
5981 matches found

Tenable Nessus
added 2018/08/13 12:0 a.m. | 30 views

Debian DSA-4269-1 : postgresql-9.6 - security update

Two vulnerabilities have been found in the PostgreSQL database system : - CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects. - CVE-2018-10925 It was discovered that some 'CREATE TABLE' statements could disclose server memory. For...

CVSS 8.5 | AI score 7.3 | EPSS 0.05154
Exploits: 0 | References: 8

OSV
added 2018/08/10 10:29 p.m. | 3 views

CVE-2018-3110

A vulnerability was discovered in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to...

CVSS 9.9 | AI score 5.8 | EPSS 0.02481
Exploits: 0 | References: 3

CVE
added 2018/08/09 9:0 p.m. | 362 views

CVE-2018-10925

CVE-2018-10925 affects PostgreSQL before certain fixed releases: 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24. The flaw: failure to properly authorize certain INSERT ... ON CONFLICT DO UPDATE statements. An attacker with CREATE TABLE privileges (and potentially INSERT/limited UPDATE privileges on a t...

CVSS 8.1 | AI score 7.7 | EPSS 0.02241
Exploits: 0 | References: 12 | Affected Software: 1

Debian CVE
added 2018/08/09 9:0 p.m. | 25 views

CVE-2018-10925

Removed by vendor...

CVSS 8.1 | AI score 7.7 | EPSS 0.02241
Exploits: 0

FreeBSD
added 2018/08/09 12:0 a.m. | 38 views

PostgreSQL -- two vulnerabilities

The PostgreSQL project reports: CVE-2018-10915: Certain host connection parameters defeat client-side security defenses libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variabl...

CVSS 8.5 | AI score 2.1 | EPSS 0.05154
Exploits: 0 | References: 1

OSV
added 2018/08/09 12:0 a.m. | 1 views

UBUNTU-CVE-2018-10925

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server...

CVSS 8.1 | AI score 7.2 | EPSS 0.02241
Exploits: 0 | References: 4

CVE
added 2018/08/07 2:0 p.m. | 33 views

CVE-2018-15130

CVE-2018-15130 affects ThinkSAAS up to 2018-07-25. The vulnerability is a Cross-Site Scripting (XSS) flaw exploitable via the parameter groupdesc in the URL path index.php?app=group&ac=create&ts=do, allowing injection of arbitrary web script/HTML into the page. Root cause details beyond XSS are n...

CVSS 5.4 | AI score 5.2 | EPSS 0.00667
Exploits: 1 | References: 1 | Affected Software: 1

CNVD
added 2018/08/06 12:0 a.m. | 2 views

WeaselCMS Cross-Site Request Forgery Vulnerability

WeaselCMS is a lightweight content management system CMS written in PHP. A cross-site request forgery vulnerability exists in WeaselCMS version 0.3.5. A remote attacker can exploit this vulnerability to create a new page with index.php?b=pages&a=new URI...

CVSS 8.8 | AI score 8.8 | EPSS 0.00523
Exploits: 1 | References: 1

CNVD
added 2018/08/01 12:0 a.m. | 2 views

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-17075)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the camera 'create' function of the video-core HTTP server in the Samsung SmartThings Hub, which stems from the...

CVSS 9.9 | AI score 8.8 | EPSS 0.01489
Exploits: 2 | References: 1

CNVD
added 2018/07/31 12:0 a.m. | 1 views

Linux kernel information disclosure vulnerability (CNVD-2018-24551)

Linux kernel is the kernel used by Linux, the open source operating system released by the Linux Foundation in the United States. A security vulnerability exists in the kernel/time/posix-timers.c file in versions of Linux kernel prior to 4.14.8, which stems from an implementation of the timercrea...

CVSS 5.5 | AI score 6.2 | EPSS 0.03255
Exploits: 8 | References: 1

CNVD
added 2018/07/25 12:0 a.m. | 1 views

Bento4 Buffer Overflow Vulnerability (CNVD-2018-14699)

Bento4 is an open source C++ library for reading and writing MP4 files. A heap buffer overflow vulnerability exists in AP4AvccAtom::Create in the Core/Ap4AvccAtom.cpp file in Bento4 version 1.5.1-624. An attacker can exploit this vulnerability to cause a heap buffer out-of-bounds read...

CVSS 8.8 | AI score 8.8 | EPSS 0.01614
Exploits: 1 | References: 1

CNVD
added 2018/07/25 12:0 a.m. | 2 views

BageCMS Cross-Site Request Forgery Vulnerability

BageCMS is a cross-platform content management system CMS based on PHP and MySQL. A cross-site request forgery vulnerability exists in the index.php?r=admini/admin/create URL in BageCMS version 3.1.3. A remote attacker can exploit the vulnerability to add a backend administrator account...

CVSS 8.8 | AI score 8.8 | EPSS 0.00523
Exploits: 1 | References: 1

UbuntuCve
added 2018/07/24 4:29 p.m. | 18 views

CVE-2018-14584

An issue has been discovered in Bento4 1.5.1-624. AP4AvccAtom::Create in Core/Ap4AvccAtom.cpp has a heap-based buffer over-read...

CVSS 8.8 | AI score 7.2 | EPSS 0.01614
Exploits: 1 | References: 3

NVD
added 2018/07/24 4:29 p.m. | 13 views

CVE-2018-14582

index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account...

CVSS 8.8 | AI score 8.6 | EPSS 0.00523
Exploits: 1 | References: 1

OSV
added 2018/07/24 4:29 p.m. | 3 views

UBUNTU-CVE-2018-14584

An issue has been discovered in Bento4 1.5.1-624. AP4AvccAtom::Create in Core/Ap4AvccAtom.cpp has a heap-based buffer over-read...

CVSS 8.8 | AI score 5.9 | EPSS 0.01614
Exploits: 1 | References: 4

Cvelist
added 2018/07/24 4:0 p.m. | 15 views

CVE-2018-14582

index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account...

AI score 8.6 | EPSS 0.00523
Exploits: 1 | References: 1

Prion
added 2018/07/23 3:29 p.m. | 13 views

Cross site scripting

October CMS version prior to build 437 contains a Cross Site Scripting XSS vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appears to be exploitable...

CVSS 3.5 | AI score 5.2 | EPSS 0.00521
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2018/07/18 1:29 p.m. | 3 views

CVE-2018-3004

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.2. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple...

CVSS 5.3 | AI score 7.3
Exploits: 0 | References: 4

CNVD
added 2018/07/12 12:0 a.m. | 3 views

Red Hat Ceph Security Bypass Vulnerability

Red Hat Ceph is a Linux PB-level distributed file system from Red Hat. The main goal of the system is to be designed as a distributed file system without a single point of failure based on POSIX Portable Operating System Interface, so that data can be fault-tolerant and seamlessly replicated. Ceph...

CVSS 8.1 | AI score 7.8 | EPSS 0.03249
Exploits: 0 | References: 1

CNVD
added 2018/07/11 12:0 a.m. | 2 views

Gleez CMS Cross-Site Request Forgery Vulnerability

Gleez CMS is an extensible open source content management system CMS based on the Kohana framework. A cross-site request forgery vulnerability exists in Gleez CMS version 1.2.0. A remote attacker can exploit this vulnerability to create new pages and logs...

CVSS 8.8 | AI score 8.9 | EPSS 0.0065
Exploits: 1 | References: 1