SB18-330: Vulnerability Summary for the Week of November 19, 2018

Original release date: November 26, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no medium vulnerabilities recorded this week.


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.


Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
apache — spark | In all versions of Apache Spark, its standalone resource manager accepts code to execute on a ‘master’ host, that then runs that code on ‘worker’ hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. | 2018-11-19 | not yet calculated | CVE-2018-17190, BID, MISC
arm — adult_filter | Adult Filter 1.0 has a Buffer Overflow via a crafted Black Domain List file. | 2018-11-22 | not yet calculated | CVE-2018-19459, MISC, EXPLOIT-DB
articlecms — articlecms | ArticleCMS through 2017-02-19 has XSS via the /update_personal_infomation realname or email parameter. | 2018-11-23 | not yet calculated | CVE-2018-19469, MISC
artifex — ghostscript | psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. | 2018-11-23 | not yet calculated | CVE-2018-19475, MISC, MISC, MISC, MISC
artifex — ghostscript | An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. | 2018-11-21 | not yet calculated | CVE-2018-19409, BID, MISC, MISC, GENTOO, MISC
artifex — ghostscript | psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. | 2018-11-23 | not yet calculated | CVE-2018-19477, MISC, MISC, MISC, MISC
artifex — ghostscript | psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. | 2018-11-23 | not yet calculated | CVE-2018-19476, MISC, MISC, MISC, MISC
askey — qbee_camera_app_for_android | Insecure Cryptographic Storage of credentials in com.vestiacom.qbeecamera_preferences.xml in the QBee Cam application through 1.0.5 for Android allows an attacker to retrieve the username and password. | 2018-11-20 | not yet calculated | CVE-2018-16223, MISC, FULLDISC
bestxsoftware — best_free_keylogger | BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse “%PROGRAMFILES%\BFK 5.2.9\syscrb.exe” file because of insecure permissions for the BUILTIN\Users group. | 2018-11-19 | not yet calculated | CVE-2018-18519, MISC
clippercms — clippercms | ClipperCMS 1.3.3 allows remote authenticated administrators to upload .htaccess files. | 2018-11-21 | not yet calculated | CVE-2018-19424, MISC
cloud_foundry — user_account_and_authentication_server | Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges. | 2018-11-19 | not yet calculated | CVE-2018-15761, CONFIRM
comsenz — discuz! | Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting.php and template\default\common\footer.htm mishandle the statcode field from third-party stats code. | 2018-11-22 | not yet calculated | CVE-2018-19464, MISC
contiki-ng — contiki-ng | An issue was discovered in the MQTT server in Contiki-NG before 4.2. The function parse_publish_vhdr() that parses MQTT PUBLISH messages with a variable length header uses memcpy to input data into a fixed size buffer. The allocated buffer can fit only MQTT_MAX_TOPIC_LENGTH (default 64) bytes, and a length check is missing. This could lead to Remote Code Execution via a stack-smashing attack (overwriting the function return address). Contiki-NG does not separate the MQTT server from other servers and the OS modules, so access to all memory regions is possible. | 2018-11-21 | not yet calculated | CVE-2018-19417, MISC
control_web_panel — centos-webpanel | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter. | 2018-11-20 | not yet calculated | CVE-2018-18774, MISC, MISC, EXPLOIT-DB
control_web_panel — centos-webpanel | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command. | 2018-11-20 | not yet calculated | CVE-2018-18772, MISC, MISC, EXPLOIT-DB
control_web_panel — centos-webpanel | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password. | 2018-11-20 | not yet calculated | CVE-2018-18773, MISC, MISC, EXPLOIT-DB
denx — u-boot | DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traffic is mishandled. Also, local exploitation can occur via a crafted kernel image. | 2018-11-20 | not yet calculated | CVE-2018-18439, MLIST
denx — u-boot | DENX U-Boot through 2018.09-rc1 has a locally exploitable buffer overflow via a crafted kernel image because filesystem loading is mishandled. | 2018-11-20 | not yet calculated | CVE-2018-18440, MLIST
fineuploader — fineuploader | Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2 | 2018-11-19 | not yet calculated | CVE-2018-9209, MISC
fluidbyte — codiad | Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code by uploading an executable file. | 2018-11-21 | not yet calculated | CVE-2018-19423, MISC
foxit_software — foxit_reader | FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (Break instruction exception and application crash) via BMP data because of a ConvertToPDF_x86!ConnectedPDF::ConnectedPDFSDK::FCP_SendEmailNotification issue. | 2018-11-20 | not yet calculated | CVE-2018-19389, MISC, MISC
foxit_software — foxit_reader | FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (Break instruction exception and application crash) via TIFF data because of a ConvertToPDF_x86!ConnectedPDF::ConnectedPDFSDK::FCP_SendEmailNotification issue. | 2018-11-20 | not yet calculated | CVE-2018-19390, MISC, MISC
foxit_software — foxit_reader | FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read, access violation, and application crash) via TIFF data because of a ConvertToPDF_x86!ReleaseFXURLToHtml issue. | 2018-11-20 | not yet calculated | CVE-2018-19388, MISC, MISC
freeware_advanced_audio_decoder_2 — freeware_advanced_audio_decoder_2 | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.1. There was a heap-based buffer overflow in the function excluded_channels() in libfaad/syntax.c. | 2018-11-23 | not yet calculated | CVE-2018-19502, MISC, MISC
freeware_advanced_audio_decoder_2 — freeware_advanced_audio_decoder_2 | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.1. There was a stack-based buffer overflow in the function calculate_gain() in libfaad/sbr_hfadj.c. | 2018-11-23 | not yet calculated | CVE-2018-19503, MISC, MISC
freeware_advanced_audio_decoder_2 — freeware_advanced_audio_decoder_2 | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.1. There is a NULL pointer dereference in ifilter_bank() in libfaad/filtbank.c. | 2018-11-23 | not yet calculated | CVE-2018-19504, MISC, MISC
getsimple_cms — getsimple_cms | In GetSimple CMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. | 2018-11-21 | not yet calculated | CVE-2018-19420, MISC
getsimple_cms — getsimple_cms | In GetSimple CMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer renders HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. | 2018-11-21 | not yet calculated | CVE-2018-19421, MISC
git — git | Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if ‘.’ were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017. | 2018-11-23 | not yet calculated | CVE-2018-19486, MISC, MISC
gnome — keyring | GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. | 2018-11-18 | not yet calculated | CVE-2018-19358, MISC, MISC, MISC
gnuplot — gnuplot | An issue was discovered in datafile.c in Gnuplot 5.2.5. This issue allows an attacker to conduct a heap-based buffer overflow with an arbitrary amount of data in df_generate_ascii_array_entry. To exploit this vulnerability, an attacker must pass an overlong string as the right bound of the range argument that is passed to the plot function. | 2018-11-23 | not yet calculated | CVE-2018-19490, MISC, MISC
gnuplot — gnuplot | An issue was discovered in post.trm in Gnuplot 5.2.5. This issue allows an attacker to conduct a buffer overflow with an arbitrary amount of data in the PS_options function. This flaw is caused by a missing size check of an argument passed to the “set font” function. This issue occurs when the Gnuplot postscript terminal is used as a backend. | 2018-11-23 | not yet calculated | CVE-2018-19491, MISC, MISC
gnuplot — gnuplot | An issue was discovered in cairo.trm in Gnuplot 5.2.5. This issue allows an attacker to conduct a buffer overflow with an arbitrary amount of data in the cairotrm_options function. This flaw is caused by a missing size check of an argument passed to the “set font” function. This issue occurs when the Gnuplot pngcairo terminal is used as a backend. | 2018-11-23 | not yet calculated | CVE-2018-19492, MISC, MISC
google — chromium | Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports. | 2018-11-20 | not yet calculated | CVE-2018-10099, MISC, MISC, MISC
google — chromium | Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports. | 2018-11-20 | not yet calculated | CVE-2018-19335, MISC, MISC, MISC
google — chromium | Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports. | 2018-11-20 | not yet calculated | CVE-2018-19334, MISC, MISC, MISC
greencms — greencms | An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to delete a log file via the index.php?m=admin&c=data&a=clear URI. | 2018-11-20 | not yet calculated | CVE-2018-19376, MISC
hayageek — hayageek | Arbitrary file upload in jQuery Upload File <= 4.0.2 | 2018-11-19 | not yet calculated | CVE-2018-9207, MISC
hucart_cms — hucart_cms | HuCart 5.7.4 has SQL injection in get_ip() in system/class/helper_class.php via the X-Forwarded-For HTTP header to the user/index.php?load=login&act=act_login URI. | 2018-11-23 | not yet calculated | CVE-2018-19468, MISC
ibm — api_connect | IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802. | 2018-11-20 | not yet calculated | CVE-2018-1779, BID, XF, CONFIRM
ibm — cloud_private | The Identity and Access Management (IAM) services (IBM Cloud Private 3.1.0) do not use a secure channel, such as SSL, to exchange information only when accessed internally from within the cluster. It could be possible for an attacker with access to network traffic to sniff packets from the connection and uncover data. IBM X-Force ID: 150903 | 2018-11-21 | not yet calculated | CVE-2018-1843, CONFIRM, XF
ibm — cloud_private | IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901. | 2018-11-19 | not yet calculated | CVE-2018-1841, BID, XF, CONFIRM
ibm — websphere_application_server | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing “dot dot slash” sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as “Zip-Slip”. IBM X-Force ID: 149427. | 2018-11-16 | not yet calculated | CVE-2018-1797, BID, SECTRACK, XF, CONFIRM
ismart_alarm — ismartalarm_cube_one_devices | Incorrect access control for the diagnostic files of the iSmartAlarm Cube One through 2.2.4.10 allows an attacker to retrieve them via a specifically crafted TCP request to port 12345 and 22306, and access sensitive information from the device. | 2018-11-20 | not yet calculated | CVE-2018-16224, MISC, FULLDISC
ismart_alarm — ismartalarm_app_for_android | Cleartext Storage of credentials in the iSmartAlarmData.xml configuration file in the iSmartAlarm application through 2.0.8 for Android allows an attacker to retrieve the username and password. | 2018-11-20 | not yet calculated | CVE-2018-16222, MISC, FULLDISC
libansilove — libansilove | The ansilove_ansi function in loaders/ansi.c in libansilove 1.0.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. | 2018-11-18 | not yet calculated | CVE-2018-19353, MISC, MISC
libsndfile — libsndfile | An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. | 2018-11-22 | not yet calculated | CVE-2018-19432, BID, MISC
linux — linux_kernel | In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction. | 2018-11-16 | not yet calculated | CVE-2018-18955, MISC, BID, MISC, MISC, MISC, MISC, EXPLOIT-DB
linux — linux_kernel | kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized. | 2018-11-20 | not yet calculated | CVE-2018-19406, BID, MISC
linux — linux_kernel | The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized. | 2018-11-20 | not yet calculated | CVE-2018-19407, BID, MISC
liquidvpn — liquidvpn | Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the “command_line” parameter as a shell command. | 2018-11-20 | not yet calculated | CVE-2018-18857, MISC, FULLDISC, EXPLOIT-DB
liquidvpn — liquidvpn | Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the value of the “tun_path” or “tap_path” pathname in a kextload() call. | 2018-11-20 | not yet calculated | CVE-2018-18859, MISC, FULLDISC, EXPLOIT-DB
liquidvpn — liquidvpn | Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the “tun_path” or “tap_path” pathname within a shell command. | 2018-11-20 | not yet calculated | CVE-2018-18858, MISC, FULLDISC, EXPLOIT-DB
liquidvpn — liquidvpn | Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the “openvpncmd” parameter as a shell command. | 2018-11-20 | not yet calculated | CVE-2018-18856, MISC, FULLDISC, EXPLOIT-DB
loadbalancer.org — enterprise_va_max | Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed. | 2018-11-20 | not yet calculated | CVE-2018-18864, MISC, FULLDISC
logicspice — logicspice | Logicspice FAQ Script 2.9.7 allows uploading arbitrary files, which leads to remote command execution via admin/faqs/faqimages with a .php file. | 2018-11-22 | not yet calculated | CVE-2018-19457, MISC, EXPLOIT-DB
micro_focus/netiq — access_manager_identity_provider | An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3. | 2018-11-20 | not yet calculated | CVE-2018-17948, MISC
novell — netware | In Novell NetWare before 6.5 SP8, a stack buffer overflow in processing of CALLIT RPC calls in the NFS Portmapper daemon in PKERNEL.NLM allowed remote unauthenticated attackers to execute code, because a length field was incorrectly trusted. | 2018-11-21 | not yet calculated | CVE-2009-5153, MISC, MISC, MISC
paessler — prtg_network_monitor | PRTG Network Monitor before 18.2.40.1683 allows an authenticated user with a read-only account to create another user with a read-write account (including administrator) via an HTTP request because /api/addusers doesn’t check, or doesn’t properly check, user rights. | 2018-11-21 | not yet calculated | CVE-2018-19411, MISC
paessler — prtg_network_monitor | PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the ‘include’ directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the ‘id’ and ‘users’ parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator). | 2018-11-21 | not yet calculated | CVE-2018-19410, MISC
pcman_ftp_server — pcman_ftp_server | Buffer overflow in PCMan FTP Server 2.0.7 allows for remote code execution via the APPE command. | 2018-11-20 | not yet calculated | CVE-2018-18861, MISC
philips — multiple_products | Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system. | 2018-11-19 | not yet calculated | CVE-2018-17906, BID, MISC
php — php | ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell"). | 2018-11-20 | not yet calculated | CVE-2018-19395, BID, MISC
php — php | ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class. | 2018-11-20 | not yet calculated | CVE-2018-19396, BID, MISC
php_proxy — php_proxy | In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246. | 2018-11-22 | not yet calculated | CVE-2018-19458, MISC, EXPLOIT-DB
phpbb — phpbb | Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. | 2018-11-17 | not yet calculated | CVE-2018-19274, MISC, MLIST, CONFIRM
pivotal — cloud_foundry_on_demand_services_sdk | Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations. | 2018-11-19 | not yet calculated | CVE-2018-15759, CONFIRM
portainer.io — portainer | Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case. | 2018-11-20 | not yet calculated | CVE-2018-19367, MISC, MISC
prestashop — prestashop | modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles). | 2018-11-18 | not yet calculated | CVE-2018-19355, MISC
project_jupyter — jupyter_notebook | Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this. | 2018-11-18 | not yet calculated | CVE-2018-19351, MISC, MISC, MISC, MISC
project_jupyter — jupyter_notebook | Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. | 2018-11-18 | not yet calculated | CVE-2018-19352, MISC, MISC, MISC
roche_diagnostics — accu-chek_inform_ii_base_unit_and_coaguchek | An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface. | 2018-11-20 | not yet calculated | CVE-2018-18562, BID, MISC
roche_diagnostics — accu-chek_inform_ii_base_unit_and_coaguchek | An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system. | 2018-11-20 | not yet calculated | CVE-2018-18561, BID, MISC
roche_diagnostics — multiple_products | An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial Number below KQ0400000 or KS0400000) and cobas h 232 before 04.00.04 (Serial Number above KQ0400000 or KS0400000). Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted Poct1-A message. | 2018-11-20 | not yet calculated | CVE-2018-18563, BID, MISC
roche_diagnostics — multiple_products | An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial number below KQ0400000 or KS0400000), and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). A vulnerability in the software update mechanism allows authenticated attackers in the adjacent network to overwrite arbitrary files on the system through a crafted update package. | 2018-11-20 | not yet calculated | CVE-2018-18565, BID, MISC
roche_diagnostics — multiple_products | An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). Improper access control allows attackers in the adjacent network to change the instrument configuration. | 2018-11-20 | not yet calculated | CVE-2018-18564, BID, MISC
royal_applications — royal_ts_and_tsx_browser_extensions | The Royal browser extensions TS before 4.3.60728 (Release Date 2018-07-28) and TSX before 3.3.1 (Release Date 2018-09-13) allow Credentials Disclosure. | 2018-11-20 | not yet calculated | CVE-2018-18865, MISC, FULLDISC, FULLDISC, EXPLOIT-DB
samsung — 840_evo_devices | An issue was discovered on Samsung 840 EVO devices. Vendor-specific commands may allow access to the disk-encryption key. | 2018-11-20 | not yet calculated | CVE-2018-12038, CERT-VN, BID, MISC, CONFIRM
samsung — multiple_devices | An issue was discovered on Samsung 840 EVO and 850 EVO devices (only in “ATA high” mode, not vulnerable in “TCG” or “ATA max” mode), Samsung T3 and T5 portable drives, and Crucial MX100, MX200 and MX300 devices. Absence of a cryptographic link between the password and the Disk Encryption Key allows attackers with privileged access to SSD firmware full access to encrypted data. | 2018-11-20 | not yet calculated | CVE-2018-12037, BID, MISC, CONFIRM
showdoc — showdoc | ShowDoc 2.4.1 has XSS via the lang parameter because install/database.php mishandles the $cur_lang value. | 2018-11-22 | not yet calculated | CVE-2018-19433, MISC
subrion — subrion_cms | /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these. | 2018-11-21 | not yet calculated | CVE-2018-19422, MISC
sysstat — sysstat | An issue was discovered in sysstat 12.1.1. The remap_struct function in sa_common.c has an out-of-bounds read during a memmove call, as demonstrated by sadf. | 2018-11-21 | not yet calculated | CVE-2018-19416, MISC
sysstat — sysstat | An issue was discovered in sysstat 12.1.1. The remap_struct function in sa_common.c has an out-of-bounds read during a memset call, as demonstrated by sadf. | 2018-11-24 | not yet calculated | CVE-2018-19517, MISC
tryton — tryton | The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. | 2018-11-22 | not yet calculated | CVE-2018-19443, MISC, MISC
ucms — ucms | UCMS 1.4.7 allows remote authenticated users to change the administrator password because $_COOKIE['admin_'.cookiehash] is used for arbitrary cookie values that are set and not empty. | 2018-11-22 | not yet calculated | CVE-2018-19437, MISC
vanilla_forums — vanilla | Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class. | 2018-11-23 | not yet calculated | CVE-2018-19499, MISC
weberp — weberp | An issue was discovered on the “Bank Account Matching – Receipts” screen of the General Ledger component in webERP 4.15. BankMatching.php has Blind SQL injection via the AmtClear_ parameter. | 2018-11-22 | not yet calculated | CVE-2018-19434, MISC
weberp — weberp | An issue was discovered in the Sales component in webERP 4.15. SalesInquiry.php has SQL Injection via the SortBy parameter. | 2018-11-22 | not yet calculated | CVE-2018-19435, MISC
weberp — weberp | An issue was discovered in the Manufacturing component in webERP 4.15. CollectiveWorkOrderCost.php has Blind SQL Injection via the SearchParts parameter. | 2018-11-22 | not yet calculated | CVE-2018-19436, MISC
yxcms — yxcms | In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allows remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= followed by that URL. This is related to the onlineinstall and import functions. | 2018-11-20 | not yet calculated | CVE-2018-19404, MISC
z-blogphp — z-blogphp | zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. | 2018-11-22 | not yet calculated | CVE-2018-19463, MISC
zoho — manageengine_opmanager | Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability. | 2018-11-20 | not yet calculated | CVE-2018-18716, MISC, FULLDISC, BUGTRAQ
zoho — manageengine_opmanager | Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS. | 2018-11-20 | not yet calculated | CVE-2018-18715, MISC, FULLDISC, BUGTRAQ



This product is provided subject to this Notification and this Privacy & Use policy.
