The Patriot Files Forums > Military News > Cyber Warfare
Posted by The Patriot (Senior Member), 10-13-2017, 02:23 PM

SB17-282: Vulnerability Summary for the Week of October 2, 2017

10-08-2017 10:20 PM

Original release date: October 09, 2017
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are identified by CVE (the Common Vulnerabilities and Exposures naming standard) and are organized by severity, as determined by the Common Vulnerability Scoring System (CVSS). The High, Medium, and Low severity bands correspond to the following CVSS base scores:
  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Each entry lists: Primary Vendor -- Product; Description; Published; CVSS Score; CVE; Source & Patch Info.

ersdata -- ers_data_system
  ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.
  Published: 2017-09-29 | CVSS: 7.5 | CVE-2017-14702 | Sources: MISC, EXPLOIT-DB

gnu -- binutils
  Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
  Published: 2017-09-29 | CVSS: 7.1 | CVE-2017-14930 | Sources: CONFIRM

hp -- application_performance_management
  A potential security vulnerability has been identified in HPE Application Performance Management (BSM) Platform versions 9.26, 9.30, 9.40. The vulnerability could be remotely exploited to allow code execution.
  Published: 2017-09-29 | CVSS: 10.0 | CVE-2017-14350 | Sources: BID, MISC, CONFIRM

hp -- bsm_platform_application_performance_management_system_health
  A directory traversal vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows users to upload unrestricted files.
  Published: 2017-09-29 | CVSS: 9.0 | CVE-2017-13982 | Sources: MISC, CONFIRM, AUSCERT

hp -- bsm_platform_application_performance_management_system_health
  An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to bypass authentication.
  Published: 2017-09-29 | CVSS: 10.0 | CVE-2017-13983 | Sources: MISC, CONFIRM, AUSCERT

hp -- ucmdb_configuration_manager
  A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.23. These vulnerabilities could be remotely exploited to allow code execution.
  Published: 2017-09-29 | CVSS: 7.5 | CVE-2017-14351 | Sources: CONFIRM
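The HPE System Health entry above (CVE-2017-13982) combines a directory traversal with an unrestricted upload, and the same two defects recur further down the bulletin (the other System Health entries, PivotX, PhpCollab, LOYTEC LVIS-3ME, and the SolarWinds entry, where the traversal check itself is what breaks). The following is an added example, not code from any of those products: a path-containment check and an upload-name check written so that a rejected request changes no state. The allowlists, directory layout and sample paths are constructed for illustration.

```python
# Added example (not HPE, PivotX, PhpCollab or SolarWinds code): path
# containment plus upload-name validation. Allowlists below are constructed.
import os
import posixpath
import tempfile

# Constructed allowlist; a real service lists only what it must serve.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
# Extensions a web server or application may execute or interpret. Some
# handler configurations match these anywhere in the name, so "x.php.png"
# must count as executable too.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx",
                  ".cgi", ".pl", ".py", ".sh"}


class PathRejected(ValueError):
    """A user-supplied path or filename failed validation."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and prove the result stays inside.

    Rejects NUL bytes, absolute paths and '..' escapes before touching the
    filesystem, then re-checks after realpath() so symlinks cannot escape.
    """
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    # Treat backslashes as separators: a Windows-style "..\\.." must not
    # slip past a check that only knows about "/".
    norm = posixpath.normpath(user_path.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise PathRejected(f"path escapes base: {user_path!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, norm))
    # commonpath, not a string-prefix test: "/srv/data" is a prefix of
    # "/srv/data2" but does not contain it.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathRejected(f"path escapes base: {user_path!r}")
    return candidate


def validate_upload_name(filename: str) -> str:
    """Return a safe basename for an uploaded file, or raise PathRejected.

    Drops any directory part the client sent, refuses hidden files and any
    executable extension anywhere in the name, and requires the final
    extension to be on the allowlist.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or "\x00" in name:
        raise PathRejected(f"bad filename: {filename!r}")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise PathRejected(f"no extension: {filename!r}")
    if {"." + p for p in parts[1:]} & EXECUTABLE_EXT:
        raise PathRejected(f"executable extension in {filename!r}")
    if "." + parts[-1] not in ALLOWED_UPLOAD_EXT:
        raise PathRejected(f"extension not allowed: {filename!r}")
    return name


def classify_paths(base_dir: str, candidates) -> dict:
    """Return {candidate: 'ok' | 'rejected'}; validation persists nothing."""
    result = {}
    for p in candidates:
        try:
            safe_join(base_dir, p)
            result[p] = "ok"
        except PathRejected:
            result[p] = "rejected"
    return result


def classify_names(candidates) -> dict:
    """Return {candidate: accepted basename or None}."""
    result = {}
    for n in candidates:
        try:
            result[n] = validate_upload_name(n)
        except PathRejected:
            result[n] = None
    return result


def demo():
    """Exercise both checks on constructed inputs inside a temporary tree."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "logos"))
        with open(os.path.join(base, "logos", "a.png"), "wb"):
            pass
        paths = classify_paths(base, [
            "logos/a.png",            # normal
            "logos/../logos/a.png",   # harmless '..' that stays inside
            "../etc/passwd",          # classic escape
            "/etc/passwd",            # absolute path
            "logos/..\\..\\win.ini",  # backslash variant
            "logos/a\x00.png",        # NUL truncation trick
        ])
    names = classify_names(["photo.jpg", "shell.php", "shell.php.png",
                            "../../x.png", ".htaccess", "report.PDF"])
    return paths, names


if __name__ == "__main__":
    for table in demo():
        for k, v in table.items():
            print(f"{k!r:28} -> {v}")
```

The order of checks matters: everything here is a pure function of the input, so a hostile path is refused before any file is opened or any error state is saved, which is exactly the property the SolarWinds entry shows being violated.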
Medium Vulnerabilities

apache -- geode
  When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.
  Published: 2017-09-29 | CVSS: 4.0 | CVE-2017-9794 | Sources: MLIST

artifex -- gsview
  Artifex GSView 6.0 Beta on Windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .pdf file, related to "Possible Stack Corruption starting at KERNELBASE!RaiseException+0x0000000000000068."
  Published: 2017-09-29 | CVSS: 6.8 | CVE-2017-14945 | Sources: CONFIRM

artifex -- gsview
  Artifex GSView 6.0 Beta on Windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .pdf file, related to "Data from Faulting Address controls Branch Selection starting at mupdfnet64!mIncrementalSaveFile+0x000000000000344e."
  Published: 2017-09-29 | CVSS: 6.8 | CVE-2017-14946 | Sources: CONFIRM

artifex -- gsview
  Artifex GSView 6.0 Beta on Windows allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "Read Access Violation on Block Data Move starting at mupdfnet64!mIncrementalSaveFile+0x0000000000193359."
  Published: 2017-09-29 | CVSS: 6.8 | CVE-2017-14947 | Sources: CONFIRM

blogotext_project -- blogotext
  Stored XSS vulnerability via a comment in inc/conv.php in BlogoText before 3.7.6 allows an unauthenticated attacker to inject JavaScript. If the victim is an administrator, an attacker can (for example) change global settings or create/delete posts. It is also possible to execute JavaScript against unauthenticated users of the blog.
  Published: 2017-10-01 | CVSS: 4.3 | CVE-2017-14957 | Sources: MISC, MISC, MISC, MISC

cfpaypal -- cp_contact_form_with_paypal
  The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php.
  Published: 2017-09-29 | CVSS: 6.8 | CVE-2015-9233 | Sources: MISC, MISC, MISC

cfpaypal -- cp_contact_form_with_paypal
  The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has SQL injection via the cp_contactformpp_id parameter to cp_contactformpp.php.
  Published: 2017-09-29 | CVSS: 6.5 | CVE-2015-9234 | Sources: MISC, MISC, MISC

check_mk_project -- check_mk
  Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
  Published: 2017-10-01 | CVSS: 4.3 | CVE-2017-14955 | Sources: CONFIRM, CONFIRM

egroupware -- egroupware
  Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14920 | Sources: MISC, MISC

freedesktop -- poppler
  In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Content::Content in Annot.cc via a crafted PDF document.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14926 | Sources: CONFIRM

freedesktop -- poppler
  In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutputDev::type3D0() function in SplashOutputDev.cc via a crafted PDF document.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14927 | Sources: CONFIRM

freedesktop -- poppler
  In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted PDF document.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14928 | Sources: CONFIRM

freedesktop -- poppler
  In Poppler 0.59.0, memory corruption occurs in a call to Object::dictLookup() in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill and Gfx::drawForm calls (aka a Gfx.cc infinite loop), a different vulnerability than CVE-2017-14519.
  Published: 2017-09-29 | CVSS: 5.0 | CVE-2017-14929 | Sources: CONFIRM

freedesktop -- poppler
  The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability because a data structure is not initialized, which allows an attacker to launch a denial of service attack.
  Published: 2017-10-01 | CVSS: 5.0 | CVE-2017-14975 | Sources: CONFIRM

freedesktop -- poppler
  The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a heap-based buffer over-read vulnerability if an out-of-bounds font dictionary index is encountered, which allows an attacker to launch a denial of service attack.
  Published: 2017-10-01 | CVSS: 5.0 | CVE-2017-14976 | Sources: CONFIRM, CONFIRM

freedesktop -- poppler
  The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability due to lack of validation of a table pointer, which allows an attacker to launch a denial of service attack.
  Published: 2017-10-01 | CVSS: 5.0 | CVE-2017-14977 | Sources: CONFIRM

gnu -- binutils
  decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14932 | Sources: CONFIRM, CONFIRM

gnu -- binutils
  read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14933 | Sources: CONFIRM, CONFIRM, CONFIRM

gnu -- binutils
  process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14934 | Sources: CONFIRM, CONFIRM

gnu -- binutils
  _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14938 | Sources: MISC, MISC, MISC

gnu -- binutils
  decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14939 | Sources: MISC, MISC, MISC

gnu -- binutils
  scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14940 | Sources: MISC, MISC, MISC

gnu -- binutils
  The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
  Published: 2017-10-01 | CVSS: 4.3 | CVE-2017-14974 | Sources: CONFIRM, CONFIRM

hp -- arcsight_enterprise_security_manager_express
  A reflected Cross-Site Scripting (XSS) vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows for unintended information when a specific URL is sent to the system.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-13986 | Sources: BID, CONFIRM

hp -- arcsight_enterprise_security_manager_express
  An insufficient access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows an unauthorized user to download log files.
  Published: 2017-09-29 | CVSS: 4.0 | CVE-2017-13987 | Sources: BID, CONFIRM

hp -- arcsight_enterprise_security_manager_express
  An improper access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows unauthorized users to alter the maximum size of storage groups and enable/disable the setting for the 'follow schedule' function.
  Published: 2017-09-29 | CVSS: 4.0 | CVE-2017-13988 | Sources: BID, CONFIRM

hp -- arcsight_enterprise_security_manager_express
  An improper access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows unauthorized users to retrieve or modify storage information.
  Published: 2017-09-29 | CVSS: 5.5 | CVE-2017-13989 | Sources: BID, CONFIRM

hp -- arcsight_enterprise_security_manager_express
  An information leakage vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows disclosure of the Apache Tomcat application server version.
  Published: 2017-09-29 | CVSS: 5.0 | CVE-2017-13990 | Sources: BID, CONFIRM

hp -- arcsight_enterprise_security_manager_express
  An information leakage vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows disclosure of product license features.
  Published: 2017-09-29 | CVSS: 5.0 | CVE-2017-13991 | Sources: BID, CONFIRM

hp -- bsm_platform_application_performance_management_system_health
  An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to delete arbitrary files via servlet directory traversal.
  Published: 2017-09-29 | CVSS: 5.5 | CVE-2017-13984 | Sources: MISC, CONFIRM, AUSCERT

hp -- bsm_platform_application_performance_management_system_health
  An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to traverse directories, leading to disclosure of information.
  Published: 2017-09-29 | CVSS: 4.0 | CVE-2017-13985 | Sources: MISC, CONFIRM, AUSCERT

hp -- ucmdb_configuration_manager
  A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.23. These vulnerabilities could be remotely exploited to allow cross-site scripting.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14352 | Sources: BID, CONFIRM

jaspersoft -- jasperreports
  Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure vulnerability, which allows a remote authenticated user to retrieve stored Data Source passwords by accessing flow.html and reading the HTML source code of the page reached in an Edit action for a Data Source connector.
  Published: 2017-10-01 | CVSS: 4.0 | CVE-2017-14941 | Sources: MISC

openexif_project -- openexif
  ExifImageFile::readDQT in ExifImageFileRead.cpp in OpenExif 2.1.4 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted JPEG file.
  Published: 2017-09-29 | CVSS: 4.3 | CVE-2017-14931 | Sources: MISC, MISC

openvswitch -- openvswitch
  In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages.
  Published: 2017-10-01 | CVSS: 5.0 | CVE-2017-14970 | Sources: CONFIRM, CONFIRM

pivotx -- pivotx
  lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file.
  Published: 2017-10-01 | CVSS: 6.5 | CVE-2017-14958 | Sources: CONFIRM

pulsesecure -- pulse_one_on-premise
  Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.
  Published: 2017-09-29 | CVSS: 5.0 | CVE-2017-14935 | Sources: CONFIRM

tiki -- tikiwiki_cms/groupware
  Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php.
  Published: 2017-09-29 | CVSS: 6.0 | CVE-2017-14924 | Sources: MISC, MISC, MISC

tiki -- tikiwiki_cms/groupware
  Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site.
  Published: 2017-09-29 | CVSS: 6.0 | CVE-2017-14925 | Sources: MISC, MISC, MISC
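The two Tiki entries (CVE-2017-14924, CVE-2017-14925) describe the classic shape of CSRF via an IMG element: the administrator merely views a wiki page, the browser fetches the image URL with the administrator's session cookie attached, and a handler that acts on any authenticated request performs the privileged action. The same class appears in the CP Contact Form entry above and in the NexusPHP and Metasploit entries below. The following is an added example, not Tiki's or any other listed project's code: a request handler in the vulnerable pattern next to one that refuses forged requests. The session store, parameter names, token handling and site origin are constructed for illustration; only the tiki-assignuser.php path comes from the bulletin.

```python
# Added example (not Tiki, NexusPHP or Metasploit code): a state-changing
# handler with and without a CSRF guard. Names and the session store are
# constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://wiki.example.org"  # assumed deployment origin


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query or form fields
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


SESSIONS = {}   # session id -> {"user": ..., "csrf": per-session token}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token a form rendered by our own pages carries."""
    return SESSIONS[sid]["csrf"]


def csrf_guard(req: Request):
    """Return (allowed, reason) for a request that is about to change state."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return False, "not logged in"
    # <img>, <link> and plain navigation can only produce GET requests, so a
    # state change over GET is forgeable by anyone who can place an image.
    if req.method != "POST":
        return False, "state change requires POST"
    # Origin/Referer is a cheap secondary check; the token below is primary.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src:
        u = urlsplit(src)
        if f"{u.scheme}://{u.netloc}" != SITE_ORIGIN:
            return False, "cross-origin request"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"


def assign_user_vulnerable(perms: dict, req: Request):
    """The pattern behind the Tiki entries: any authenticated request acts."""
    if SESSIONS.get(req.cookies.get("sid", "")) is None:
        return 403, "login required"
    perms.setdefault(req.params["user"], set()).add(req.params["group"])
    return 200, "assigned"


def assign_user_hardened(perms: dict, req: Request):
    allowed, why = csrf_guard(req)
    if not allowed:
        return 403, why
    perms.setdefault(req.params["user"], set()).add(req.params["group"])
    return 200, "assigned"


def demo() -> dict:
    """Replay one forged GET (what an <img> tag sends) and one genuine POST."""
    admin_sid = new_session("admin")
    # What the browser sends when the admin views a wiki page containing
    # <img src="/tiki-assignuser.php?user=mallory&group=Admins">: GET, no
    # token, same-origin Referer, and the admin's cookie attached for free.
    forged = Request("GET", "/tiki-assignuser.php",
                     params={"user": "mallory", "group": "Admins"},
                     headers={"Referer": SITE_ORIGIN + "/tiki-index.php"},
                     cookies={"sid": admin_sid})
    # The same action submitted from our own form.
    genuine = Request("POST", "/tiki-assignuser.php",
                      params={"user": "bob", "group": "Editors",
                              "csrf_token": csrf_token_for(admin_sid)},
                      headers={"Origin": SITE_ORIGIN},
                      cookies={"sid": admin_sid})
    vuln_perms, hard_perms = {}, {}
    return {
        "vulnerable_forged": assign_user_vulnerable(vuln_perms, forged)[0],
        "hardened_forged": assign_user_hardened(hard_perms, forged)[0],
        "hardened_genuine": assign_user_hardened(hard_perms, genuine)[0],
        "vuln_perms": vuln_perms,
        "hard_perms": hard_perms,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the forged request carries a same-origin Referer, because the administrator really was on the site when the image loaded; a Referer or Origin check alone would have passed it. The request fails on method and on the missing per-session token, which is why the token, not the header, is the primary defence.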
Low Vulnerabilities

linux -- linux_kernel
  The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.
  Published: 2017-10-01 | CVSS: 2.1 | CVE-2017-14954 | Sources: MISC, MISC, MISC, MISC, MISC

tine20 -- tine_2.0
  Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
  Published: 2017-09-29 | CVSS: 3.5 | CVE-2017-14921 | Sources: MISC, MISC, MISC, MISC, MISC

tine20 -- tine_2.0
  Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
  Published: 2017-09-29 | CVSS: 3.5 | CVE-2017-14922 | Sources: MISC, MISC, MISC, MISC, MISC

tine20 -- tine_2.0
  Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
  Published: 2017-09-29 | CVSS: 3.5 | CVE-2017-14923 | Sources: MISC, MISC, MISC, MISC, MISC
Severity Not Yet Assigned

akka -- akka
  Akka HTTP versions […]

[…] -- […]
  […] mmap_base. Unfortunately, load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary, which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the area that is supposed to be the "gap" between the stack and the binary.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-1000253 | Sources: BID, SECTRACK, MISC

linux -- kernel
  Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls, the append path can be switched from UFO to non-UFO, which leads to a memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-1000112 | Sources: MLIST, BID, SECTRACK

loytec -- lvis-3me
  An Insufficiently Protected Credentials issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not sufficiently protect sensitive information from unauthorized access.
  Published: 2017-10-05 | CVSS: not yet calculated | CVE-2017-13998 | Sources: BID, MISC

loytec -- lvis-3me
  An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution.
  Published: 2017-10-05 | CVSS: not yet calculated | CVE-2017-13992 | Sources: BID, MISC

loytec -- lvis-3me
  A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The web user interface fails to prevent access to critical files that non-administrative users should not have access to, which could allow an attacker to create or modify files or execute arbitrary code.
  Published: 2017-10-05 | CVSS: not yet calculated | CVE-2017-13996 | Sources: BID, MISC

mercurial -- mercurial
  Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-1000116 | Sources: BID, GENTOO, CONFIRM

mercurial -- mercurial
  Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-1000115 | Sources: BID, GENTOO, CONFIRM

myscada -- mypro
  An Unquoted Search Path issue was discovered in mySCADA myPRO Versions 7.0.26 and prior. Application services utilize unquoted search path elements, which could allow an attacker to execute arbitrary code with elevated privileges.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2017-12730 | Sources: BID, MISC

net/http -- net/http
  The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-1000098 | Sources: CONFIRM, CONFIRM, CONFIRM

nexusphp -- nexusphp
  Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-12792 | Sources: MISC

node.js -- node.js
  A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-15010 | Sources: BID, CONFIRM, CONFIRM, CONFIRM

ntdriver.c -- ntdriver.c
  The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, do not check the impersonation level of impersonation tokens, which allows local users to impersonate a user at SecurityIdentify level and gain access to other users' mounted encrypted volumes.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2015-7359 | Sources: MISC, MLIST, MLIST, MISC, CONFIRM

october -- cms
  October CMS build 412 is vulnerable to PHP code execution in the file upload functionality, resulting in site compromise and possibly compromise of other applications on the server.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-1000119 | Sources: CONFIRM

openexr -- openexr
  Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14988 | Sources: MISC

openkm -- openkm
  Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2014-8957 | Sources: MISC, BID, MISC

opentext_document -- sciences_xpression
  OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability: /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/. An unauthenticated user is able to read directory listings or system files, or cause SSRF or Denial of Service.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14759 | Sources: MISC, MISC

opentext_document -- sciences_xpression
  OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Cross-Site Scripting: /xAdmin/html/XPressoDoc, parameter: categoryId.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14755 | Sources: MISC, MISC

opentext_document -- sciences_xpression
  OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Arbitrary File Read: /xAdmin/html/cm_datasource_group_xsd.jsp, parameter: xsd_datasource_schema_file filename. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14754 | Sources: MISC, MISC

opentext_document -- sciences_xpression
  OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14757 | Sources: MISC, MISC, EXPLOIT-DB

opentext_document -- sciences_xpression
  OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14758 | Sources: MISC, MISC, EXPLOIT-DB

opentext_document -- sciences_xpression
  OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Cross-Site Scripting: /xAdmin/html/Deployment (cat_id).
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14756 | Sources: MISC, MISC

openvpn -- openvpn
  OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-12166 | Sources: BID, SECTRACK, MISC

philips -- hue_bridge
  Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network.
  Published: 2017-09-30 | CVSS: not yet calculated | CVE-2017-14797 | Sources: MISC

phpcollab -- phpcollab
  Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-6090 | Sources: MISC, EXPLOIT-DB

phpcollab -- phpcollab
  SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to calendar/deletecalendar.php.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-6089 | Sources: MISC, EXPLOIT-DB

pngcrush -- pngcrush
  Off-by-one error in the pngcrush_measure_idat function in pngcrush.c in pngcrush before 1.7.84 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2015-2158 | Sources: MLIST, BID, CONFIRM, CONFIRM

prtg -- network_monitor
  PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all sensor titles, related to incorrect error handling for a %00 in the SRC attribute of an IMG element.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-15008 | Sources: MISC

prtg -- network_monitor
  PRTG Network Monitor version 17.3.33.2830 is vulnerable to reflected Cross-Site Scripting on error.htm (the error page), via the errormsg parameter.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-15009 | Sources: MISC

qnap -- music_station
  QNAP discovered a number of command injection vulnerabilities found in Music Station versions 4.8.6 (for QTS 4.2.x), 5.0.7 (for QTS 4.3.x), and earlier. If exploited, these vulnerabilities may allow a remote attacker to run arbitrary commands on the NAS.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2017-13069 | Sources: CONFIRM

qnap -- qnap
  QNAP has already patched this vulnerability. This security concern allows a remote attacker to perform an SQL injection on the application and obtain Helpdesk application information. A remote attacker does not require any privileges to successfully execute this attack.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2017-13068 | Sources: MISC

qt -- qt
  The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-15011 | Sources: MISC, MISC

rapid7 -- metasploit
  The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2017-15084 | Sources: CONFIRM

redis -- redis
  The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by leveraging "limited access to the machine."
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2017-15047 | Sources: MISC

ruby -- ruby
  The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle attack.
  Published: 2017-10-06 | CVSS: not yet calculated | CVE-2015-1828 | Sources: CONFIRM, CONFIRM, CONFIRM

saia_burgess -- pcd_controllers
  An Information Exposure issue was discovered in Saia Burgess Controls PCD Controllers with PCD firmware versions prior to 1.28.16 or 1.24.69. In certain circumstances, the device pads Ethernet frames with memory contents.
  Published: 2017-10-04 | CVSS: not yet calculated | CVE-2017-9628 | Sources: BID, MISC

schneider_electric -- indusoft_web_studio
  A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-13997 | Sources: BID, MISC

sentinel -- ldk_rte
  Buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all versions ranging from HASP SRM 2.10 to Sentinel LDK 7.50, allows remote attackers to shut down the remote process (a denial of service) via a language pack (ZIP file) with invalid HTML files.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-11498 | Sources: MISC, MISC

sentinel -- ldk_rte
  Arbitrary memory read from a controlled memory pointer in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-12820 | Sources: MISC

sentinel -- ldk_rte
  Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all versions ranging from HASP SRM 2.10 to Sentinel LDK 7.50, allows remote attackers to execute arbitrary code via malformed ASN.1 streams in V2C and similar input files.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-11496 | Sources: MISC, MISC

sentinel -- ldk_rte
  Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all versions ranging from HASP SRM 2.10 to Sentinel LDK 7.50, allows remote attackers to execute arbitrary code via language packs containing filenames longer than 1024 characters.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-11497 | Sources: MISC, MISC

sentinel -- ldk_rte
  Memory corruption in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 might cause remote code execution.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-12821 | Sources: MISC

sentinel -- ldk_rte
  Remote enabling and disabling of the admin interface in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to new attack vectors.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-12822 | Sources: MISC

sentinel -- ldk_rte
  Remote manipulations with the language pack updater lead to an NTLM-relay attack for the system user in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-12819 | Sources: MISC

sentinel -- ldk_rte
  Stack overflow in the custom XML parser in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service.
  Published: 2017-10-03 | CVSS: not yet calculated | CVE-2017-12818 | Sources: MISC

skybox -- manager_client_application
  Skybox Manager Client Application is prone to information disclosure via a username enumeration attack. A local unauthenticated attacker could exploit the flaw to obtain valid usernames, by analyzing error messages upon valid and invalid account login attempts.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14772 | Sources: BID, CONFIRM

skybox_security -- skybox_manager_client_application
  Skybox Manager Client Application prior to 8.5.501 is prone to an arbitrary file upload vulnerability due to insufficient input validation of the user-supplied file path when uploading files via the application. During a debugger-pause state, a local authenticated attacker can upload an arbitrary file and overwrite existing files within the scope of the affected application.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14771 | Sources: BID, CONFIRM

skybox_security -- skybox_manager_client_application
  Skybox Manager Client Application prior to 8.5.501 is prone to an information disclosure vulnerability of user password hashes. A local authenticated attacker can access the password hashes in a debugger-pause state during the authentication process.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14770 | Sources: BID, CONFIRM

skybox_security -- skybox_manager_client_application
  Skybox Manager Client Application prior to 8.5.501 is prone to an elevation of privileges vulnerability during authentication of a valid user in a debugger-pause state. The vulnerability can only be exploited by a local authenticated attacker.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-14773 | Sources: BID, CONFIRM

smarterstats -- smarterstats
  SmarterStats version 11.3.6347 renders the Referer field of HTTP log files at the URL /Data/Reports/ReferringURLsWithQueries, resulting in stored cross-site scripting.
  Published: 2017-09-29 | CVSS: not yet calculated | CVE-2017-14620 | Sources: MISC, EXPLOIT-DB

solarwinds -- network_performance_monitor
  The 'Upload logo from external path' function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to cause a denial of service (permanent display of a "Cannot exit above the top directory" error message throughout the entire web application) via a ".." in the path field. In other words, the denial of service is caused by an incorrect implementation of a directory-traversal protection mechanism.
  Published: 2017-10-02 | CVSS: not yet calculated | CVE-2017-9538
BUGTRAQ
BIDsolarwinds -- network_performance_monitor
*Persistent cross-site scripting (XSS) in the Add Node function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to introduce arbitrary JavaScript into various vulnerable parameters.2017-10-02not yet calculatedCVE-2017-9537
BUGTRAQ
BIDspidercontrol -- scada_web_server
*An Improper Privilege Management issue was discovered in SpiderControl SCADA Web Server Version 2.02.0007 and prior. Authenticated, non-administrative local users are able to alter service executables with escalated privileges, which could allow an attacker to execute arbitrary code under the context of the current system services.2017-10-04not yet calculatedCVE-2017-12728
BID
MISCstatic_analysis_utilities -- static_analysis_utilities
*The custom Details view of the Static Analysis Utilities based DRY Plugin, was vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.2017-10-04not yet calculatedCVE-2017-1000103
BID
CONFIRMsubrion -- cms
*There are CSRF vulnerabilities in Subrion CMS before 4.2.0 because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.2017-10-06not yet calculatedCVE-2017-15063
MISCtexlive -- texlive
*The pre-install script in texlive 3.1.20140525_r34255.fc21 as packaged in Fedora 21 and rpm, and texlive 6.20131226_r32488.fc20 and rpm allows local users to delete arbitrary files via a crafted file in the user's home directory.2017-10-06not yet calculatedCVE-2015-0296
FEDORA
FEDORA
MLIST
BID
CONFIRMtrend_micro -- officescan
*Pre-authorization Start Remote Process vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to start the fcgiOfcDDA.exe executable or cause a potential INI corruption, which may cause the server disk space to be consumed with dump files from continuous HTTP requests.2017-10-05not yet calculatedCVE-2017-14086
MISC
BID
SECTRACK
CONFIRM
EXPLOIT-DBtrend_micro -- officescan
*An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated users who can access the OfficeScan server to target cgiShowClientAdm.exe and cause memory corruption issues.2017-10-05not yet calculatedCVE-2017-14089
MISC
BID
SECTRACK
CONFIRM
EXPLOIT-DBtrend_micro -- officescan
*A potential Man-in-the-Middle (MitM) attack vulnerability in Trend Micro OfficeScan 11.0 and XG may allow attackers to execute arbitrary code on vulnerable installations.2017-10-05not yet calculatedCVE-2017-14084
MISC
BID
SECTRACK
CONFIRM
EXPLOIT-DBtrend_micro -- officescan
*A Host Header Injection vulnerability in Trend Micro OfficeScan XG (12.0) may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.2017-10-05not yet calculatedCVE-2017-14087
MISC
BID
SECTRACK
CONFIRM
EXPLOIT-DBtrend_micro -- officescan
*A vulnerability in Trend Micro OfficeScan 11.0 and XG allows remote unauthenticated users who can access the system to download the OfficeScan encryption file.2017-10-05not yet calculatedCVE-2017-14083
MISC
BID
SECTRACK
CONFIRM
EXPLOIT-DBtrend_micro -- officescan
*Memory Corruption Privilege Escalation vulnerabilities in Trend Micro OfficeScan 11.0 and XG allows local attackers to execute arbitrary code and escalate privileges to resources normally reserved for the kernel on vulnerable installations by exploiting tmwfp.sys. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability.2017-10-05not yet calculatedCVE-2017-14088
BID
SECTRACK
MISC
MISC
CONFIRMtrend_micro -- officescan
*Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to query the network's NT domain or the PHP version and modules.2017-10-05not yet calculatedCVE-2017-14085
MISC
BID
SECTRACK
CONFIRM
EXPLOIT-DBtruecrypt -- truecrypt
*The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which allows local users to mount an encrypted volume over an existing drive letter and gain privileges via an entry in the /GLOBAL?? directory.2017-10-02not yet calculatedCVE-2015-7358
MISC
MLIST
MLIST
MISC
CONFIRM
EXPLOIT-DBucopia -- wireless_appliance
*The chroothole_client executable in UCOPIA Wireless Appliance before 5.1.8 allows remote attackers to gain root privileges via a dollar sign ($) metacharacter in the argument to chroothole_client.2017-10-02not yet calculatedCVE-2017-11322
MISC
EXPLOIT-DBucopia -- wireless_appliance
*The restricted shell interface in UCOPIA Wireless Appliance before 5.1.8 allows remote authenticated users to gain 'admin' privileges via shell metacharacters in the less command.2017-10-02not yet calculatedCVE-2017-11321
MISC
EXPLOIT-DBupx -- upx
*p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by an Invalid Pointer Read in PackLinuxElf64::unpack().2017-10-06not yet calculatedCVE-2017-15056
MISCwordpress -- wordpress

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).2017-10-02not yet calculatedCVE-2017-14990
MISCwordpress -- wordpress
*Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gallery_album_sorting page to wp-admin/admin.php.2017-10-06not yet calculatedCVE-2014-8758
MISC
MISCwordpress -- wordpress
*Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter.2017-10-06not yet calculatedCVE-2014-8492
MISC
MISCwordpress -- wordpress
*Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solution plugin before 1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value parameter in a master_response action to wp-admin/admin-ajax.php.2017-10-06not yet calculatedCVE-2014-7240
MISC
MISCwordpress -- wordpress
*The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for Wordpress allows remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.2017-10-06not yet calculatedCVE-2015-2673
MISCwordpress -- wordpress
*WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.2017-10-02not yet calculatedCVE-2017-14848
EXPLOIT-DBwordpress -- wordpress
*The Smush Image Compression and Optimization plugin before 2.7.6 for WordPress allows directory traversal.2017-10-06not yet calculatedCVE-2017-15079
CONFIRM
CONFIRMwordpress -- wordpress
*Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) theme 2.3.0 before 2.7.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via a fragment identifier, as demonstrated by #.2017-10-02not yet calculatedCVE-2015-7357
MISC
FULLDISC
CONFIRM
MISCwso2 -- wso2
*The Management Console in WSO2 Application Server 5.3.0, WSO2 Business Process Server 3.6.0, WSO2 Business Rules Server 2.2.0, WSO2 Complex Event Processor 4.2.0, WSO2 Dashboard Server 2.0.0, WSO2 Data Analytics Server 3.1.0, WSO2 Data Services Server 3.5.1, and WSO2 Machine Learner 1.2.0 is affected by stored XSS.2017-10-03not yet calculatedCVE-2017-14995
CONFIRMzoho_site24x7 -- mobile_network_poller
*The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate.2017-09-29not yet calculatedCVE-2017-14582
BID
MISC*loytec -- lvis-3me
*A Cross-site Scripting issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The web interface lacks proper web request validation, which could allow XSS attacks to occur if an authenticated user of the web interface is tricked into clicking a malicious link.2017-10-05not yet calculatedCVE-2017-13994
BID
MISCBack to top