Latest Vulnerabilities

  • CVE-2017-13083
    Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code... Read more »
  • CVE-2017-8024
    EMC Isilon OneFS (versions prior to 8.1.0.1, versions prior to 8.0.1.2, versions prior to 8.0.0.6, version 7.2.1.x) is impacted by a reflected cross-site scripting vulnerability that may potentially be exploited by malicious users to compromise the affected system.... Read more »
  • CVE-2017-15595
    An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.... Read more »
  • CVE-2017-15592
    An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests.... Read more »
  • CVE-2017-15590
    An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled.... Read more »
  • CVE-2017-15583
    The embedded web server on ABB Fox515T 1.0 devices is vulnerable to Local File Inclusion. It accepts a parameter that specifies a file for display or for use as a template. The filename is not validated; an attacker could retrieve any file.... Read more »
  • CVE-2017-15588
    An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry.... Read more »
  • CVE-2017-15596
    An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.... Read more »
  • CVE-2017-15591
    An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.... Read more »
  • CVE-2017-15593
    An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled.... Read more »
  • CVE-2017-15594
    An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging.... Read more »
  • CVE-2017-15587
    An integer overflow was discovered in pdf_read_new_xref_section in pdf/pdf-xref.c in Artifex MuPDF 1.11.... Read more »
  • CVE-2017-15589
    An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.... Read more »
  • CVE-2017-15579
    In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pages_per_page cookie in a playlist action to watch.php.... Read more »
  • CVE-2017-15573
    In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.... Read more »
  • CVE-2017-15572
    In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.... Read more »
  • CVE-2017-15574
    In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.... Read more »
  • CVE-2017-15577
    Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.... Read more »
  • CVE-2017-15575
    In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.... Read more »
  • CVE-2017-15571
    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.... Read more »
  • CVE-2017-15576
    Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.... Read more »
  • CVE-2017-15578
    In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.... Read more »
  • CVE-2016-10515
    In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.... Read more »
  • CVE-2017-15568
    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.... Read more »
  • CVE-2017-15570
    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.... Read more »
  • CVE-2017-15569
    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.... Read more »
  • CVE-2017-14005
    An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user's password, enabling future access and possible configuration changes.... Read more »
  • CVE-2017-9625
    An Improper Authentication issue was discovered in Envitech EnviDAS Ultimate Versions prior to v1.0.0.5. The web application lacks proper authentication which could allow an attacker to view information and modify settings or execute code remotely.... Read more »
  • CVE-2017-14009
    An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password.... Read more »
  • CVE-2017-15565
    In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document.... Read more »
  • CVE-2017-14007
    An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization.... Read more »
  • CVE-2017-13999
    A Stack-based Buffer Overflow issue was discovered in WECON LEVI Studio HMI Editor v1.8.1 and prior. Multiple stack-based buffer overflow vulnerabilities have been identified in which the application does not verify string size before copying to memory; the attacker may then be able to crash the application or run arbitrary code.... Read more »
  • CVE-2017-14011
    A Cross-Site Request Forgery issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The application does not sufficiently verify requests, making it susceptible to cross-site request forgery. This may allow an attacker to execute unauthorized code, resulting in changes to the configuration of the device.... Read more »
  • CVE-2017-14013
    A Client-Side Enforcement of Server-Side Security issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user.... Read more »
  • CVE-2017-15539
    SQL Injection exists in zorovavi/blog through 2017-10-17 via the id parameter to recept.php.... Read more »
  • CVE-2017-5531
    Deployments of TIBCO Managed File Transfer Command Center versions 8.0.0 and 8.0.1 and TIBCO Managed File Transfer Internet Server versions 8.0.0 and 8.0.1 that enable the Administrator Service may be affected by a vulnerability which may allow any authenticated user to gain administrative control of Managed File Transfer web applications.... Read more »
  • CVE-2017-6273
    NVIDIA ADSP Firmware contains a vulnerability in the ADSP Loader component where there is the potential to write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or possible escalation of privileges.... Read more »
  • CVE-2017-3760
    The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.... Read more »
  • CVE-2017-3759
    The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.... Read more »
  • CVE-2017-3761
    The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.... Read more »
  • CVE-2017-15538
    Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.... Read more »
  • CVE-2017-3758
    Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.... Read more »
  • CVE-2017-15537
    The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c.... Read more »
  • CVE-2017-8805
    Debian ftpsync before 20171017 does not use the rsync --safe-links option, which allows remote attackers to conduct directory traversal attacks via a crafted upstream mirror.... Read more »
  • CVE-2015-7806
    Eval injection vulnerability in the fm_saveHelperGatherItems function in ajax.php in the Form Manager plugin before 1.7.3 for WordPress allows remote attackers to execute arbitrary code via unspecified vectors.... Read more »
  • CVE-2014-8357
    backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.... Read more »
  • CVE-2014-9118
    The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.... Read more »
  • CVE-2014-2277
    The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.... Read more »
  • CVE-2014-2664
    Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.... Read more »
  • CVE-2014-9697
    Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attackers to cause a memory leak or denial of service (memory exhaustion, reboot and MPU switchover) via a crafted website.... Read more »
  • CVE-2014-9733
    nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors.... Read more »
  • CVE-2014-9489
    The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.... Read more »
  • CVE-2014-8323
    buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.... Read more »
  • CVE-2014-9678
    FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter.... Read more »
  • CVE-2014-9677
    Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter.... Read more »
  • CVE-2014-9487
    The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.... Read more »
  • CVE-2014-8324
    network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.... Read more »
  • CVE-2017-13084
    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.... Read more »
  • CVE-2017-13086
    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.... Read more »
  • CVE-2017-13078
    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.... Read more »
  • CVE-2017-13082
    Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.... Read more »
  • CVE-2017-13088
    Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.... Read more »
  • CVE-2017-13080
    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.... Read more »
  • CVE-2017-13087
    Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.... Read more »
  • CVE-2017-13081
    Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.... Read more »
  • CVE-2017-13079
    Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.... Read more »
  • CVE-2017-13077 (wpa, wpa2)
    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.... Read more »
  • CVE-2017-15385
    The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c in radare2 2.0.0 allows remote attackers to cause a denial of service (r_read_le16 invalid write and application crash) or possibly have unspecified other impact via a crafted ELF file.... Read more »
  • CVE-2017-0316
    In GeForce Experience (GFE) 3.x before 3.10.0.55, NVIDIA Installer Framework contains a vulnerability in NVISystemService64 where a value passed from a user to the driver is used without validation, which may lead to denial of service or possible escalation of privileges.... Read more »
  • CVE-2017-9368
    An information disclosure vulnerability in the BlackBerry Workspaces Server could result in an attacker gaining access to source code for server-side applications by crafting a request for specific files.... Read more »
  • CVE-2017-9367
    A directory traversal vulnerability in the BlackBerry Workspaces Server could potentially allow an attacker to execute or upload arbitrary files, or reveal the content of arbitrary files anywhere on the web server by crafting a URL with a manipulated POST request.... Read more »
  • CVE-2015-7504
    Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.... Read more »
  • CVE-2017-15289
    The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.... Read more »
  • CVE-2015-3229
    fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates.... Read more »
  • CVE-2017-15265
    Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.... Read more »
  • CVE-2015-7687
    Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.... Read more »
  • CVE-2017-15221
    ASX to MP3 converter 3.1.3.7.2010.11.05 has a buffer overflow via a crafted M3U file, a related issue to CVE-2009-1324.... Read more »
  • CVE-2014-0208
    Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.... Read more »
  • CVE-2015-4650
    Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to gain shell access and execute arbitrary code with root privileges via unspecified vectors.... Read more »
  • CVE-2015-2780
    Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.... Read more »
  • CVE-2017-15361
    The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 PGP key generation, and the Cached User Data encryption feature in Chrome OS.... Read more »
  • CVE-2017-15383
    Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploitable via a Trojan horse Nero.exe file in the %PROGRAMFILES(x86)%\Nero directory.... Read more »
  • CVE-2017-15384
    rate-me.php in Rate Me 1.0 has XSS via the id field in a rate action.... Read more »
  • CVE-2017-15295
    Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.... Read more »
  • CVE-2017-15297
    SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993.... Read more »
  • CVE-2017-15296
    The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964.... Read more »
  • CVE-2017-15293
    Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.... Read more »
  • CVE-2017-15294
    The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.... Read more »
  • CVE-2017-14952
    Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.... Read more »
  • CVE-2016-4461
    Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.... Read more »
  • CVE-2014-7851
    oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.... Read more »
  • CVE-2014-3702
    Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot dot) in the session parameter.... Read more »
  • CVE-2014-8621
    SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.... Read more »
  • CVE-2014-9148
    Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.... Read more »
  • CVE-2014-9147
    Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.... Read more »
  • CVE-2014-8087
    Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php.... Read more »
  • CVE-2016-8734
    Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.... Read more »
  • CVE-2014-0029
    Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.... Read more »
  • CVE-2017-15375
    Multiple client-side cross site scripting vulnerabilities have been discovered in the WpJobBoard v4.5.1 web-application for WordPress. The vulnerabilities are located in the `query` and `id` parameters of the `wpjb-email`, `wpjb-job`, `wpjb-application`, and `wpjb-membership` modules. Remote attackers are able to inject malicious script code to hijack admin session credentials via the backend, or to manipulate the backend on client-side performed requests. The attack vector is non-persistent and the request method to inject is GET. The attacker does not need a privileged user account to perform a successful exploitation.... Read more »
  • CVE-2017-15371
    There is a reachable assertion abort in the function sox_append_comment() in formats.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.... Read more »
  • VU#307015: Infineon RSA library does not properly generate RSA key pairs
    Vulnerability Note VU#307015 Infineon RSA library does not properly generate RSA key pairs Original Release date: 16 Oct 2017 | Last revised: 16 Oct 2017 Overview The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs, which may allow an attacker to recover the RSA private key corresponding to an RSA public key generated by this library. Description CWE-310: Cryptographic Issues - CVE-2017-15361 The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs. As a result, the keyspace required for a brute force search is lessened such that it is feasible to factorize keys under at least 2048 bits and obtain the RSA private key. The attacker needs only access to the victim's RSA public key generated by this library in order to calculate the private key. Note that only RSA key generation is impacted. ECC is unaffected. RSA keys generated by other devices/libraries... Read more »
  • VU#228519: Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse
    Vulnerability Note VU#228519 Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse Original Release date: 16 Oct 2017 | Last revised: 18 Oct 2017 Overview Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. Description CWE-323: Reusing a Nonce, Key Pair in Encryption Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or... Read more »
  • VU#590639: NXP Semiconductors MQX RTOS contains multiple vulnerabilities
    Vulnerability Note VU#590639 NXP Semiconductors MQX RTOS contains multiple vulnerabilities Original Release date: 12 Oct 2017 | Last revised: 13 Oct 2017 Overview The NXP Semiconductors MQX RTOS prior to version 5.1 contains a buffer overflow in the DHCP client, which may lead to memory corruption allowing an attacker to execute arbitrary code, as well as an out of bounds read in the DNS client which may lead to a denial of service. Description The NXP Semiconductors MQX real-time operating system (RTOS) prior to version 5.1 is vulnerable to the following: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-12718 The RTCS DHCP client for MQX version 5.0 fails to sanitize lengths for DHCP options 66 and 67. A remote attacker sending crafted DHCP packets utilizing options 66 and 67 may gain control of the length passed to memcpy, which may allow overwriting memory with... Read more »
  • VU#973527: Dnsmasq contains multiple vulnerabilities.
    Vulnerability Note VU#973527 Dnsmasq contains multiple vulnerabilities. Original Release date: 02 Oct 2017 | Last revised: 18 Oct 2017 Overview Dnsmasq, versions 2.77 and earlier, contains multiple vulnerabilities. Description CWE-122: Heap-based Buffer Overflow - CVE-2017-14491 CWE-122: Heap-based Buffer Overflow - CVE-2017-14492 CWE-121: Stack-based Buffer Overflow - CVE-2017-14493 CWE-200: Information Exposure - CVE-2017-14494 CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2017-14495 CWE-191: Integer Underflow - CVE-2017-14496 Please see the Google Security blog post for additional information. Impact Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests. Solution Apply an Update Version 2.78 has been released to address these vulnerabilities. Vendor Information: dnsmasq - Affected (date notified 25 Sep 2017, date updated 02 Oct 2017); Technicolor - Affected (date notified -, date updated 18... Read more »
  • VU#101048: Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability
    Vulnerability Note VU#101048 Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability Original Release date: 13 Sep 2017 | Last revised: 16 Sep 2017 Overview The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can cause the .NET framework to parse a specially-crafted WSDL file, this can result in arbitrary code execution. This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded Soap Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible. Impact By causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker,... Read more »
  • VU#240311: Multiple Bluetooth implementation vulnerabilities affect many devices
    Vulnerability Note VU#240311 Multiple Bluetooth implementation vulnerabilities affect many devices Original Release date: 12 Sep 2017 | Last revised: 18 Oct 2017 Overview A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perform commands on the device. Description The following vulnerabilities have been identified in various Bluetooth implementations: 1. CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-1000251 Linux kernel versions from 3.3-rc1 to present contain a vulnerable implementation of L2CAP EFS within the BlueZ module. The l2cap_parse_conf_rsp function does not properly check the length of the rsp argument prior to unpacking, allowing an attacker to overflow a 64 byte buffer on the kernel stack with an unlimited amount of data crafted to conform to a valid L2CAP... Read more »
  • VU#166743: Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities
    Vulnerability Note VU#166743 Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities. Original Release date: 08 Sep 2017 | Last revised: 12 Oct 2017
    Overview: Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.
    Description:
    CWE-329: Not Using a Random IV with CBC Mode - CVE-2017-3225. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.
    CWE-208: Information Exposure Through Timing Discrepancy - CVE-2017-3226. Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment...
  • VU#112992: Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data
    Vulnerability Note VU#112992 Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data. Original Release date: 06 Sep 2017 | Last revised: 06 Sep 2017
    Overview: Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application.
    Description: CWE-502: Deserialization of Untrusted Data - CVE-2017-9805. In Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses XStreamHandler with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application. Refer to the researcher's blog post for more information about this vulnerability. A Metasploit module with exploit code is publicly available.
    Impact: A remote, unauthenticated...
  • VU#403768: Akeo Consulting Rufus fails to update itself securely
    Vulnerability Note VU#403768 Akeo Consulting Rufus fails to update itself securely. Original Release date: 29 Aug 2017 | Last revised: 31 Aug 2017
    Overview: Akeo Consulting Rufus fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code on a vulnerable system.
    Description: Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature checking of downloaded updates, it does not ensure that the update was signed by a trusted certificate authority (CA). This lack of CA checking allows the use of a self-signed certificate. Because of these two weaknesses, an attacker can subvert the update process to achieve arbitrary code execution.
    Impact: An attacker on the same network as, or who can otherwise affect network traffic from, a Rufus user can cause the Rufus update process to execute arbitrary code. ...
  • VU#824672: Microsoft Windows automatically executes code specified in shortcut files
    Vulnerability Note VU#824672 Microsoft Windows automatically executes code specified in shortcut files. Original Release date: 03 Aug 2017 | Last revised: 09 Aug 2017
    Overview: Microsoft Windows automatically executes code specified in shortcut (LNK) files.
    Description: Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files. Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is...
  • VU#793496: Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency
    Vulnerability Note VU#793496 Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency. Original Release date: 27 Jul 2017 | Last revised: 18 Oct 2017
    Overview: Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.
    Description: CWE-354: Improper Validation of Integrity Check Value. Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from...
  • VU#838200: Telerik Web UI contains cryptographic weakness
    Vulnerability Note VU#838200 Telerik Web UI contains cryptographic weakness. Original Release date: 25 Jul 2017 | Last revised: 25 Jul 2017
    Overview: The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
    Description: CWE-326: Inadequate Encryption Strength - CVE-2017-9248. The Telerik.Web.UI.dll is vulnerable to a cryptographic weakness which allows the attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey. Versions R2 2017 (2017.2.503) and prior are vulnerable.
    Impact: A remote, unauthenticated attacker could perform arbitrary file uploads and downloads, cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState. Software vendors who use Telerik web components may also be impacted.
    Solution: Apply an update. Please see Telerik's support article for update information for specific versions. The support article also provides information to those who are unable to update their...
  • VU#586501: Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account
    Vulnerability Note VU#586501 Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account. Original Release date: 20 Jul 2017 | Last revised: 21 Jul 2017
    Overview: Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be utilized over satellite networks in a highly optimized manner. A third-party security research firm has identified two security vulnerabilities in the client software:
    - On-board ship network access could provide visibility of user names and passwords configured on the client device.
    - A backdoor account has been identified in the client that provides full system privileges. This vulnerability could be exploited remotely.
    An attacker with high skill would be able to exploit this vulnerability. AmosConnect 8 has been deemed end of life and is no longer supported. Inmarsat customers must contact Inmarsat Customer Service to obtain the replacement mail client software. ...
  • VU#547255: Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow
    Vulnerability Note VU#547255 Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow. Original Release date: 18 Jul 2017 | Last revised: 26 Jul 2017
    Overview: Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow.
    Description: CWE-121: Stack-based Buffer Overflow - CVE-2017-3223. Dahua IP camera products include an application known as Sonia (/usr/bin/sonia) that provides the web interface and other services for controlling the IP camera remotely. Versions of Sonia included in firmware versions prior to DH_IPC-Consumer-Zi-Themis_Eng_P_V2.408.0000.11.R.20170621 do not validate input data length for the 'password' field of the web interface. A remote, unauthenticated attacker may submit a crafted POST request to the IP camera's Sonia web interface that may lead to out-of-bounds memory operations and loss of availability or remote code execution. The issue was originally identified by the researcher...
  • VU#489392: Acronis True Image fails to update itself securely
    Vulnerability Note VU#489392 Acronis True Image fails to update itself securely. Original Release date: 19 Jun 2017 | Last revised: 28 Jun 2017
    Overview: Acronis True Image fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.
    Description: Acronis True Image is a disk backup utility for Windows and Mac systems. Acronis True Image versions through and including 2017 Build 8053 perform update operations over unprotected HTTP channels. Downloaded updates are not validated beyond verifying the server-provided MD5 hash.
    Impact: An attacker on the same network as, or who can otherwise affect network traffic from, an Acronis True Image user can cause the True Image update process to execute arbitrary code with system administrator privileges.
    Solution: Apply an update. This issue is addressed in Acronis True Image 2017 Build 8058....