SB18-365: Vulnerability Summary for the Week of December 24, 2018

Original release date: December 31, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
orange — arv7519rw22_livebox_2.1_firmware
Description: Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
Published: 2018-12-23 | CVSS Score: 10.0 | CVE-2018-20377 | Source & Patch Info: MISC, MISC, MISC, MISC
s-cms — s-cms
Description: An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field.
Published: 2018-12-25 | CVSS Score: 7.5 | CVE-2018-20477 | Source & Patch Info: MISC


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
audiocoding — freeware_advanced_audio_decoder_2
Description: A NULL pointer dereference was discovered in sbr_process_channel of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash.
Published: 2018-12-22 | CVSS Score: 4.3 | CVE-2018-20357 | Source & Patch Info: MISC

audiocoding — freeware_advanced_audio_decoder_2
Description: An invalid memory address dereference was discovered in the lt_prediction function of libfaad/lt_predict.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Published: 2018-12-22 | CVSS Score: 4.3 | CVE-2018-20358 | Source & Patch Info: MISC

audiocoding — freeware_advanced_audio_decoder_2
Description: An invalid memory address dereference was discovered in the sbrDecodeSingleFramePS function of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Published: 2018-12-22 | CVSS Score: 4.3 | CVE-2018-20359 | Source & Patch Info: MISC

audiocoding — freeware_advanced_audio_decoder_2
Description: An invalid memory address dereference was discovered in the sbr_process_channel function of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Published: 2018-12-22 | CVSS Score: 4.3 | CVE-2018-20360 | Source & Patch Info: MISC

audiocoding — freeware_advanced_audio_decoder_2
Description: An invalid memory address dereference was discovered in the hf_assembly function of libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
Published: 2018-12-22 | CVSS Score: 4.3 | CVE-2018-20361 | Source & Patch Info: MISC

audiocoding — freeware_advanced_audio_decoder_2
Description: A NULL pointer dereference was discovered in ifilter_bank of libfaad/filtbank.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash because adding to windowed output is mishandled in the EIGHT_SHORT_SEQUENCE case.
Published: 2018-12-22 | CVSS Score: 4.3 | CVE-2018-20362 | Source & Patch Info: MISC

s-cms — s-cms
Description: An issue was discovered in S-CMS 3.0. It allows XSS via the admin/demo.php T_id parameter.
Published: 2018-12-25 | CVSS Score: 4.3 | CVE-2018-20476 | Source & Patch Info: MISC


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
frogcms_project — frogcms
Description: Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI.
Published: 2018-12-25 | CVSS Score: 3.5 | CVE-2018-20448 | Source & Patch Info: MISC


Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
74cms — 74cms
Description: An issue was discovered in 74cms v4.2.111. It allows remote authenticated users to read or modify arbitrary resumes by changing a job-search intention, as demonstrated by the pid parameter of index.php?c=Personal&a=ajax_save_basic.
Published: 2018-12-27 | CVSS Score: not yet calculated | CVE-2018-20519 | Source & Patch Info: MISC

74cms — 74cms
Description: An issue was discovered in 74cms v4.2.111. upload/index.php?c=resume&a=resume_list has XSS via the key parameter.
Published: 2018-12-25 | CVSS Score: not yet calculated | CVE-2018-20454 | Source & Patch Info: MISC

advisto — peel_shopping
Description: Peel Shopping peel-shopping_9_1_0 contains a Cross Site Scripting (XSS) vulnerability that allows an authenticated user to inject JavaScript code via the "Site Name EN" parameter. The attack appears to be exploitable only if the malicious user has access to the administration account.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000887 | Source & Patch Info: MISC
amalen — mxq_tv_box_android_device
Description: The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that contains an exported broadcast receiver application component that, when called, will make the device inoperable. The vulnerable component named com.android.server.SystemRestoreReceiver will write a value of --restore_system\n--locale=
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-14988 | Source & Patch Info: MISC, MISC

amalen — mxq_tv_box_android_device
Description: The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that dynamically registers a broadcast receiver app component named com.android.server.MasterClearReceiver instead of statically registering it in the AndroidManifest.xml file of the core Android package, as done in Android Open Source Project (AOSP) code for Android 4.4.2. The dynamic registration of the MasterClearReceiver broadcast receiver app component is not protected with the android.permission.MASTER_CLEAR permission, so any app co-located on the device, even one without any permissions, can programmatically initiate a factory reset of the device. A factory reset removes all user data and apps from the device, so any data that has not been backed up or synced externally is lost. The capability to perform a factory reset is not directly available to third-party apps (those the user installs, with the exception of enabled Mobile Device Management (MDM) apps), but it can be obtained by leveraging this unprotected app component of the core Android process.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-14987 | Source & Patch Info: MISC, MISC
ambit — multiple_devices
Description: Ambit DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, and U10C019 5.66.1026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20380 | Source & Patch Info: MISC, MISC

apache — tika
Description: A carefully crafted or corrupt SQLite file can cause an infinite loop in Apache Tika's SQLite3Parser in Apache Tika versions 1.8 through 1.19.1.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-17197 | Source & Patch Info: BID, MISC

arris — multiple_devices
Description: ARRIS DG950A 7.10.145 and DG950S 7.10.145.EURO devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20383 | Source & Patch Info: MISC, MISC

arris — multiple_devices
Description: ARRIS SBG6580-2 D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20386 | Source & Patch Info: MISC, MISC
asus — aura_sync
Description: The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Model-Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-18535 | Source & Patch Info: MISC, FULLDISC, BID, MISC

asus — aura_sync
Description: The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-18537 | Source & Patch Info: MISC, FULLDISC, BID, MISC

asus — aura_sync
Description: The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read data from and write data to I/O ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-18536 | Source & Patch Info: MISC, FULLDISC, BID, MISC
asus — zenfone_3_max_android_device
Description: The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after the com.asus.loguploader app has dumped it there. Third-party apps are not normally allowed to create a bugreport directly or to access the user's stored wireless network credentials.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-14979 | Source & Patch Info: MISC, MISC

asus — zenfone_3_max_android_device
Description: The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed platform app with a package name of com.asus.dm (versionCode=1510500200, versionName=1.5.0.40_171122) that has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService, allowing any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it. Any app on the device can send an intent with specific embedded data that will cause the com.asus.dm app to programmatically download and install the app. For the app to be downloaded and installed, certain data needs to be provided: the download URL, the package name, the version name from the app's AndroidManifest.xml file, and the MD5 hash of the app. Moreover, any app installed using this method can also be programmatically uninstalled through the same unprotected com.asus.dm.installer.DMInstallerService component.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-14992 | Source & Patch Info: MISC, MISC
battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the direct checking of the API key against a user-supplied value from PHP's $_GET global variable array using PHP's strcmp() function. By appending "[]" to the "key" parameter name in the URL when accessing API functions (which makes PHP deliver the value as an array rather than a string), an attacker could exploit this vulnerability to execute API functions without knowing the key.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000628 | Source & Patch Info: MISC
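Added example, not V2I Hub's own code: a minimal API key check that fails the way the entry above describes, beside a hardened version built on is_string() and hash_equals(). The parameter name key, the placeholder key value, and the assumption that the original used a loose == 0 test on the result of strcmp() are assumptions made for this illustration, not details taken from the advisory.

```php
<?php
// Added illustration, not V2I Hub code. Assumes the caller's key arrives in
// $_GET['key'] and that the original test was a loose "strcmp(...) == 0".

function vulnerable_key_check(array $get, string $apiKey): bool
{
    $supplied = $get['key'] ?? '';
    // A URL of the form ...?key[]=x makes $supplied an array. On PHP 5 and 7,
    // strcmp() then emits a warning and returns NULL, and NULL == 0 is true,
    // so the request is accepted without the key. PHP 8 throws a TypeError
    // instead, which is a crash rather than a bypass but still not a check.
    return @strcmp($supplied, $apiKey) == 0;
}

function hardened_key_check(array $get, string $apiKey): bool
{
    $supplied = $get['key'] ?? null;
    if (!is_string($supplied) || $supplied === '') {
        return false;                      // arrays, nulls, empty strings: reject
    }
    // hash_equals() insists on two strings and compares in constant time,
    // closing the type confusion and the timing side channel at once.
    return hash_equals($apiKey, $supplied);
}

$apiKey = 'replace-me-with-a-random-key';  // constructed placeholder, not a real key

// Legitimate client: both checks accept.
var_dump(vulnerable_key_check(['key' => $apiKey], $apiKey));
var_dump(hardened_key_check(['key' => $apiKey], $apiKey));

// Bypass attempt from the entry: ...?key[]=anything
var_dump(vulnerable_key_check(['key' => ['anything']], $apiKey));
var_dump(hardened_key_check(['key' => ['anything']], $apiKey));
```

On PHP 5.x and 7.x the third call returns true, which is the bypass; the hardened function returns false for the same input. The same is_string() guard belongs in front of any other string function applied to request data, since $_GET and $_POST values can be arrays whenever the client chooses to send them that way.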
battelle — v2i_hub
Description: Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to tmx/TmxCtl/src/lib/PluginStatus.cpp and the TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000631 | Source & Patch Info: MISC

battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 is vulnerable to a denial of service, caused by the failure to restrict access to sensitive functionality. By visiting http://V2I_HUB/UI/powerdown.php, a remote attacker could exploit this vulnerability to shut down the system.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000624 | Source & Patch Info: MISC

battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the lack of a requirement to change the default API key. An attacker who knows the unchanged default API key could call any available API function and gain unauthorized access to the system.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000626 | Source & Patch Info: MISC

battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 contains hard-coded credentials for the administrative account. An attacker could exploit this vulnerability to log in as an admin on any installation and gain unauthorized access to the system.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000625 | Source & Patch Info: MISC

battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by api/SystemConfigActions.php?action=add and the index.php script. A remote attacker could exploit this vulnerability using the parameterName or _login_username parameter in a specially crafted URL to execute script in a victim's web browser within the security context of the hosting website once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000629 | Source & Patch Info: MISC

battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to the API key file. An attacker could exploit this vulnerability to obtain the current API key and gain unauthorized access to the system.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000627 | Source & Patch Info: MISC

battelle — v2i_hub
Description: Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements to /api/PluginStatusActions.php and /status/pluginStatus.php using the jtSorting or id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000630 | Source & Patch Info: MISC
bento4 — bento4
Description: An issue was discovered in Bento4 1.5.1-627. There is an attempt at excessive memory allocation in the AP4_DataBuffer class when called from AP4_HvccAtom::Create in Core/Ap4HvccAtom.cpp.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-20502 | Source & Patch Info: MISC

bento4 — bento4
Description: An issue was discovered in Bento4 1.5.1-627. There is a heap-based buffer over-read in AP4_AvccAtom::Create in Core/Ap4AvccAtom.cpp, as demonstrated by mp42hls.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20409 | Source & Patch Info: MISC

bento4 — bento4
Description: An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_StdcFileByteStream::Create in System/StdC/Ap4StdCFileByteStream.cpp, as demonstrated by mp42hls.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20408 | Source & Patch Info: MISC

bento4 — bento4
Description: An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42hls.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20407 | Source & Patch Info: MISC

bigtree — bigtree
Description: BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20405 | Source & Patch Info: MISC

bnmux — multiple_devices
Description: Bnmux BCW700J 5.20.7, BCW710J 5.30.6a, and BCW710J2 5.30.16 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20387 | Source & Patch Info: MISC, MISC
c3p0 — c3p0
Description: c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-20433 | Source & Patch Info: MISC, MLIST

carl_burch — logisim_evolution
Description: Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in the circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information disclosure and possibly RCE, depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000889 | Source & Patch Info: MISC, MISC

castlenet — multiple_devices
Description: CastleNet CBV38Z4EC 125.553mp1.39219mp1.899.007, CBV38Z4ECNIT 125.553mp1.39219mp1.899.005ITT, CBW383G4J 37.556mp5.008, and CBW38G4J 37.553mp1.008 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20385 | Source & Patch Info: MISC, MISC
cisco — adaptive_security_appliance_software
Description: A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated but unprivileged (privilege level 0 or 1) remote attacker to perform privileged actions through the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. A successful exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-15465 | Source & Patch Info: BID, CISCO, MISC

cms_made_simple — cms_made_simple
Description: There is a reflected XSS vulnerability in admin/myaccount.php in CMS Made Simple 2.2.8. It is triggered when a user attempts to change their email address to a value in an invalid format: the error response echoes the previously entered email address.
Published: 2018-12-25 | CVSS Score: not yet calculated | CVE-2018-20464 | Source & Patch Info: MISC

comtrend — multiple_devices
Description: Comtrend CM-6200un 123.447.007 and CM-6300n 123.553mp1.005 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20388 | Source & Patch Info: MISC, MISC

contiki-ng — contiki-ng
Description: Contiki-NG before 4.2 has a stack-based buffer overflow in the push function in os/lib/json/jsonparse.c that allows an out-of-bounds write of a '{' or '[' character.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20579 | Source & Patch Info: MISC

coolpad — canvas_device
Description: The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) starts writing the system-wide logcat log, the kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of outgoing text messages to the log. The notification normally shown while logging is active can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties through the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-15004 | Source & Patch Info: MISC, MISC
craft_cms — craft_cms
Description: Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
Published: 2018-12-25 | CVSS Score: not yet calculated | CVE-2018-20465 | Source & Patch Info: MISC, MISC

craft_cms — craft_cms
Description: index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20418 | Source & Patch Info: MISC, MISC, EXPLOIT-DB

crashfix — crashfix
Description: CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php and the search() function in protected\models\User.php.
Published: 2018-12-27 | CVSS Score: not yet calculated | CVE-2018-20508 | Source & Patch Info: MISC
d-link — dir-140l_and_dir-640l_devices
Description: dirary0.js on D-Link DIR-140L and DIR-640L devices allows remote unauthenticated attackers to discover admin credentials.
Published: 2018-12-21 | CVSS Score: not yet calculated | CVE-2018-18009 | Source & Patch Info: FULLDISC, BID

d-link — dsl-2770l_devices
Description: atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials.
Published: 2018-12-21 | CVSS Score: not yet calculated | CVE-2018-18007 | Source & Patch Info: FULLDISC, BID

d-link — dsl_and_dir_and_dwr_devices
Description: spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials.
Published: 2018-12-21 | CVSS Score: not yet calculated | CVE-2018-18008 | Source & Patch Info: FULLDISC, BID

d-link — multiple_devices
Description: D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20389 | Source & Patch Info: MISC, MISC

d-link — multiple_devices
Description: D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 and iso.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32 SNMP requests.
Published: 2018-12-25 | CVSS Score: not yet calculated | CVE-2018-20445 | Source & Patch Info: MISC

damicms — damicms
Description: DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a crafted admin.php?s=Tpl/Add/id request, as demonstrated by admin.php?s=Tpl/Add/id/.\Public\Config\config.ini.php to read the global configuration file.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20571 | Source & Patch Info: MISC

dextsolution — dextuploadx5
Description: DEXTUploadX5 versions between 1.0.0.0 and 2.2.0.0 contain a vulnerability that could allow a remote attacker to download and execute an arbitrary remote file by setting the arguments of the ActiveX method, which can be leveraged for code execution.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-5203 | Source & Patch Info: MISC
discuz! — discuzx
Description: Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass a "disabled registration" setting by adding a non-existent wxopenid value to the plugin.php ac=wxregister query string.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20423 | Source & Patch Info: MISC

discuz! — discuzx
Description: Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to delete the common_member_wechatmp data structure via an ac=unbindmp request to plugin.php.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20424 | Source & Patch Info: MISC

discuz! — discuzx
Description: Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass authentication by leveraging a non-empty #wechat#common_member_wechatmp to gain login access to an account via a plugin.php ac=wxregister request (the attacker does not have control over which account will be accessed).
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20422 | Source & Patch Info: MISC

dolibarr — erp_and_crm
Description: Dolibarr ERP/CRM through 8.0.3 has XSS via the datatoexport parameter of /exports/export.php.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-19799 | Source & Patch Info: MISC, MISC, EXPLOIT-DB
douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.php?rec=update has XSS via the title parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20561 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_category.php?rec=update has XSS via the cat_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20562 | Source & Patch Info: MISC

douco — douphp_cms
Description: DouCo DouPHP 1.5 has CSRF in upload/admin/manager.php?rec=insert that allows adding an administrator account.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20419 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20559 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20564 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?rec=update has XSS via the show_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20560 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. It allows full path disclosure in "Smarty error: unable to read resource" error messages for a crafted installation page.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20566 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20565 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. install\index.php allows a reload of the product (re-running the installer) in opportunistic circumstances in which install.lock cannot be read.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20567 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20563 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20557 | Source & Patch Info: MISC

douco — douphp_cms
Description: An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-20558 | Source & Patch Info: MISC
engelsystem — engelsystem
Description: Engelsystem before commit hash 2e28336 allows CSRF.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-19182 | Source & Patch Info: CONFIRM, CONFIRM

epson — workforce_wf-2861_printers
Description: The web service on Epson WorkForce WF-2861 10.48 LQ22I3 (Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-19248 | Source & Patch Info: MISC

epson — workforce_wf-2861_printers
Description: An issue was discovered on Epson WorkForce WF-2861 10.48 LQ22I3, 10.51.LQ20I6 and 10.52.LQ17IA devices. They use SNMP to find certain devices on the network, but the default version is v2c, allowing an amplification attack.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-18960 | Source & Patch Info: MISC

epson — workforce_wf-2861_printers
Description: An issue was discovered on Epson WorkForce WF-2861 10.48 LQ22I3, 10.51.LQ20I6 and 10.52.LQ17IA devices. On the 'Air Print Setting' web page, if the 'Bonjour Service Location' value submitted to /PRESENTATION/BONJOUR is longer than 251 bytes, the device stops functioning until it is rebooted.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-18959 | Source & Patch Info: MISC

epson — workforce_wf-2861_printers
Description: The web service on Epson WorkForce WF-2861 10.48 LQ22I3 (Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to cause a denial of service via a FIRMWAREUPDATE GET request, as demonstrated by the /DOWN/FIRMWAREUPDATE/ROM1 URI.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-19232 | Source & Patch Info: MISC
ethereum — go-ethereum
Description: Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment.
Published: 2018-12-23 | CVSS Score: not yet calculated | CVE-2018-20421 | Source & Patch Info: MISC

ethereum — hashheroes_tiles
Description: The determineWinner function of a smart contract implementation for HashHeroes Tiles, an Ethereum game, uses a certain blockhash value in an attempt to generate a random number for the case where NUM_TILES equals the number of people who purchased a tile, which allows an attacker to control the awarding of the prize by being the last person to purchase a tile.
Published: 2018-12-26 | CVSS Score: not yet calculated | CVE-2018-17987 | Source & Patch Info: MISC

ethereum — nexxustoken
Description: The mintToken function of Nexxus (NXX) aka NexxusToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-18665 | Source & Patch Info: MISC, MISC, MISC

ethereum — pylontoken
Description: The mintToken function of Pylon (PYLNT) aka PylonToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value, a related issue to CVE-2018-11812.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-18667 | Source & Patch Info: MISC, MISC, MISC

ethereum — swftcoin_token
Description: The mintToken function of SwftCoin (SWFTC) aka SwftCoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-18666 | Source & Patch Info: MISC, MISC, MISC

evolution_cms — evolution_cms
Description: Evolution CMS 1.4.x allows XSS via the manager/ search parameter.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-16638 | Source & Patch Info: MISC

evolution_cms — evolution_cms
Description: Evolution CMS 1.4.x allows XSS via the page weblink title parameter to the manager/ URI.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-16637 | Source & Patch Info: MISC
f5 — big-ip
Description: On versions 11.2.1 and later, unrestricted snapshot file access allows a BIG-IP system user with any role, including the Guest role, to access and download previously generated snapshot files (such as QKViews and tcpdump captures) that are available on the BIG-IP Configuration utility.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-15333 | Source & Patch Info: CONFIRM

f5 — big-ip_apm
Description: When APM 13.0.0-13.1.x is deployed as an OAuth Resource Server, APM becomes a client application to an external OAuth authorization server. In certain cases when communication between the BIG-IP APM and the OAuth authorization server is lost, APM may not display the intended message in the failure response.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-15335 | Source & Patch Info: CONFIRM

f5 — big-ip_apm
Description: A cross-site request forgery (CSRF) vulnerability in the APM webtop in 11.2.1 and later may allow an attacker to force an APM webtop session to log out and require re-authentication.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-15334 | Source & Patch Info: CONFIRM

f5 — ip_infusion_zebos_and_ocnos
Description: The BGP daemon (bgpd) in all IP Infusion ZebOS versions through 7.10.6 and all OcNOS versions through 1.3.3.145 allows remote attackers to cause a denial of service via an autonomous system (AS) path containing 8 or more autonomous system number (ASN) elements.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-17539 | Source & Patch Info: CONFIRM
foxit — quick_pdf_library
Description: In Foxit Quick PDF Library (all versions prior to 16.12), loading a malformed or malicious PDF containing invalid xref entries using the DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out-of-bounds memory access.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-20249 | Source & Patch Info: BID, CONFIRM

foxit — quick_pdf_library
Description: In Foxit Quick PDF Library (all versions prior to 16.12), loading a malformed or malicious PDF containing invalid xref table pointers or invalid xref table data using the LoadFromFile, LoadFromString, LoadFromStream, DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out-of-bounds memory access.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-20248 | Source & Patch Info: BID, CONFIRM

foxit — quick_pdf_library
Description: In Foxit Quick PDF Library (all versions prior to 16.12), loading a malformed or malicious PDF containing a recursive page tree structure using the LoadFromFile, LoadFromString or LoadFromStream functions results in a stack overflow.
Published: 2018-12-24 | CVSS Score: not yet calculated | CVE-2018-20247 | Source & Patch Info: BID, CONFIRM

frontaccounting_team — frontaccounting
Description: FrontAccounting 2.4.5 contains a time-based blind SQL injection vulnerability in the "filterType" parameter of /attachments.php that can allow an attacker to extract the entire database of the application.
Published: 2018-12-28 | CVSS Score: not yet calculated | CVE-2018-1000890 | Source & Patch Info: MISC, EXPLOIT-DB
gnu — gnu_tarGNU Tar through 1.30, when –sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user’s process (e.g., a system backup running as root).2018-12-26not yet calculatedCVE-2018-20482
MISC
MISC
MISC
MISC
gnu — gnu_wgetset_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file’s origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.2018-12-26not yet calculatedCVE-2018-20483
MISC
MISC
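Upgrading Wget stops new downloads from recording credentials, but files fetched by older builds still carry the two attributes named in the entry above. The following is an added Python example, not part of Wget or of this bulletin, that finds such files and strips the userinfo from the stored URL while keeping the rest of the attribute. It assumes a Linux filesystem with user extended attributes enabled (os.getxattr/os.setxattr are Linux-only); the sample URL in the tests is constructed.

```python
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Attribute names from the CVE-2018-20483 entry: origin URL and Referer.
ORIGIN_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def url_has_credentials(url):
    """True when the URL's authority carries a userinfo component (user[:password]@host)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def strip_credentials(url):
    """Return the URL with any user:password@ prefix removed; scheme, host, path and query are kept."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]  # keep only host[:port]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_file(path):
    """Map each origin/referrer attribute present on `path` to (value, leaks_credentials)."""
    getxattr = getattr(os, "getxattr", None)  # absent on non-Linux Python builds
    findings = {}
    if getxattr is None:
        return findings
    for attr in ORIGIN_ATTRS:
        try:
            value = getxattr(path, attr).decode("utf-8", "replace")
        except OSError:  # attribute not set, file missing, or filesystem without user xattrs
            continue
        findings[attr] = (value, url_has_credentials(value))
    return findings


def scrub_file(path):
    """Rewrite leaking attributes in place so the host survives but the userinfo is gone."""
    fixed = []
    for attr, (value, leaks) in scan_file(path).items():
        if leaks:
            os.setxattr(path, attr, strip_credentials(value).encode("utf-8"))
            fixed.append(attr)
    return fixed


def scan_tree(root):
    """Walk a download directory and report every file whose xattrs embed credentials."""
    leaking = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for attr, (value, leaks) in scan_file(path).items():
                if leaks:
                    leaking.append((path, attr, strip_credentials(value)))
    return leaking


if __name__ == "__main__":
    for path, attr, safe in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {attr} embeds credentials (redacted form: {safe})")
```

To look at the raw attributes on one file use `getfattr -d -m user.xdg -- FILE`, which is the check the entry itself cites. Note that the redacted URL is still written back: the host and path are useful provenance, only the userinfo is the problem.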
gnu — libextractor
GNU Libextractor through 1.8 has an out-of-bounds read vulnerability in the function history_extract() in plugins/ole2_extractor.c, related to EXTRACTOR_common_convert_to_utf8 in common/convert.c.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20430 | Sources: BID, MISC (×3), MLIST, DEBIAN

gnu — libextractor
GNU Libextractor through 1.8 has a NULL pointer dereference vulnerability in the function process_metadata() in plugins/ole2_extractor.c.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20431 | Sources: BID, MISC (×3), MLIST, DEBIAN

google — chrome
The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of < in a message, because a danmuWrapper DIV element in chatbox-onlydanmu.js is outside the scope of a Content Security Policy (CSP).
Published: 2018-12-27 | CVSS: not yet calculated | CVE-2018-20524 | Sources: MISC

imagemagick — imagemagick
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20467 | Sources: BID, MISC (×2)

inovo — broadband_devices
iNovo Broadband IB-8120-W21 139.4410mp1.004200.002 and IB-8120-W21E1 139.4410mp1.3921132mp1.899.004404.004 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20384 | Sources: MISC (×2)

ivan_cordoba — generic_cms
user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20569 | Sources: MISC

ivan_cordoba — generic_cms
Administrator/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20568 | Sources: MISC

jasper — jasper
jp2_encode in jp2/jp2_enc.c in JasPer 2.0.14 has a heap-based buffer over-read.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20570 | Sources: MISC

jeecms — jeecms
JEECMS 9 has SSRF via the ueditor/getRemoteImage.jspx upfile parameter.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20528 | Sources: MISC

jiuzhou — bcm93383wrg_devices
Jiuzhou BCM93383WRG 139.4410mp1.3921132mp1.899.004404.004 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20382 | Sources: MISC (×2)

kaonmedia — cg2001_devices
Kaonmedia CG2001-AN22A 1.2.1, CG2001-UDBNA 3.0.8, and CG2001-UN2NA 3.0.8 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20390 | Sources: MISC (×2)

kirby_cms — kirby_cms
Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-16630 | Sources: MISC
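An SVG is an XML document that browsers render with a full scripting context, so an upload feature that accepts it as "just an image" hands attackers a stored-XSS vector like the Kirby entry above. The following is an added Python example, not part of Kirby or of this bulletin, of the server-side check an upload handler should run before storing an SVG: it rejects DTDs outright and flags script elements, event-handler attributes and script-scheme hrefs. The two sample documents are constructed test inputs.

```python
import xml.etree.ElementTree as ET

# Element types that execute script or embed arbitrary HTML when the SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that turn a clickable or animated href into script execution.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _active_href(value):
    # Browsers ignore control characters and whitespace inside the scheme, so normalise first.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    return cleaned.startswith(ACTIVE_SCHEMES)


def svg_findings(data):
    """Return active-content findings for an SVG document; an empty list means none were found."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    # An image never needs a DTD; refusing it also keeps entity-expansion input away from the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["doctype"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error:{exc}"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element:{name}")
        for attr, value in elem.attrib.items():
            lname = _local(attr)
            if lname.startswith("on"):          # onload, onclick, onbegin, ...
                findings.append(f"attribute:{lname}")
            elif lname == "href" and _active_href(value):
                findings.append(f"href:{value}")
    return findings


def svg_is_safe_to_store(data):
    return not svg_findings(data)


# Constructed samples: one plain drawing and one carrying the three classic tricks.
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)
EVIL_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    '<script>alert(document.domain)</script>'
    '<a xlink:href="JavaScript:alert(2)"><text>x</text></a></svg>'
)
```

A check like this is a gate, not a sanitizer: on a finding, reject the upload rather than trying to clean it, and serve user-supplied SVGs from a separate origin (or with Content-Disposition: attachment) so that whatever slips through cannot read the application's cookies.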
leagoo — p1_android_device
The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. The vendor has made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and ro.secure system properties to a certain value and then restarting the ADB daemon allows a root shell to be obtained via ADB.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-14998 | Sources: MISC (×2)

leagoo — z5c_android_device
The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) containing an exported content provider named com.android.messaging.datamodel.MessagingContentProvider. Any app co-located on the device can read the most recent text message from each conversation. That is, for each phone number with which the user has either sent or received a text message, a zero-permission third-party app can obtain the body of the text message, the phone number, the name of the contact (if it exists), and a timestamp for the most recent text message of each conversation. As the querying of the vulnerable content provider app component can be performed silently in the background, a malicious app can continuously monitor the content provider to see whether the current message in each conversation has changed, and so obtain new text messages.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-14986 | Sources: MISC (×2)

leagoo — z5c_android_device
The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-android.20170630.092853) that contains an exported broadcast receiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device, resulting in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves, with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-14985 | Sources: MISC (×2)

leagoo — z5c_android_device
The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) with an exported broadcast receiver app component named com.android.messaging.trackersender.TrackerSender. Any app co-located on the device, even one with no permissions, can send a broadcast intent with certain embedded data to the exported broadcast receiver application component, which results in the programmatic sending of a text message whose phone number and body are controlled by the attacker.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-14984 | Sources: MISC (×2)

libcaca — libcaca
There is an illegal READ memory access at caca/dither.c (function get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20547 | Sources: MISC

libcaca — libcaca
There is an illegal WRITE memory access at caca/file.c (function caca_file_read) in libcaca 0.99.beta19.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20549 | Sources: MISC

libcaca — libcaca
There is an illegal WRITE memory access at common-image.c (function load_image) in libcaca 0.99.beta19 for 4bpp data.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20545 | Sources: MISC

libcaca — libcaca
There is an illegal WRITE memory access at common-image.c (function load_image) in libcaca 0.99.beta19 for 1bpp data.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20548 | Sources: MISC

libcaca — libcaca
There is an illegal READ memory access at caca/dither.c (function get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20546 | Sources: MISC

libcaca — libcaca
There is a floating point exception at caca/dither.c (function caca_dither_bitmap) in libcaca 0.99.beta19.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20544 | Sources: MISC

libdoc — libdoc
The getlong function in numutils.c in libdoc through 2017-10-23 has a heap-based buffer over-read that allows attackers to cause a denial of service (application crash) via a crafted file.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20453 | Sources: MISC

libdoc — libdoc
The process_file function in reader.c in libdoc through 2017-10-23 has a heap-based buffer over-read that allows attackers to cause a denial of service (application crash) via a crafted file.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20451 | Sources: MISC

liblas — liblas
There is a segmentation fault triggered by an illegal address access at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20539 | Sources: MISC

liblas — liblas
There is a memory leak at liblas::Open (liblas/liblas.hpp) in libLAS 1.8.1.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20540 | Sources: MISC

liblas — liblas
There is a NULL pointer dereference at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20537 | Sources: MISC

liblas — liblas
There is a heap-based buffer over-read at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20536 | Sources: MISC

libming — libming
libming 0.4.8 has a NULL pointer dereference in the strlenext function of the decompile.c file, a different vulnerability than CVE-2018-7874.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20428 | Sources: MISC

libming — libming
libming 0.4.8 has a NULL pointer dereference in the getName function of the decompile.c file, a different vulnerability than CVE-2018-7872 and CVE-2018-9165.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20429 | Sources: MISC

libming — libming
libming 0.4.8 has a NULL pointer dereference in the newVar3 function of the decompile.c file, a different vulnerability than CVE-2018-7866.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20426 | Sources: MISC

libming — libming
libming 0.4.8 has a NULL pointer dereference in the getInt function of the decompile.c file, a different vulnerability than CVE-2018-9132.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20427 | Sources: MISC

libming — libming
libming 0.4.8 has a NULL pointer dereference in the pushdup function of the decompile.c file.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-20425 | Sources: MISC
libraw — libraw
LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference.
Published: 2018-12-22 | CVSS: not yet calculated | CVE-2018-20364 | Sources: BID, MISC

libraw — libraw
LibRaw::raw2image() in libraw_cxx.cpp has a heap-based buffer overflow.
Published: 2018-12-22 | CVSS: not yet calculated | CVE-2018-20365 | Sources: BID, MISC

libraw — libraw
LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference.
Published: 2018-12-22 | CVSS: not yet calculated | CVE-2018-20363 | Sources: BID, MISC

libsolv — libsolv
There is an illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a in libsolv through 0.7.2 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20534 | Sources: MISC (×2)

libsolv — libsolv
There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20533 | Sources: MISC (×2)

libsolv — libsolv
There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20532 | Sources: MISC (×2)

libxls — libxls
The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid free that allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, because of inconsistent memory management (new versus free) in ole2_read_header in ole.c.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20452 | Sources: MISC

libxls — libxls
The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2017-2897.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20450 | Sources: MISC

libxsmm — libxsmm
There is a heap-based buffer overflow at generator_spgemm_csc_reader.c (function libxsmm_sparse_csc_reader) in LIBXSMM 1.10, a different vulnerability than CVE-2018-20541 (which is in a different part of the source code and is seen at a different address).
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20542 | Sources: MISC (×4)

libxsmm — libxsmm
There is an attempted excessive memory allocation at libxsmm_sparse_csc_reader in generator_spgemm_csc_reader.c in LIBXSMM 1.10 that will cause a denial of service.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20543 | Sources: MISC

libxsmm — libxsmm
There is a heap-based buffer overflow in libxsmm_sparse_csc_reader at generator_spgemm_csc_reader.c in LIBXSMM 1.10, a different vulnerability than CVE-2018-20542 (which is in a different part of the source code and is seen at different addresses).
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20541 | Sources: MISC (×3)

linux — linux_kernel
An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.
Published: 2018-12-27 | CVSS: not yet calculated | CVE-2018-20511 | Sources: MISC, BID, MISC (×3)

metinfo — metinfo
MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php url_array[] parameter.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-20486 | Sources: MISC (×2)

mezzanine_cms — mezzanine_cms
Mezzanine CMS v4.3.1 allows XSS via the /admin/blog/blogcategory/add/?_to_field=id&_popup=1 title parameter at admin/blog/blogpost/add/.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-16632 | Sources: MISC

microstrategy — microstrategy_web
main.aspx in MicroStrategy Analytics 10.4.0026.0049 and earlier has CSRF.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-18696 | Sources: MISC, BUGTRAQ

minicms — minicms
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233.
Published: 2018-12-27 | CVSS: not yet calculated | CVE-2018-20520 | Sources: MISC

mit — kerberos
A reachable assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-20217 | Sources: CONFIRM (×2), FEDORA
ml_report — ml_report_enterprise
ML Report versions between 2.00.000.0000 and 2.18.628.5980 contain a vulnerability that could allow a remote attacker to download and execute an arbitrary remote file by setting the arguments of an ActiveX method; this can be leveraged for code execution.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-5204 | Sources: MISC

motorola — multiple_devices
Motorola SBG901 SBG901-2.10.1.1-GA-00-581-NOSH, SBG941 SBG941-2.11.0.0-GA-07-624-NOSH, and SVG1202 SVG1202-2.1.0.0-GA-14-LTSH devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20399 | Sources: BID, MISC (×2)

mplus — cbc383z_devices
mplus CBC383Z CBC383Z_mplus_MDr026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20397 | Sources: MISC (×2)

nec_corporation_of_america — nec_univerge_sv9100_webpro
NEC Univerge Sv9100 WebPro 6.00.00 devices have cleartext password storage in the Web UI.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-11742 | Sources: MISC (×2), FULLDISC, EXPLOIT-DB

nec_corporation_of_america — nec_univerge_sv9100_webpro
NEC Univerge Sv9100 WebPro 6.00.00 devices have predictable session IDs that result in account information disclosure via Home.htm?sessionId=#####&GOTO(8) URIs.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-11741 | Sources: MISC (×2), FULLDISC, EXPLOIT-DB

net&sys — multiple_devices
NET&SYS MNG2120J 5.76.1006c and MNG6300 5.83.6305jrc2 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20396 | Sources: MISC (×2)

netwave — mng6200_devices
NETWAVE MNG6200 C4835805jrc12FU121413.cpr devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20395 | Sources: MISC (×2)

netwide_assembler — netwide_assembler
There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during a line-number increment attempt.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20535 | Sources: MISC

netwide_assembler — netwide_assembler
There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during certain finishes tests.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20538 | Sources: MISC

nuttx — nuttx
An issue was discovered in NuttX before 7.27. The function netlib_parsehttpurl() in apps/netutils/netlib/netlib_parsehttpurl.c mishandles URLs longer than hostlen bytes (in the webclient, this is set by default to 40), leading to an infinite loop. The attack vector is the Location header of an HTTP 3xx response.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20578 | Sources: MISC (×2)

orange — livebox
Orange Livebox 00.96.320S devices allow CSRF against cgi-bin/restore.exe, cgi-bin/firewall_SPI.exe, cgi-bin/setup_remote_mgmt.exe, cgi-bin/setup_pass.exe, and cgi-bin/upgradep.exe. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20577 | Sources: MISC

orange — livebox
Orange Livebox 00.96.320S devices allow CSRF against cgi-bin/autodialing.exe and cgi-bin/phone_test.exe, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20576 | Sources: MISC (×2)

orange — livebox
Orange Livebox 00.96.320S devices have an undocumented /system_firmwarel.stm URI for manual firmware update. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20575 | Sources: MISC

php_group — pear
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502 / CWE-915 vulnerability in the Archive_Tar class. Several file operations (file_exists, is_file, is_dir, etc.) take `$v_header['filename']` as their parameter. When extract is called without a specific prefix path, unserialization can be triggered by crafting a tar file whose entry path is `phar://[path_to_malicious_phar_file]`. Object injection can be used to trigger the destructors of loaded PHP classes, e.g. the Archive_Tar class itself: with an injected Archive_Tar object, arbitrary file deletion occurs because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, remote code execution may be possible, resulting in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-1000888 | Sources: MISC (×2), CONFIRM (×2)

phpscriptsmall.com — website_seller_script
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to CVE-2018-15896.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20530 | Sources: MISC

poppler — poppler
A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-20551 | Sources: MISC (×2)

poppler — poppler
XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20481 | Sources: BID, MISC (×2)
pulse_secure — secure_access_sa_series_ssl_vpn_products
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed. Specifically, it is possible for a read-only user to change the administrator user password by making a local copy of the /dana-admin/user/update.cgi page, changing the "user" value, and saving the changes.
Published: 2018-12-21 | CVSS: not yet calculated | CVE-2018-20193 | Sources: FULLDISC, BID

python — python
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20406 | Sources: MISC (×2)

q'center — virtual_appliance
Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject JavaScript code into the compromised application, a different vulnerability than CVE-2018-0723.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-0724 | Sources: CONFIRM

q'center — virtual_appliance
Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject JavaScript code into the compromised application, a different vulnerability than CVE-2018-0724.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-0723 | Sources: CONFIRM

radare2 — radare2
In radare2 prior to 3.1.1, r_bin_dyldcache_extract in libr/bin/format/mach0/dyldcache.c may allow attackers to cause a denial of service (application crash caused by out-of-bounds read) by crafting an input file.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20458 | Sources: MISC (×2)

radare2 — radare2
In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial of service (application crash by out-of-bounds read) by crafting an ARM assembly input, because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20459 | Sources: MISC (×2)

radare2 — radare2
In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c allows attackers to cause a denial of service (application crash caused by out-of-bounds read) by crafting a binary file.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20461 | Sources: MISC (×2)

radare2 — radare2
In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p/asm_x86_nz.c may allow attackers to cause a denial of service (application crash in libr/util/strbuf.c via a stack-based buffer over-read) by crafting an input file, a related issue to CVE-2018-20455.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20456 | Sources: MISC (×2)

radare2 — radare2
In radare2 through 3.1.3, the assemble function inside libr/asm/p/asm_arm_cs.c allows attackers to cause a denial of service (application crash via an r_num_calc out-of-bounds read) by crafting an ARM assembly input, because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20459.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20457 | Sources: MISC (×2)

radare2 — radare2
In radare2 prior to 3.1.2, the parseOperands function in libr/asm/arch/arm/armass64.c allows attackers to cause a denial of service (application crash caused by stack-based buffer overflow) by crafting an input file.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20460 | Sources: MISC (×2)

radare2 — radare2
In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p/asm_x86_nz.c may allow attackers to cause a denial of service (application crash via a stack-based buffer overflow) by crafting an input file, a related issue to CVE-2018-20456.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20455 | Sources: MISC (×2)

rockwell_automation_allen-bradley — powermonitor_1000
An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add, edit and remove administrators because access control is implemented on the client side via a disabled attribute on a BUTTON element.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-19616 | Sources: MISC, EXPLOIT-DB

rockwell_automation_allen-bradley — powermonitor_1000
An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. /Security/Security.shtm has stored XSS via a /Security/cgi-bin/security URI.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-19615 | Sources: MISC, EXPLOIT-DB

s-cms — s-cms
An issue was discovered in S-CMS 1.0. It allows SQL injection via the wap_index.php?type=newsinfo S_id parameter.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20479 | Sources: MISC

s-cms — s-cms
An issue was discovered in S-CMS 1.0. It allows SQL injection via the js/pic.php P_id parameter.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20480 | Sources: MISC

s-cms — s-cms
An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value.
Published: 2018-12-25 | CVSS: not yet calculated | CVE-2018-20478 | Sources: MISC
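The mixed-case bypass in the S-CMS entry above is a general pattern: a download handler that denies ".php" by exact string comparison, on a case-insensitive filesystem or with a case-insensitive handler, still reads and returns "download.Php". The following is an added Python example, not S-CMS code (the bulletin does not show how its check was written; the weak function below reconstructs a plausible case-sensitive denylist), placing that weak check beside a hardened one that allowlists extensions case-insensitively and confines the resolved path to the download directory. The extension allowlist and the directory /srv/scms/downloads are assumptions.

```python
import os

# Extensions the download endpoint is meant to serve (assumed allowlist for this example).
ALLOWED_EXTENSIONS = {".pdf", ".zip", ".png", ".jpg", ".txt"}
DOWNLOAD_ROOT = "/srv/scms/downloads"  # assumed base directory


def weak_is_allowed(down_name):
    """Reconstruction of the failing pattern: a case-sensitive denylist on the extension.
    "download.Php" passes because ".Php" != ".php", while the file is opened and returned
    verbatim, so the PHP source is disclosed."""
    return not down_name.endswith(".php")


def hardened_is_allowed(down_name, root=DOWNLOAD_ROOT):
    """Allowlist the extension case-insensitively and confine the resolved path to `root`."""
    if not down_name or "\x00" in down_name or "/" in down_name or "\\" in down_name:
        return False
    if down_name.startswith("."):  # ".", ".." and dotfiles such as .htaccess
        return False
    ext = os.path.splitext(down_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, down_name))
    # Even with separators rejected above, check the resolved path is still inside the root.
    return os.path.commonpath([root, full]) == root


def serve_download(down_name, root=DOWNLOAD_ROOT):
    """Return the file bytes for an allowed name, or None; callers turn None into a 404."""
    if not hardened_is_allowed(down_name, root):
        return None
    with open(os.path.join(os.path.realpath(root), down_name), "rb") as fh:
        return fh.read()
```

Two properties matter here: the decision is made on a normalised (lower-cased) extension against an allowlist, so an attacker cannot pick a spelling the check does not know about, and the path is resolved and compared after normalisation, so the extension check cannot be sidestepped by a traversal in the name.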
safe_software — fme_server
Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords of the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts grants any user the default privilege roles that were also created for each of the accounts.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20402 | Sources: MISC

schneider_electric — evlink_parking
A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when remote code execution is performed.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7801 | Sources: CONFIRM

schneider_electric — evlink_parking
A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable an attacker to gain access to the device.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7800 | Sources: CONFIRM

schneider_electric — evlink_parking
A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7802 | Sources: CONFIRM

schneider_electric — foxview_hmi_scada
A Credential Management vulnerability exists in FoxView HMI SCADA (all Foxboro DCS, Foxboro Evo, and IA Series versions prior to Foxboro DCS Control Core Services 9.4 (CCS 9.4) and FoxView 10.5) which could cause unauthorized disclosure, modification, or disruption of service when the password is modified without permission.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7793 | Sources: CONFIRM

schneider_electric — gp-pro_ex
An Improper Input Validation vulnerability exists in Pro-Face GP-Pro EX v4.08 and previous versions which could cause execution of an arbitrary executable when GP-Pro EX is launched.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7832 | Sources: CONFIRM

schneider_electric — iiot_monitor
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in IIoT Monitor 3.1.38 which could allow access to files available to the SYSTEM user.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7835 | Sources: CONFIRM

schneider_electric — iiot_monitor
An Unrestricted Upload of File with Dangerous Type vulnerability exists in numerous methods of the IIoT Monitor 3.1.38 software that could allow upload and execution of malicious files.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7836 | Sources: CONFIRM

schneider_electric — iiot_monitor
An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists in numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7837 | Sources: CONFIRM

schneider_electric — powersuite2
A Buffer Error vulnerability exists in PowerSuite 2, all released versions (VW3A8104 & Patches), which could cause an overflow in the memcpy function, leading to corruption of data and program instability.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-7796 | Sources: CONFIRM

scientific_atlanta_webstar — dpc2100_devices
S-A WebSTAR DPC2100 v2.0.2r1256-060303 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20392 | Sources: MISC (×2)

sky_elite — 6.0l+_android_device
The Sky Elite 6.0L+ Android device with a build fingerprint of SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys contains a pre-installed platform app with a package name of com.fw.upgrade.sysoper (versionCode=238, versionName=2.3.8) that contains an exported broadcast receiver app component named com.adups.fota.sysoper.WriteCommandReceiver that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. The com.fw.upgrade.sysoper app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video-record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events into the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) to one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more.
Published: 2018-12-28 | CVSS: not yet calculated | CVE-2018-15007 | Sources: MISC (×2)

skyworth — multiple_cm5100_devices
Skyworth CM5100 V1.1.0, CM5100-440 V1.2.1, CM5100-511 4.1.0.14, CM5100-GHD00 V1.2.2, and CM5100.g2 4.1.0.17 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
Published: 2018-12-23 | CVSS: not yet calculated | CVE-2018-20398 | Sources: MISC (×2)

sqlite — sqlite
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
Published: 2018-12-21 | CVSS: not yet calculated | CVE-2018-20346 | Sources: BID, MISC (×8), MLIST, MISC (×6), CONFIRM

suse — repository_mirroring_tool
The YaST2 RMT module for configuring the SUSE Repository Mirroring Tool (RMT) before 1.1.2 exposed MySQL database passwords on the process command line, allowing local attackers to access or corrupt the RMT database.
Published: 2018-12-26 | CVSS: not yet calculated | CVE-2018-17957 | Sources: CONFIRM (×2)

synology — diskstation_manager
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-8917 | Sources: CONFIRM

synology — diskstation_manager
Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-8919 | Sources: CONFIRM

synology — diskstation_manager
Improper neutralization of escape sequences vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content, with an unspecified impact, when an archive is exported in CSV format.
Published: 2018-12-24 | CVSS: not yet calculated | CVE-2018-8920 | Sources: CONFIRM
synology — router_managerCross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter.2018-12-24not yet calculatedCVE-2018-8918
CONFIRM
tcpreplay — tcpreplayTcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len in common/get.c.2018-12-28not yet calculatedCVE-2018-20553
MISC
MISC
tcpreplay — tcpreplay
Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree in tree.c.2018-12-28not yet calculatedCVE-2018-20552
MISC
MISC
technicolor — multiple_devicesTechnicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU, CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC, DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a, TC7110.AR STD3.38.03, TC7110.B STC8.62.02, TC7110.D STDB.79.02, TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT, and TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.2018-12-23not yet calculatedCVE-2018-20393
MISC
MISC
technicolor — multiple_devicesTechnicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.2018-12-25not yet calculatedCVE-2018-20439
MISC
technicolor — multiple_devicesTechnicolor DPC2320 dpc2300r2-v202r1244101-150420a-v6 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.2018-12-23not yet calculatedCVE-2018-20381
MISC
MISC
technicolor — multiple_devicesTechnicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-160428a devices allow XSS via a Cross Protocol Injection attack with setSSID of 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.1.1.3.10001.2018-12-23not yet calculatedCVE-2018-20379
MISC
technicolor — multiple_devicesTechnicolor TC7110.AR STD3.38.03 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.2018-12-25not yet calculatedCVE-2018-20438
MISC
technicolor — multiple_devicesTechnicolor CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.2018-12-25not yet calculatedCVE-2018-20440
MISC
technicolor — multiple_devicesTechnicolor TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.2018-12-25not yet calculatedCVE-2018-20441
MISC
technicolor — multiple_devicesTechnicolor TC7110.B STC8.62.02 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.2018-12-25not yet calculatedCVE-2018-20442
MISC
technicolor — multiple_devicesTechnicolor TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.2018-12-25not yet calculatedCVE-2018-20443
MISC
technicolor — multiple_devicesTechnicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.2018-12-25not yet calculatedCVE-2018-20444
MISC
teknotel — cbw700n_devicesTEKNOTEL CBW700N 81.447.392110.729.024 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.2018-12-23not yet calculatedCVE-2018-20391
MISC
MISC
telegram — telegram
CVE-2018-20436 | Published: 2018-12-24 | CVSS: not yet calculated | Sources: MISC, MISC
The “secret chat” feature in Telegram 4.9.1 for Android has a “side channel” in which Telegram servers send GET requests for URLs typed while composing a chat message, before that chat message is sent. There are also GET requests to other URLs on the same web server. This also affects one or more other Telegram products, such as Telegram Web-version 0.7.0. In addition, it can be interpreted as an SSRF issue.

the_qt_company — qt
CVE-2018-19873 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: SUSE, CONFIRM, CONFIRM
An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.

the_qt_company — qt
CVE-2018-15518 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: SUSE, CONFIRM, CONFIRM
QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.

the_qt_company — qt
CVE-2018-19871 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: CONFIRM, CONFIRM
An issue was discovered in Qt before 5.11.3. QTgaFile is subject to uncontrolled resource consumption.

the_qt_company — qt
CVE-2018-19870 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: CONFIRM, CONFIRM
An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.

the_qt_company — qt
CVE-2018-19869 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: CONFIRM, CONFIRM
An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.

thomson — multiple_devices
CVE-2018-20394 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC, MISC
Thomson DWG849 STC0.01.16, DWG850-4 ST9C.05.25, DWG855 ST80.20.26, and TWG870 STB2.01.36 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.

tiny_c_compiler — tiny_c_compiler
CVE-2018-20375 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the sym_pop function in tccgen.c.

tiny_c_compiler — tiny_c_compiler
CVE-2018-20376 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the asm_parse_directive function in tccasm.c.

tiny_c_compiler — tiny_c_compiler
CVE-2018-20374 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the use_section1 function in tccasm.c.

ubee — multiple_devices
CVE-2018-20400 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC, MISC
Ubee DVW2108 6.28.1017 and DVW2110 6.28.2012 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
via_technologies — epia-e900_system_board
CVE-2018-20404 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: MISC
ETK_E900.sys, a SmartETK driver for the VIA Technologies EPIA-E900 system board, is vulnerable to a denial of service attack via IOCTL 0x9C402048, which calls memmove and constantly fails on an arbitrary (uncontrollable) address, resulting in an indefinite hang or a BSoD.

vivo — v7_android_device
CVE-2018-15001 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC, MISC
The Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys contains a platform app with a package name of com.vivo.bsptest (versionCode=1, versionName=1.0) containing an exported activity app component named com.vivo.bsptest.BSPTestActivity that allows any app co-located on the device to initiate the writing of the logcat log, bluetooth log, and kernel log to external storage. When logging is enabled, there is a notification in the status bar, so it is not completely transparent to the user. The user can cancel the logging, but it can be re-enabled since the app with a package name of com.vivo.bsptest cannot be disabled. The writing of these logs can be initiated by an app co-located on the device, although the READ_EXTERNAL_STORAGE permission is necessary for an app to access the log files.

vivo — v7_android_device
CVE-2018-15002 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC, MISC
The Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys allows any app co-located on the device to set system properties as the com.android.phone user. The com.qualcomm.qti.modemtestmode app (versionCode=25, versionName=7.1.2) contains an exported service named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app co-located on the device to provide key-value pairs to set certain system properties. Notably, system properties with the persist.* prefix can be set, which will survive a reboot. On the Vivo V7 device, when the persist.sys.input.log property is set to have a value of yes, the user’s screen touches are written to the logcat log by the InputDispatcher for all apps. The system-wide logcat log can be obtained from external storage via a different known vulnerability on the device. The READ_EXTERNAL_STORAGE permission is necessary to access the log files containing the user’s touch coordinates. With some effort, the user’s touch coordinates can be mapped to key presses on a keyboard.
weberp — weberp
CVE-2018-20420 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC
In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access Control, leading to the overwrite of an existing .sql file on the target web site by creating a template and then using ../ directory traversal in the TemplateName parameter.

wellintech — kingscada
CVE-2018-20410 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC, MISC
WellinTech KingSCADA before 3.7.0.0.1 contains a stack-based buffer overflow. The vulnerability is triggered when sending a specially crafted packet to the AlarmServer (AEserver.exe) service listening on TCP port 12401.

wordpress — wordpress
CVE-2018-20463 | Published: 2018-12-25 | CVSS: not yet calculated | Sources: MISC
An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.

wordpress — wordpress
CVE-2018-20462 | Published: 2018-12-25 | CVSS: not yet calculated | Sources: MISC
An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.

wuzhi_cms — wuzhi_cms
CVE-2018-20572 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC
WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893.

xiaomi — mi_a1_devices
CVE-2018-18698 | Published: 2018-12-24 | CVSS: not yet calculated | Sources: MISC
An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE devices. They store cleartext Wi-Fi passwords in logcat during the process of setting up the phone as a hotspot.

xmplay — xmplay
CVE-2018-19357 | Published: 2018-12-24 | CVSS: not yet calculated | Sources: EXPLOIT-DB
XMPlay 3.8.3 allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted http:// URL in a .m3u file.

yaml-cpp — yaml-cpp
CVE-2018-20574 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC
The SingleDocParser::HandleFlowMap function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.

yaml-cpp — yaml-cpp
CVE-2018-20573 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC
The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.

zoho — manageengine_adselfservice_plus
CVE-2018-20485 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: MISC
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.

zoho — manageengine_adselfservice_plus
CVE-2018-20484 | Published: 2018-12-26 | CVSS: not yet calculated | Sources: MISC
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

zoho — manageengine_opmanager
CVE-2018-20338 | Published: 2018-12-21 | CVSS: not yet calculated | Sources: BID, MISC
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.

zoho — manageengine_opmanager
CVE-2018-20339 | Published: 2018-12-21 | CVSS: not yet calculated | Sources: BID, MISC
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.

zoom — 5352_devices
CVE-2018-20401 | Published: 2018-12-23 | CVSS: not yet calculated | Sources: MISC, MISC
Zoom 5352 v5.5.8.6Y devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
zte — blade_vantage_android_device
CVE-2018-14995 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC, MISC
The ZTE Blade Vantage Android device with a build fingerprint of ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys, the ZTE Blade Spark Android device with a build fingerprint of ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys, the ZTE ZMAX Pro Android device with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contain a pre-installed platform app with a package name of com.android.modem.service (versionCode=25, versionName=7.1.1; versionCode=23, versionName=6.0.1) that exports an interface to any app co-located on the device. Using the exported interface of the com.android.modem.service app, any app can enable and obtain certain log files (modem and logcat) without the appropriate corresponding access permissions. The modem logs contain the phone number and full text body of incoming and outgoing text messages in binary format. In addition, the modem log contains the phone numbers for both incoming and outgoing phone calls. The system-wide logcat logs (those obtained via the logcat binary) tend to contain sensitive user data. Third-party apps are prevented from directly reading the system-wide logcat logs. The capability to read from the system-wide logcat logs is only available to pre-installed system apps and platform apps. The modem log and/or logcat log, once activated, get written to external storage (SD card). An app aware of this vulnerability can enable the logs, parse them for relevant data, and exfiltrate them from the device. The modem log and logcat log are inactive by default, but a third-party app with no permissions can activate them, although the app will need to be granted the READ_EXTERNAL_STORAGE permission to access them.

zte — zmax_champ_android_device
CVE-2018-15006 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC, MISC
The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.

zte — zmax_champ_android_device
CVE-2018-15005 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: MISC, MISC
The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.zte.zdm.sdm (versionCode=31, versionName=V5.0.3) that contains an exported broadcast receiver app component named com.zte.zdm.VdmcBroadcastReceiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves, with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app.

zte — zxv10_b860av2.1_chinamobile
CVE-2018-7366 | Published: 2018-12-28 | CVSS: not yet calculated | Sources: CONFIRM
ZTE ZXV10 B860AV2.1 product ChinaMobile branch with the ICNT versions up to V1.3.3, the BESTV versions up to V1.2.2, the WASU versions up to V1.1.7 and the MGTV versions up to V1.4.6 have an authentication bypass vulnerability, which may allow an unauthorized user to perform unauthorized operations.