. Unauthorized user can see names of such objects if their count is less than 6.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2016-7077 (BID, CONFIRM, CONFIRM, CONFIRM)

frappe_technologies — erpnext
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-3884 (MISC)

frappe_technologies — erpnext
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-3885 (MISC)

frappe_technologies — erpnext
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-3883 (MISC)

frappe_technologies — erpnext
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-3882 (MISC)

freebsd_project — freebsd
In FreeBSD before 11.2-RELEASE, a stack guard-page is available but is disabled by default. This results in the possibility that a poorly written process could cause a stack overflow.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2017-1083 (MISC)

freebsd_project — freebsd
In FreeBSD before 11.2-RELEASE, an application which calls setrlimit() to increase RLIMIT_STACK may turn a read-only memory region below the stack into a read-write region. A specially crafted executable could be exploited to execute arbitrary code in the user context.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2017-1085 (EXPLOIT-DB, MISC)

freebsd_project — freebsd
In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p3, 11.1-RELEASE-p14, 10.4-STABLE, and 10.4-RELEASE-p12, insufficient validation in the ELF header parser could allow a malicious ELF binary to cause a kernel crash or disclose kernel memory.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-6924 (SECTRACK, FREEBSD)

freebsd_project — freebsd
In FreeBSD before 11.2-RELEASE, multiple issues with the implementation of the stack guard-page reduce the protections afforded by the guard-page. This results in the possibility that a poorly written process could cause a stack overflow.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2017-1084 (EXPLOIT-DB, EXPLOIT-DB, MISC)

freebsd_project — freebsd
In FreeBSD 11.x before 11.1-RELEASE and 10.x before 10.4-RELEASE, the qsort algorithm has a deterministic recursion pattern. Feeding a pathological input to the algorithm can lead to excessive stack usage and potential overflow. Applications that use qsort to handle large data set may crash if the input follows the pathological pattern.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2017-1082 (MISC)

fuji_electric — v-server_lite
A maliciously crafted project file may cause a buffer overflow, which may allow the attacker to execute arbitrary code that affects Fuji Electric V-Server Lite 4.0.3.0 and prior.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-10637 (BID, MISC)

furuno — felcom_250_and_500_devices
FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the xml/permission.xml file containing all of the system’s usernames and passwords. This includes the Admin and Service user accounts and their unsalted MD5 hashes, as well as the SMS server password in cleartext.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16705 (MISC, MISC)

furuno — felcom_250_and_500_devices
FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected “SMS” panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.
Published: 2018-09-10. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16591 (MISC, MISC)

gitolite — gitolite
Gitolite before 3.6.9 does not (in certain configurations involving @all or a regex) properly restrict access to a Git repository that is in the process of being migrated until the full set of migration steps has been completed. This can allow valid users to obtain unintended access.
Published: 2018-09-12. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-16976 (MISC, MISC, MISC)

gogs — gogs
In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an “X-Content-Type-Options: nosniff” header is not sent.
Published: 2018-09-13. CVSS Score: not yet calculated. Source & Patch Info: CVE-2018-17031 (MISC)

golang/go — golang/go
The html package (aka x/net/html) before 2018-07-13 in Go mishandles “in frameset” insertion mode, leading to a “panic: runtime error” for html.Parse of