76 matches found

NVD
added 2019/10/16 7:15 p.m. | 22 views

CVE-2019-15248

Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters ATAs could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An...

CVSS 8 | AI score 8.1 | EPSS 0.00578
Exploits: 0 | References: 1

The Hacker News
added 2019/09/04 9:21 a.m. | 2 views

Firefox 69 Now Blocks 3rd-Party Tracking Cookies and Cryptominers By Default

Mozilla has finally enabled the "Enhanced Tracking Protection" feature for all of its web browser users worldwide by default with the official launch of Firefox 69 for Windows, Mac, Linux, and Android. The company enabled the "Enhanced Tracking Protection" setting by default for its browser in Ju...

AI score 5.9
Exploits: 0

OSV
added 2019/08/28 10:15 p.m. | 2 views

CVE-2019-10059

The legacy finger service TCP port 79 is enabled by default on various older Lexmark devices...

CVSS 5.3 | AI score 6.1 | EPSS 0.00871
Exploits: 0 | References: 1

OSV
added 2019/07/17 9:15 p.m. | 5 views

CVE-2019-1917

A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by...

CVSS 9.8 | AI score 7.5 | EPSS 0.0534
Exploits: 0 | References: 2

RedHat Linux
added 2019/05/13 5:6 p.m. | 1 views

tomcat: Host name verification missing in WebSocket client

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...

CVSS 7.5 | AI score 7.2 | EPSS 0.213
Exploits: 0 | References: 4

OSV
added 2019/02/06 6:13 p.m. | 4 views

DRUPAL-CONTRIB-2019-014

Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly...

AI score 6.4
Exploits: 0 | References: 1

OSV
added 2018/10/02 7:29 p.m. | 3 views

CVE-2018-11750

Previous releases of the Puppet ciscoios module did not validate a host's identity before starting a SSH connection. As of the 0.4.0 release of ciscoios, host key checking is enabled by default...

CVSS 6.5 | AI score 5.8 | EPSS 0.01075
Exploits: 0 | References: 2

RedHat Linux
added 2018/08/28 7:21 p.m. | 3 views

JDK: privilege escalation via insufficiently restricted access to Attach API

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on...

CVSS 7.8 | AI score 7.2 | EPSS 0.00494
Exploits: 0 | References: 4

OSV
added 2018/07/26 1:29 p.m. | 1 views

DEBIAN-CVE-2017-7537

It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates...

CVSS 7.5 | AI score 7 | EPSS 0.01458
Exploits: 1 | References: 1

CNVD
added 2017/03/15 12:0 a.m. | 0 views

Wireless IP Camera (P2P) WIFICAM 'Cloud' Feature Design Flaw Vulnerability

Wireless IP Camera P2P WIFICAM is a wireless IP camera. A design flaw exists in the Wireless IP Camera P2P WIFICAM 'Cloud' feature, where the camera provides a 'Cloud' feature that is enabled by default, allowing consumers to bypass NAT and firewalls by managing the device over the network using ...

AI score 6.8
Exploits: 0 | References: 1

CNVD
added 2016/03/30 12:0 a.m. | 1 views

CubeCart Stored Cross-Site Scripting Vulnerability

CubeCart is an open source PHP e-commerce software system. A stored cross-site scripting vulnerability exists in CubeCart. Due to insufficient filtering of user-supplied data via the "firstname" and "lastname" HTTP POST parameters passed to the "/index.php" script input, a remotely-authenticated...

AI score 6.2
Exploits: 0 | References: 1

RedHat Linux
added 2014/05/21 3:45 p.m. | 5 views

tomcat: incomplete fix for CVE-2012-3544

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat and JBoss Web processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by...

CVSS 5 | AI score 6.8 | EPSS 0.10798
Exploits: 2 | References: 4

RedHat Linux
added 2013/01/24 6:28 p.m. | 4 views

JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started

JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a...

CVSS 3.3 | AI score 6.3 | EPSS 0.01448
Exploits: 1 | References: 4

exploitpack
added 2000/03/17 12:0 a.m. | 11 views

Netscape Enterprise Server 3.03.63.51 - Directory Indexing

Netscape Enterprise Server 3.03.63.51 - Directory Indexing // source: https://www.securityfocus.com/bid/1063/info Netscape Enterprise Server 3.x includes a poorly documented feature that will allow remote users to view directory listings by appending various instructional tags to the URL. Althoug...

AI score 0.3
Exploits: 0

Exploit DB
added 2000/03/17 12:0 a.m. | 33 views

Netscape Enterprise Server 3.0/3.6/3.51 - Directory Indexing

// source: https://www.securityfocus.com/bid/1063/info Netscape Enterprise Server 3.x includes a poorly documented feature that will allow remote users to view directory listings by appending various instructional tags to the URL. Although it can be disabled, Netscape Enterprise Server is shipped...

AI score 7.4
Exploits: 0

Core Security
added 1976/01/01 12:0 a.m. | 2 views

Cisco IOS Web Administration Denial of Service

Advisory ID Internal CORE-22510 Bugtraq ID: 1838 CVE Name: None currently assigned. Title: Cisco IOS Web Administration Denial of Service Class: Denial of Service Remotely Exploitable: Yes Locally Exploitable: Yes Vulnerability Description: The HTTP service facility in the Cisco IOS provides remo...

AI score 5.9
Exploits: 0