Weekly Vulnerabilities Reports > May 28 to June 3, 2018

An issue was discovered in CmsEasy 6.1_20180508.

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 6 of 6).

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 5 of 6).

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 4 of 6).

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 3 of 6).

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 2 of 6).

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 1 of 6).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 46 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 45 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 44 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 43 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 41 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 40 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 39 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 38 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 37 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 36 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 35 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 34 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 33 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 32 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 31 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 30 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 29 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 28 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 26 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 25 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 24 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 23 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 22 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 20 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 19 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 18 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 17 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 16 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 15 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 14 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 13 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 12 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 11 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 10 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 8 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 7 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 6 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 5 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 4 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 3 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 2 of 46).

servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass.

An issue was discovered in GreenCMS v2.3.0603.

An issue was discovered in GreenCMS v2.3.0603.

The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation.

The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation.

The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a privilege escalation vulnerability.

express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models.

Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests.

The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system.

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands.

In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.

In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file allows attackers to cause a heap-based buffer over-read via a crafted file.

In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows attackers to cause a use after free via a crafted file.

Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Execution via the system restore function.

Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c.

ClipperCMS 1.3.3 allows Session Fixation.

TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters.

An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices.

An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices.

Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.

The mobi_decompress_lz77 function in compression.c in Libmobi 0.3 allows remote attackers to cause remote code execution (heap-based buffer overflow) via a crafted mobi file.

An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field.

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, under certain conditions, may leak LDAP password in plain-text into the RecoverPoint log file.

An issue was discovered in CScms v4.1.

The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.

PHP Scripts Mall Naukri Clone Script through 3.0.3 allows Unrestricted Upload of a File with a Dangerous Type in edit_resume_det.php, as demonstrated by changing .docx to .php.

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url.

i18n-node-angular is a module used to interact between i18n and angular without using additional resources.

scala-standalone-bin is a Binary wrapper for ScalaJS.

dwebp-bin is a dwebp node.js wrapper that convert WebP into PNG.

apk-parser2 is a module which extracts Android Manifest info from an APK file.

jvminstall is a module for downloading and unpacking jvm to local system.

nw-with-arm is a NW Installer including ARM-Build.

selenium-wrapper is a selenium server wrapper, including installation and chrome webdriver.

mystem3 is a NodeJS wrapper for the Yandex MyStem 3.

headless-browser-lite is a minimal npm installer for phantomjs and slimerjs with no external dependencies.

selenium-chromedriver is a simple utility for downloading the Selenium Webdriver for Google Chrome selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

macaca-chromedriver-zxa is a Node.js wrapper for the selenium chromedriver.

nodeschnaps is a NodeJS compatibility layer for Java (Rhino).

fibjs is a runtime for javascript applictions built on google v8 JS.

atom-node-module-installer installs node modules for atom-shell applications.

pennyworth is a natural language templating engine.

node-browser is a wrapper webdriver by nodejs.

box2d-native downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

openframe-image is an Openframe extension which adds support for images via fbi.

curses is bindings for the native curses library, a full featured console IO library.

httpsync is a port of libcurl to node.js.

dalek-browser-ie-canary is Internet Explorer bindings for DalekJS.

unicode-json is a unicode lookup table.

chromedriver126 is chromedriver version 1.26 for linux OS.

openframe-glsviewer is a Openframe extension which adds support for shaders via glslViewer.

grunt-webdriver-qunit is a grunt plugin to run qunit with webdriver in grunt grunt-webdriver-qunit downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

dalek-browser-ie is Internet Explorer bindings for DalekJS.

dalek-browser-chrome is Google Chrome bindings for DalekJS.

air-sdk is a NPM wrapper for the Adobe AIR SDK.

haxe is a cross-platform toolkit haxe downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks.

webrtc-native uses WebRTC from chromium project.

sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar program for establishing a secure tunnel for intranet testing.

imageoptim is a Node.js wrapper for some images compression algorithms.

jdf-sass is a fork from node-sass, jdf use only.

ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net.

jser-stat is a JSer.info stat library.

nw is an installer for nw.js.

wasdk is a toolkit for creating WebAssembly modules.

libxl provides Node bindings for the libxl library for reading and writing excel (XLS and XLSX) spreadsheets.

closure-utils is Utilities for Closure Library based projects.

closurecompiler is a Closure Compiler for node.js.

Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity.

nodewebkit is an installer for node-webkit.

Chromedriver is an NPM wrapper for selenium ChromeDriver.

Fuseki server wrapper and management API in fuseki before 1.0.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

Kindlegen is a simple Node.js wrapper of the official kindlegen program.

apk-parser3 is a module to extract Android Manifest info from an APK file.

mongodb-instance before 0.0.3 installs mongodb locally.

bkjs-wand is imagemagick wand support for node.js and backendjs bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves it vulnerable to MITM attacks.

embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags.

operadriver is a Opera Driver for Selenium.

apk-parser is a tool to extract Android Manifest info from an APK file.

During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP.

iedriver is an NPM wrapper for Selenium IEDriver.

galenframework-cli is the node wrapper for the Galen Framework.

appium-chromedriver is a Node.js wrapper around Chromedriver.

A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP.

windows-build-tools is a module for installing C++ Build Tools for Windows using npm.

mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

massif is a Phantomjs fork massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks.

selenium-standalone-painful installs a start-selenium command line to start a standalone selenium server with chrome-driver.

limbus-buildgen is a "build anywhere" build system.

tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

poco - The POCO libraries, downloads source file resources used for compilation over HTTP, which leaves it vulnerable to MITM attacks.

native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

ntfserver is a Network Testing Framework Server.

broccoli-closure is a Closure compiler plugin for Broccoli.

scala-bin is a binary wrapper for Scala.

strider-sauce is Sauce Labs / Selenium support for Strider.

webdrvr is a npm wrapper for Selenium Webdriver including Chromedriver / IEDriver / IOSDriver / Ghostdriver.

ibapi is an Interactive Brokers API addon for NodeJS.

Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML via prince(1) CLI.

cue-sdk-node is a Corsair Cue SDK wrapper for node.js.

selenium-binaries downloads Selenium related binaries for your OS.

macaca-chromedriver is a Node.js wrapper for the selenium chromedriver.

dalek-browser-chrome-canary provides Google Chrome bindings for DalekJS.

unicode loads unicode data downloaded from unicode.org into nodejs.

ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix.

baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows.

pngcrush-installer is an installer for Pngcrush.

geoip-lite-country is a stripped down version of geoip-lite, supporting only country lookup.

product-monitor is a HTML/JavaScript template for monitoring a product by encouraging product developers to gather all the information about the status of a product, including live monitoring, statistics, endpoints, and test results into one place.

install-nw is a module which quickly and robustly installs and caches NW.js.

selenium-download downloads the latest versions of the selenium standalone server and the chromedriver.

aerospike is an Aerospike add-on module for Node.js.

AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Escalation of Privileges with a user crafted input file via a Buffer Overflow during syntax parsing, because strncat is misused.

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows local attacks involving the USB or OBD-II interface.

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in.

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in.

tificc in Little CMS 2.9 has an out-of-bounds write in the cmsPipelineCheckAndRetreiveStages function in cmslut.c in liblcms2.a via a crafted TIFF file.

tificc in Little CMS 2.9 has an out-of-bounds write in the PrecalculatedXFORM function in cmsxform.c in liblcms2.a via a crafted TIFF file.

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.

VMware Horizon Client for Linux (4.x before 4.8.0 and prior) contains a local privilege escalation vulnerability due to insecure usage of SUID binary.

sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument.

The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification.

Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures.

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara.

robot-js is a module for native system automation for node.js.

arrayfire-js is a module for ArrayFire for the Node.js platform.

ngiflib.c in MiniUPnP ngiflib 0.4 has an infinite loop in DecodeGifImg and LoadGif.

An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8.

An exploitable denial-of-service vulnerability exists in the traversal of lists functionality of Natus Xltek NeuroWorks 8.

An exploitable denial-of-service vulnerability exists in the unserialization of lists functionality of Natus Xltek NeuroWorks 8.

On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, a malformed TLS handshake causes TMM to crash leading to a disruption of service.

webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455".

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects.

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions.

MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth.

jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.

jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame.

ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal.

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time.

SELA (aka SimplE Lossless Audio) v0.1.2-alpha has a stack-based buffer overflow in the core/apev2.c init_apev2_keys function.

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.

An issue was discovered in EOS.IO DAWN 4.2.

stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path.

crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path.

gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

node-tkinter was a malicious module published with the intent to hijack environment variables.

tkinter was a malicious module published with the intent to hijack environment variables.

mysqljs was a malicious module published with the intent to hijack environment variables.

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.

Certain input strings when passed to new Date() or Date.parse() in ecstatic node module before 1.4.0 will cause v8 to raise an exception.

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised.

Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched.

The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false.

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability.

A stack exhaustion vulnerability in the search function of dtSearch 7.90.8538.1 and prior allows remote attackers to cause a denial of service condition by sending a specially crafted HTTP request.

igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol.

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 42 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 21 of 46).

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 9 of 46).

On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 and Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Information Disclosure with user crafted input files via a Buffer Overflow or Out-of-bounds Read during syntax parsing of certain for loops in jsparse.c.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and potential Information Disclosure with a user crafted input file via a Buffer Overflow during syntax parsing because strncpy is misused in jslex.c.

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" attack.

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows an attack by an attacker who has direct physical access.

An issue was discovered in CmsEasy 6.1_20180508.

In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.

In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function GetImagePixelCache in MagickCore/cache.c, which allows attackers to cause a denial of service via a crafted CALS image file.

Under certain conditions, on F5 BIG-IP ASM 13.1.0-13.1.0.5, Behavioral DOS (BADOS) protection may fail during an attack.

Improper access control vulnerability in Synology Drive before 1.0.2-10275 allows remote authenticated users to access non-shared files or folders via unspecified vectors.

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress.

An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress.

Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server.

The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via Directory Traversal.

In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.

GifIndexToTrueColor in ngiflib.c in MiniUPnP ngiflib 0.4 has a Segmentation fault.

An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices.

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.

The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.

The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.

The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

The mobi_parse_mobiheader function in read.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service.

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contains a command injection vulnerability in the Boxmgmt CLI.

An issue was discovered in Free Lossless Image Format (FLIF) 0.3.

Yosoro 1.0.4 has stored XSS.

XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name.

Open redirect in hekto <=0.2.3 when target domain name is used as html filename on server.

There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field.

Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS.

An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress.

The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS.

On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS.

Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx.

Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.

Hue 3.12 has XSS via the /pig/save/ name and script parameters.

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2.

Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css.

Nunjucks is a full featured templating engine for JavaScript.

marked is an application that is meant to parse and compile markdown.

Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting.

SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter.

Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter.

Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.

An issue was discovered in MISP 2.4.91.

YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter.

A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML.

i18next is a language translation framework.

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulnerable to cross-site scripting.

An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB.

install-g-test downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

bionode-sra is a Node.js wrapper for SRA Toolkit.

cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

On F5 BIG-IP 13.0.0, 12.0.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, when processing DIAMETER transactions with carefully crafted attribute-value pairs, TMM may crash.

uws is a WebSocket server library.

engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO.

csrf-lite is a cross-site request forgery protection library for framework-less node sites.

electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages.

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP.

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g.

paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because a check for '\0' is made for the wrong array element in jsvar.c.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing of "VOID" tokens in jsparse.c.

Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via an Out-of-bounds Read during syntax parsing in which certain height validation is missing in libs/graphics/jswrap_graphics.c.

Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via a NULL pointer dereference during syntax parsing.

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via an integer overflow during syntax parsing.

NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.

The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.

MODX Revolution 2.6.3 has XSS.

There is a stored cross-site scripting (XSS) vulnerability in Huawei eSpace Desktop V300R001C00 and V300R001C50 version.

Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.

IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnerable to cross-site scripting.

backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input.

An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress.

ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> Manage modules -> edit" action to the manager/ URI.

DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter.

DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_first_name parameter.

An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring.

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB.

Information exposure through directory listings in serve 6.5.3 allows directory listing and file access even when they have been set to be ignored.

Under certain conditions, on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.6.1 HF2-11.6.3.1, virtual servers configured with Client SSL or Server SSL profiles which make use of network hardware security module (HSM) functionality are exposed and impacted by this issue.

Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 system that utilizes inflate functionality directly, via an iRule, or via the inflate code from PEM module are subjected to a service disruption via a "Zip Bomb" attack.

psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.

Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`.

call is an HTTP router that is primarily used by the hapi framework.

secure-compare 3.0.0 and below do not actually compare two strings properly.

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden.

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a remote attack via Bluetooth when in pairing mode, leading to a Head Unit reboot.

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage.

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information.

SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles user names (aka user_name fields) and group ids (aka gid fields).

A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload.

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information (i.e., determine if a username is valid) because of profile pictures visibility.

mySCADA myPRO 7 allows remote attackers to discover all ProjectIDs in a project by sending all of the prj parameter values from 870000 to 875000 in t=0&rq=0 requests to TCP port 11010.

restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web.

Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature.

Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.

Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.

In Stealth Authorization Server before 3.3.017.0 in Unisys Stealth Solution, an encryption key may be left in memory.

Sails is an MVC style framework for building realtime web applications.

A local file vulnerability exists in the F5 BIG-IP Configuration utility on versions 13.0.0, 12.1.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 that exposes files containing F5-provided data only and do not include any configuration data, proxied traffic, or other potentially sensitive customer data.

IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system.

Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to send an arbitrary number of call or SMS notifications via crafted Bluetooth Low Energy (BLE) traffic.

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 generates an error message that includes sensitive information about its environment, users, or associated data.

Some Huawei smart phones have the denial of service (DoS) vulnerability due to the improper processing of malicious parameters.

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 stores sensitive information in URL parameters.

The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file.

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill.