Weekly Vulnerabilities Reports > September 3 to 9, 2018

\upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.

An issue was discovered in Absolute Software CTES Windows Agent through 1.0.0.1479.

An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1 .

An exploitable code execution vulnerability exists in the connect functionality of NordVPN 6.14.28.0.

Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector.

Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to bypass access restriction to add files on a specific directory that may result in executing arbitrary OS commands/code or information including credentials leakage or alteration.

Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware version prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

phpMyFAQ before 2.9.11 allows CSRF.

KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators.

LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user.

LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gaining code execution via webshell.

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600.

In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, radio_id is received from the FW and is used to access the buffer to copy the radio stats received for each radio from FW.

WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution.

MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.

An issue was discovered in BTITeam XBTIT.

VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 2 of 2) via eventscript.cgi.

VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2) via the ONVIF interface, (/onvif/device_service).

VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.

Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save.

Frog CMS 0.9.5 has admin/?/user/edit/1 CSRF.

An issue was discovered in the HDF HDF5 1.8.20 library.

admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.

GNU Libextractor through 1.7 has an out-of-bounds read vulnerability in EXTRACTOR_zip_extract_method() in zip_extractor.c.

Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator's password.

ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the MagickCore/quantum-private.h PushShortPixel function when called from the coders/psd.c ParseImageResourceBlocks function.

ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the coders/psd.c ParseImageResourceBlocks function.

An issue was discovered in Elefant CMS before 2.0.5.

An issue was discovered in Ogma CMS 0.4 Beta.

An issue was discovered in OpenJPEG 2.3.0.

An issue was discovered in OpenJPEG 2.3.0.

An exploitable heap corruption vulnerability exists in the Txo functionality of Antenna House DMC HTMLFilter as used by MarkLogic 8.0-6.

In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.

Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses cleartext to exchange the username and password between server and client instances, which allows remote attackers to obtain sensitive information via a man in the middle attack.

The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance.

SolarWinds DameWare Mini Remote Control before 12.1 has a Buffer Overflow.

An issue was discovered in Contiki-NG through 4.1.

An issue was discovered in Contiki-NG through 4.1.

An exploitable code execution vulnerability exists in the connect functionality of ProtonVPN VPN client 1.5.1.

Untrusted search path vulnerability in the installers of multiple Canon IT Solutions Inc.

Untrusted search path vulnerability in installer of ChatWork Desktop App for Windows 2.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Untrusted search path vulnerability in Multiple Yayoi 17 Series products (Yayoi Kaikei 17 Series Ver.23.1.1 and earlier, Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier, Yayoi Kyuuyo 17 Ver.20.1.4 and earlier, Yayoi Kyuuyo Keisan 17 Ver.20.1.4 and earlier, Yayoi Hanbai 17 Series Ver.20.0.2 and earlier, and Yayoi Kokyaku Kanri 17 Ver.11.0.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Untrusted search path vulnerability in Multiple Yayoi 17 Series products (Yayoi Kaikei 17 Series Ver.23.1.1 and earlier, Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier, Yayoi Kyuuyo 17 Ver.20.1.4 and earlier, Yayoi Kyuuyo Keisan 17 Ver.20.1.4 and earlier, Yayoi Hanbai 17 Series Ver.

The Pulse Secure Desktop (macOS) has a Privilege Escalation Vulnerability.

An issue was discovered in Artifex Ghostscript before 9.24.

Kaizen Asset Manager (Enterprise Edition) and Training Manager (Enterprise Edition) allow a remote attacker to achieve arbitrary code execution via file impersonation.

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact.

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact.

An issue was discovered in Artifex Ghostscript before 9.24.

An issue was discovered in Artifex Ghostscript before 9.24.

The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.

In Huawei HiRouter-CD20-10 with the versions before 1.9.6 and WS5200-10 with the versions before 1.9.6, there is a plug-in signature bypass vulnerability due to insufficient plug-in verification.

In Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel while trying to find out total number of partition via a non zero check, there could be possibility where the 'TotalPart' could cross 'GptHeader->MaxPtCnt' and which could result in OOB write in patching GPT.

AttacheCase ver.3.3.0.0 and earlier allows an arbitrary script execution via unspecified vectors.

AttacheCase ver.2.8.4.0 and earlier allows an arbitrary script execution via unspecified vectors.

Untrusted search path vulnerability in The installer of Digital Paper App version 1.4.0.16050 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Directory traversal vulnerability in Explzh v.7.58 and earlier allows an attacker to read arbitrary files via unspecified vectors.

An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7.

In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.

PHP Scripts Mall Currency Converter Script 2.0.5 allows remote attackers to cause a denial of service (web-interface change) via an inverted comma.

The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable "maxTickets" (which is private, yet predictable and readable by the eth.getStorageAt function).

An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5.

IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection.

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly.

In Ice Qube Thermal Management Center versions prior to version 4.13, the web application does not properly authenticate users which may allow an attacker to gain access to sensitive information.

TOCK version prior to commit 42f7f36e74088036068d62253e1d8fb26605feed.

An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices.

In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p2, 11.1-RELEASE-p13, ip fragment reassembly code is vulnerable to a denial of service due to excessive system resource consumption.

An issue was discovered in SeaCMS through 6.61.

GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().

In Twistlock AuthZ Broker 0.1, regular expressions are mishandled, as demonstrated by containers/aa/pause?aaa=\/start to bypass a policy in which "docker start" is allowed but "docker pause" is not allowed.

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.

The LINE MUSIC for Android version 3.1.0 to versions prior to 3.6.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.

The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.

An issue was discovered in Nibbleblog v4.0.5.

The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events.

Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator.

D-Link DIR-846 devices with firmware 100.26 allow remote attackers to execute arbitrary code as root via a SetNetworkTomographySettings request by leveraging admin access.

An issue was discovered in Contiki-NG through 4.1.

An issue was discovered in Contiki-NG through 4.1.

Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to add malicious files on the device and execute arbitrary code.

In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, there is a Privilege Escalation Vulnerability with Dynamic Certificate Trust.

Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-server) 1:1.4.9+p41-u4jma1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

A double free when handling responses from an HSM Card in sc_pkcs15emu_sc_hsm_init in libopensc/pkcs15-sc-hsm.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

A double free when handling responses in read_file in tools/egk-tool.c (aka the eGK card tool) in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

Several buffer overflows when handling responses from a CAC Card in cac_get_serial_nr_from_CUID in libopensc/card-cac.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

Several buffer overflows when handling responses from an ePass 2003 Card in decrypt_response in libopensc/card-epass2003.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.

In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.

Buffer overflow in Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-client2) 1:1.4.9+p41-u4jma1 and earlier, Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u4jma1 and earlier, and Ubuntu16.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u5jma1 and earlier allows authenticated attackers to cause denial-of-service (DoS) condition via unspecified vectors.

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file.

Technicolor TG588V V2 devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof.

There is an excessive memory allocation issue in the functions ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image file.

There is a missing check for length in the functions ReadDCMImage of coders/dcm.c and ReadPICTImage of coders/pict.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image.

The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp.c, ReadCALSImage in coders/cals.c, and ReadPICTImage in coders/pict.c in ImageMagick 7.0.8-4 do not check the return value of the fputc function, which allows remote attackers to cause a denial of service via a crafted image file.

The function InsertRow in coders/cut.c in ImageMagick 7.0.7-37 allows remote attackers to cause a denial of service via a crafted image file due to an out-of-bounds write.

ImageMagick 7.0.8-6 has a memory leak vulnerability in the TIFFWritePhotoshopLayers function in coders/tiff.c.

ImageMagick 7.0.8-5 has a memory leak vulnerability in the function ReadOneJNGImage in coders/png.c.

jsish version 2.4.70 2.047 contains a CWE-125: Out-of-bounds Read vulnerability in function jsi_ObjArrayLookup (jsiObj.c:274) that can result in Crash due to segmentation fault.

jsish version 2.4.70 2.047 contains a Buffer Overflow vulnerability in function _jsi_evalcode from jsiEval.c that can result in Crash due to segmentation fault.

jsish version 2.4.67 contains a CWE-476: NULL Pointer Dereference vulnerability in Jsi_LogMsg (jsiUtils.c:196) that can result in Crash due to segmentation fault.

In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter).

An issue was discovered in ZZIPlib through 0.13.69.

It was discovered that fsync(2) system call in glusterfs client code leaks memory.

An issue was discovered in baigo CMS v2.1.1.

OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Channel/add.html, adding a blog via admin.php?s=/Article/update.html, and setting the audit state via admin.php?s=/Article/setStatus/status/1.html.

Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.

Eventum before 3.4.0 has an open redirect vulnerability.

The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event.

\upload\plugins\sys\Install.php in CScms 4.1 has XSS via the site name.

An issue is discovered in baijiacms V4.

An issue was discovered in Creme CRM 1.6.12.

An issue was discovered in Contiki-NG through 4.1.

An issue was discovered in the Linux kernel before 4.18.6.

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page.

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view.

Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php.

Zurmo 3.2.4 Stable allows XSS via app/index.php/accounts/default/details?id=2&kanbanBoard=1&openToTaskId=1.

rejucms 2.1 has XSS via the ucenter/cms_user_add.php u_name parameter.

The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.

download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure through 5.2RX before 5.2R10 and 5.4RX before 5.4R4 have an Open Redirect Vulnerability.

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin 5.4.0 HRMS Software.

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a Cross-site Scripting vulnerability.

KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions.

sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The "referer" parameter of the wwsympa.fcgi login action.

Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust.

An unescaped payload in exceljs <v1.6 allows a possible XSS via cell value when worksheet is displayed in browser.

e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.

An issue was discovered in BTITeam XBTIT 2.5.4.

The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.

The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.

An issue was discovered in BTITeam XBTIT.

An issue was discovered in BTITeam XBTIT 2.5.4.

An issue was discovered in BTITeam XBTIT 2.5.4.

The newsfeed (aka /index.php?page=viewnews) in BTITeam XBTIT 2.5.4 has stored XSS via the title of a news item.

helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL.

Cross-site scripting vulnerability in Movable Type versions prior to Ver.

CraftedWeb through 2013-09-24 has reflected XSS via the p parameter.

An issue was discovered in Mayan EDMS before 3.0.3.

An issue was discovered in Mayan EDMS before 3.0.2.

An issue was discovered in Mayan EDMS before 3.0.2.

The issue was discovered in IdeaCMS through 2016-04-30.

PESCMS Team 2.2.1 has multiple reflected XSS via the keyword parameter: g=Team&m=User&a=index&keyword=, g=Team&m=User_group&a=index&keyword=, g=Team&m=Department&a=index&keyword=, and g=Team&m=Bulletin&a=index&keyword=.

The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks.

daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains a CWE-295: Improper Certificate Validation vulnerability in HTTPS Client that can result in Any non-CA signed server certificate, including self signed and expired, are accepted by the client.

Amcrest networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation, as demonstrated by Amcrest_IPC-HX1X3X-LEXUS_Eng_N_AMCREST_V2.420.AC01.3.R.20180206.

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key.

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key.

The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required.

IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks.

Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create or overwrite existing files via specially crafted ATC file.

An exploitable denial of service exists in the the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system.

In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file.

In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.

asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.

The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability.

okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation.

NASM nasm-2.13.03 nasm- 2.14rc15 version 2.14rc15 and earlier contains a memory corruption (crashed) of nasm when handling a crafted file due to function assemble_file(inname, depend_ptr) at asm/nasm.c:482.

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter.

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter.

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable.

Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.

Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.

libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.

Netwide Assembler (NASM) 2.14rc15 has a buffer over-read in x86/regflags.c.

XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (stack consumption) via a crafted pdf file, related to AcroForm::scanField, as demonstrated by pdftohtml.

SplashXPath::strokeAdjust in splash/SplashXPath.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.

In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings).

An XSS issue was discovered in CremeCRM 1.6.12.

The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.

An issue was discovered in Creme CRM 1.6.12.

An issue was discovered in Creme CRM 1.6.12.

IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection.

IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting.

Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments field, related to users/userAddContent.

LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.

An issue was discovered in Jorani 0.6.5.

Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.

Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.

A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit.

IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application.

The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Privilege Escalation Vulnerability.

HScripts PHP File Browser Script v1.0 allows Directory Traversal via the index.php path parameter.

An issue was discovered in BTITeam XBTIT.

An issue was discovered in BTITeam XBTIT.

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service.

Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator.

In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,

Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save.

Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allow an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page.

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page.

Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "Theme/Theme Options" screen.

Frog CMS 0.9.5 has stored XSS via /admin/?/plugin/comment/settings.

Mate10 Pro Huawei smart phones with the versions before 8.1.0.326(C00) have a FRP bypass vulnerability.

Mate 10 Pro Huawei smart phones with the versions before BLA-L29 8.0.0.148(C432) have a Factory Reset Protection (FRP) bypass security vulnerability.

An issue was discovered in Gleez CMS v1.2.0.

An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a standard user with adom assignment read the interface settings of vdoms unrelated to the assigned adom.

Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs.

Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.

Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file.

FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection.

P10 Huawei smartphones with the versions before Victoria-AL00AC00B217 have an information leak vulnerability due to the lack of permission validation.