Weekly Vulnerabilities Reports > May 15 to 21, 2017

An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimosa Backhaul Radios before 2.2.4.

An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3.

In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.

In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.

In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.

login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed.

The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.

A Command Injection issue was discovered in Satel Iberia SenNet Data Logger and Electricity Meters: SenNet Optimal DataLogger V5.37c-1.43c and prior, SenNet Solar Datalogger V5.03-1.56a and prior, and SenNet Multitask Meter V5.21a-1.18b and prior.

In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess.

In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure to use of a CSRF token and perform referer header checks, aka bugs 100885 and 100899.

Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc.

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications.

INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.

In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

There is a debug-interface vulnerability on some Tenda routers (FH1202/F1202/F1200: versions before 1.2.0.20).

Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request.

An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions.

The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.

A vulnerability in a script file that is installed as part of the Cisco Policy Suite (CPS) Software distribution for the CPS appliance could allow an authenticated, local attacker to escalate their privilege level to root.

readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large for type unsigned long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.

readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue.

smb4k before 2.0.1 allows local users to gain root privileges by leveraging failure to verify arguments to the mount helper DBUS service.

KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.

A boundary error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to cause a memory corruption via e.g.

In TrustZone access control policy may potentially be bypassed in all Android releases from CAF using the Linux kernel due to improper input validation an integer overflow vulnerability leading to a buffer overflow could potentially occur and a buffer over-read vulnerability could potentially occur.

In QSEE in all Android releases from CAF using the Linux kernel access control may potentially be bypassed due to a page alignment issue.

If shared content protection memory were passed as the secure camera memory buffer by the HLOS to a trusted application (TA) in all Android releases from CAF using the Linux kernel, the TA would not detect an issue and it would be treated as secure memory.

In TrustZone a cryptographic issue can potentially occur in all Android releases from CAF using the Linux kernel.

In TrustZone an out-of-range pointer offset vulnerability can potentially occur in a DRM routine in all Android releases from CAF using the Linux kernel.

In TrustZone an untrusted pointer dereference vulnerability can potentially occur in a DRM routine in all Android releases from CAF using the Linux kernel.

In TrustZone a buffer overflow vulnerability can potentially occur in all Android releases from CAF using the Linux kernel while loading an ELF file.

In TrustZone an integer overflow vulnerability can potentially occur in all Android releases from CAF using the Linux kernel.

In TrustZone an integer overflow vulnerability can potentially occur in all Android releases from CAF using the Linux kernel.

In TrustZone a buffer overflow vulnerability can potentially occur in a DRM routine in all Android releases from CAF using the Linux kernel.

In TrustZone an integer overflow vulnerability leading to a buffer overflow could potentially occur in a DRM routine in all Android releases from CAF using the Linux kernel.

A PKCS#1 v1.5 signature verification routine in all Android releases from CAF using the Linux kernel may not check padding.

Due to missing input validation in all Android releases from CAF using the Linux kernel, HLOS can write to fuses for which it should not have access.

In TrustZone, an integer overflow vulnerability can potentially occur in all Android releases from CAF using the Linux kernel due to an improper address range computation.

A buffer overflow vulnerability in all Android releases from CAF using the Linux kernel can potentially occur if an OEM performs an app region size customization due to a hard-coded value.

Buffer overflow in Larson VizEx Reader 9.7.5 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .tif file.

Buffer overflow in Halliburton LogView Pro 10.0.1 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .tif file.

An issue was discovered on Mimosa Client Radios before 2.2.3.

An information-leakage issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3.

A hard-coded credentials issue was discovered on Mimosa Client Radios before 2.2.3, Mimosa Backhaul Radios before 2.2.3, and Mimosa Access Points before 2.2.3.

An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3.

jasypt before 1.9.2 allows a timing attack against the password hash comparison.

Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.

ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users.

/admin/loginc.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha']['code']) == 1, which leads to CAPTCHA bypass by emptying $_POST['captcha'].

reg.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha']['code'])==1, which makes it possible to bypass the CAPTCHA via an empty $_POST['captcha'].

A Resource Exhaustion issue was discovered in Phoenix Contact GmbH mGuard firmware versions 8.3.0 to 8.4.2.

A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior.

A vulnerability in the web framework of the Cisco TelePresence IX5000 Series could allow an unauthenticated, remote attacker to access arbitrary files on an affected device.

A vulnerability in the web interface of Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to access sensitive data.

In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow.

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801.

A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.

The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a directory traversal attack that bypasses a uniqid protection mechanism, and makes it easier to read arbitrary uploaded files.

The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value.

Cisco Sourcefire Snort 3.0 before build 233 has a Buffer Overread related to use of a decoder array.

Cisco Sourcefire Snort 3.0 before build 233 mishandles Ether Type Validation.

A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings.

A vulnerability in the Event Management Service daemon (emsd) of Cisco IOS XR routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.

A vulnerability in the Plug-and-Play (PnP) subsystem of the Cisco Aironet 1800, 2800, and 3800 Series Access Points running a Lightweight Access Point (AP) or Mobility Express image could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges.

A vulnerability in the ICMP ingress packet processing of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an unauthenticated, remote attacker to cause the TelePresence endpoint to reload unexpectedly, resulting in a denial of service (DoS) condition.

OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet.

The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication.

Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default password of mateidu for the mateidu account (a hidden user account established by the vendor).

winpm-32.exe in Pegasus Mail (aka Pmail) v4.72 build 572 allows code execution via a crafted ssgp.dll file that must be installed locally.

An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA.

A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session.

EMC Isilon OneFS 8.0.1.0, OneFS 8.0.0.0 - 8.0.0.2, OneFS 7.2.1.0 - 7.2.1.3, and OneFS 7.2.0.x is affected by an NFS export vulnerability.

A DLL Hijack issue was discovered in Rockwell Automation Connected Components Workbench (CCW).

In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.

A time-of-check time-of-use race condition could potentially exist in the secure file system in all Android releases from CAF using the Linux kernel.

In TrustZone a time-of-check time-of-use race condition could potentially exist in a listener routine in all Android releases from CAF using the Linux kernel.

In TrustZone a time-of-check time-of-use race condition could potentially exist in a QFPROM routine in all Android releases from CAF using the Linux kernel.

In TrustZone a time-of-check time-of-use race condition could potentially exist in an authentication routine in all Android releases from CAF using the Linux kernel.

An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior.

In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.

In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.

In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.

In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.

MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI.

The lzw_add_to_dict function in imagew-gif.c in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted image.

The my_skip_input_data_fn function in imagew-jpeg.c in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted image.

poppler 0.54.0, as used in Evince and other products, has a NULL pointer dereference in the JPXStream::readUByte function in JPXStream.cc.

An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe 4.0.2 and earlier allows a remote authenticated attacker to download arbitrary files from the server by submitting a specially crafted request to the viewFile endpoint.

Privilege Escalation vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view confidential information via modification of the HTTP request.

Heap buffer overflow in vshttpd (aka ioos) in HooToo Trip Mate 6 (TM6) firmware 2.000.030 and earlier allows remote unauthenticated attackers to control the program counter via a specially crafted HTTP Cookie header.

IBM QRadar 7.2 and 7.3 stores user credentials in plain in clear text which can be read by an authenticated user.

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host.

In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.

After logging into the portal, the logout jsp page redirects the browser back to the login page after.

Two CalendarXP products have XSS in common parts of HTML files.

In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the database_type parameter.

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.

Embedding Script (XSS) in HTTP Headers vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to get session/cookie information via modification of the HTTP request.

Open redirect vulnerability in the proxyimages function in wowproxy.php in the Wow Moodboard Lite plugin 1.1.1.1 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

Cross-site scripting (XSS) vulnerability in phpwhois 4.2.5, as used in the adsense-click-fraud-monitoring plugin 1.7.5 for WordPress, allows remote attackers to inject arbitrary web script or HTML via the query parameter to whois.php.

The Google I/O 2017 application before 5.1.4 for Android downloads multiple .json files from http://storage.googleapis.com without SSL, which makes it easier for man-in-the-middle attackers to spoof Feed and Schedule data by creating a modified blocks_v4.json file.

The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The YottaMark ShopWell - Healthy Diet & Grocery Food Scanner app 5.3.7 through 5.4.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The Interval International app 3.3 through 3.5.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The Zipongo - Healthy Recipes and Grocery Deals app before 6.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The Warner Bros.

The Radio Javan app 9.3.4 through 9.6.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The Life Before Us Yo app 2.5.8 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The MoboTap Dolphin Web Browser - Fast Private Internet Search app 9.23.0 through 9.23.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The Quest Information Systems Indiana Voters app 1.1.24 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a "module reference and kernel daemon" leak.

The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.

GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.

GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.

GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.

GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.

perltidy through 20160302, as used by perlcritic, check-all-the-things, and other software, relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism, which allows local users to overwrite arbitrary files by creating a symlink, as demonstrated by creating a perltidy.ERR symlink that the victim cannot delete.

In TrustZone an information exposure vulnerability can potentially occur in all Android releases from CAF using the Linux kernel.

fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write system calls, and reading this file.

PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (application unavailability).

EMC RSA Adaptive Authentication (On-Premise) versions prior to 7.3 P2 (exclusive) contains a fix for a cross-site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.

In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.

INFOR EAM V11.0 Build 201410 has XSS via comment fields.

User Name Disclosure in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to view user information via the appliance web interface.

Web Server method disclosure in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to exploit and find another hole via HTTP response header.

Banner Disclosure in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to obtain product information via HTTP response header.

In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.

Dropbear before 2017.75 might allow local users to read certain files as root, if the file has the authorized_keys file format with a command= option.

In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request.

Facebook WhatsApp Messenger before 2.16.323 for Android uses the SD card for cleartext storage of files (Audio, Documents, Images, Video, and Voice Notes) associated with a chat, even after that chat is deleted.

Clickjacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to inject arbitrary web script or HTML via HTTP response header.

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.

IBM Jazz Foundation could allow an authenticated user to obtain sensitive information from stack traces.

In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

An Improper Authentication issue was discovered in Phoenix Contact GmbH mGuard firmware versions 8.3.0 to 8.4.2.

There is a stack-based buffer overflow on some Tenda routers (FH1202/F1202/F1200: versions before 1.2.0.20).

Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability).

IBM Distributed Marketing 8.6, 9.0, and 10.0 could allow a privileged authenticated user to create an instance that gets created with security profile not valid for the templates, that results in the new instance not accessible for the intended user.