Security Bulletin: IBM API Connect is vulnerable to CSV Injection (CVE-2018-1774)
Summary IBM API Connect has addressed the following vulnerability. IBM API Connect is vulnerable to CSV Injection via the Developer Portal and analytics: exported CSV data could contain malicious commands that would be executed once the file is opened by an administrator. Vulnerability Details CVEID: CVE-2018-1774...
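The fix for this class of bug is to neutralize formula triggers before a cell reaches the exported file. The following is an added example, not IBM's code (API Connect's own export path is not shown on this page); it assumes a Python export routine and uses a constructed sample row whose display name is a classic DDE payload:

```python
import csv
import io

# Leading characters that make Excel and LibreOffice treat a cell as a
# formula when the CSV is opened. Tab and carriage return are included
# because some importers strip leading whitespace before detection.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as text.

    A string starting with a formula trigger is prefixed with a single
    quote, which spreadsheets read as "treat as text". Real numbers
    (e.g. a negative balance) are left alone: they are data, not text
    beginning with '-', and prefixing them would corrupt the export.
    """
    if isinstance(value, (bool, int, float)):
        return str(value)
    if value is None:
        return ""
    value = str(value)
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows):
    """Write rows to a CSV string with every cell neutralized and quoted.

    QUOTE_ALL keeps a separator or newline inside attacker-controlled
    text from starting a new field, so the neutralizing quote stays at
    the front of the whole cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample (hypothetical accounts): one display name is a DDE
# payload, one is text that merely starts with '-', one is a real number.
SAMPLE_ROWS = [
    ["username", "display_name", "balance"],
    ["mallory", "=cmd|' /C calc'!A0", -12.5],
    ["alice", "-Alice-", 3],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```

The single-quote prefix is visible to whoever opens the file, which is the accepted trade-off: the alternative of stripping the leading character silently alters data. Apply the same neutralization to every export path that ends up in a spreadsheet, including analytics downloads, not only the one the report names.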
Security Bulletin: IBM API Connect Developer Portal is vulnerable to Server Side Request Forgery (CVE-2018-1712)
Summary IBM API Connect has addressed the following vulnerability. IBM API Connect Developer Portal is vulnerable to Server Side Request Forgery. An attacker, using specially crafted input parameters can trick the server into making potentially malicious calls within the trusted network...
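The practical guard against this kind of SSRF is to validate the destination before the server connects: allow only http(s), refuse embedded credentials, resolve the host and reject any address that is not globally routable, then connect to the vetted address rather than re-resolving. The block below is an added example, not IBM's fix; it assumes a Python fetch path and ships with a constructed DNS table (FAKE_DNS, fake_resolver) so it runs offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    Rejects RFC 1918, loopback, link-local (which covers the
    169.254.169.254 cloud metadata endpoint), CGNAT, multicast and
    unspecified addresses.
    """
    addr = ipaddress.ip_address(ip_text)
    return addr.is_global and not addr.is_multicast


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Validate a user-supplied URL before the server fetches it.

    Returns the sorted list of resolved IPs, all public, so the caller
    can connect to one of them instead of resolving the name a second
    time (a second lookup could be rebound to an internal address).
    Raises ValueError describing the first policy violation.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # .port itself raises ValueError for a non-numeric or out-of-range port
    port = parts.port or (443 if scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise ValueError(f"no addresses for {host!r}")
    for ip in ips:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return ips


def is_safe_url(url, resolver=socket.getaddrinfo):
    """Boolean wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table standing in for real resolution (hypothetical names).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata": ["169.254.169.254"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # one private answer is enough to reject
}


def fake_resolver(host, port, family=0, type=0, proto=0, flags=0):
    """getaddrinfo-shaped lookup against FAKE_DNS; IP literals resolve to themselves."""
    if host in FAKE_DNS:
        ips = FAKE_DNS[host]
    else:
        try:
            ips = [str(ipaddress.ip_address(host))]
        except ValueError:
            raise socket.gaierror(f"Name or service not known: {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port)) for ip in ips]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items", "http://metadata/latest/meta-data/"):
        print(u, "->", "allowed" if is_safe_url(u, fake_resolver) else "blocked")
```

Two caveats the check alone does not cover: the HTTP client must not follow redirects automatically (a public host can 302 to an internal address, so each hop has to be re-validated), and it must connect to the returned IP rather than the hostname, otherwise the resolve-then-connect gap can be exploited by DNS rebinding.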
GHSA-37Q6-576Q-VGR7 Missing Origin Validation in parcel-bundler
Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated...
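The check the advisory says was missing is a comparison of the handshake's Origin header against the origins the dev server actually serves from. Below is an added example of that check, written in Python and not parcel-bundler's own (JavaScript) fix; the header dict and allowed-origin list are assumptions standing in for whatever the websocket library hands the server:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_origin(value):
    """Parse an Origin value into (scheme, host, port), or None if unusable.

    The opaque origin "null" (sandboxed iframes, file:// pages), a missing
    value, a non-http(s) scheme and an unparsable port all yield None.
    Default ports are filled in so "http://localhost" == "http://localhost:80".
    """
    if value is None or value.strip().lower() == "null":
        return None
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for "1234.attacker.example"-style tricks
    except ValueError:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def hmr_upgrade_allowed(request_headers, allowed_origins):
    """Decide whether a websocket Upgrade request may join the HMR server.

    request_headers: dict of header name -> value, names in any case.
    allowed_origins: origins the dev server is reachable at (hypothetical list).
    Browsers always send Origin on websocket handshakes, so a missing
    header is rejected rather than waved through.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = canonical_origin(headers.get("origin"))
    if origin is None:
        return False
    allowed = {canonical_origin(o) for o in allowed_origins} - {None}
    return origin in allowed


# Constructed sample: what a local parcel-style dev server might allow.
DEV_ORIGINS = ["http://localhost:1234", "http://127.0.0.1:1234"]

if __name__ == "__main__":
    for hdrs in ({"Origin": "http://localhost:1234"},
                 {"Origin": "http://attacker.example"},
                 {}):
        print(hdrs, "->", hmr_upgrade_allowed(hdrs, DEV_ORIGINS))
```

Rejecting a missing Origin is the right default for a developer tool only reached from a browser; a non-browser client that legitimately needs the socket should be given its own explicit allow entry rather than a blanket exception.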
TIBCO Security Advisory: November 6, 2018 - TIBCO ActiveSpaces
TIBCO ActiveSpaces Administrative Daemon Vulnerable to CSRF Attacks. Original release date: November 6, 2018. CVE: CVE-2018-12411. Source: TIBCO Software Inc....
Security Bulletin: IBM API Connect is affected by Foreshadow Spectre Variant vulnerability (CVE-2018-3646 CVE-2018-3615 CVE-2018-3620)
Summary API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2018-3646 DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain sensitive information, caused by a flaw in the CPU speculative branch instruction execution feature. By conducting...
JVN#59394343: Multiple vulnerabilities in OpenDolphin
OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below. Privilege escalation - CVE-2018-16161

Version | Vector | Score
--- | --- | ---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Base Score: 8.8
CVSS v2 | AV:N/AC:L/AU:S/C:P/I:P/A:P | Base...
Apache Spark Information Disclosure Vulnerability
Apache Spark is a large-scale data processing engine from the Apache Software Foundation that supports acyclic data flow and in-memory computation. The Apache Spark Maven-based build is the variant built with Maven. A security vulnerability exists in Apache Spark Maven-based build versions 1.3.x...
[SECURITY] Fedora 28 Update: python26-2.6.9-17.fc28
Python 2.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 2.6, see other distributions that support it, such as CentOS or RHEL 6...
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A...
Micro Focus Enterprise Developer Denial of Service Vulnerability
Micro Focus Enterprise Developer and Enterprise Server are both products of Micro Focus, a British company. Micro Focus Enterprise Developer is an integrated development environment for mainframe applications. Enterprise Server is a production deployment platform for...
Null pointer dereference (CVE-2018-12469)
Incorrect handling of an invalid value for an HTTP request parameter by Directory Server aka Enterprise Server Administration web UI in Micro Focus Enterprise Developer and Enterprise Server 2.3 Update 2 and earlier, 3.0 before Patch Update 12, and 4.0 before Patch Update 2 causes a null pointer...
Mikrotik RouterOS Remote Root
Exploit Title: RouterOS Remote Rooting. Date: 10/07/2018. Exploit Author: Jacob Baines. Vendor Homepage: www.mikrotik.com. Software Link: https://mikrotik.com/download. Version: Longterm 6.30.1 - 6.40.7, Stable 6.29 - 6.42, Beta 6.29rc1 - 6.43rc3. Tested on: RouterOS (various). CVE: CVE-2018-14847. By...
Empowering Developers: How Unfiltered Data and Custom Integrations Became a Foundation for Carbon Black
Today, we’re hosting our first-ever Developer Day from the sold-out CbConnect18 conference in New York. The day features in-depth, technical workshops to accelerate developers’ ability to extend Carbon Black’s open cloud platform to improve the security stack. The way I see it, this day is years ...
From Now On, Only Default Android Apps Can Access Call Log and SMS Data
A few hours ago the company announced its "non-shocking" plans to shut down Google+ social media network following a "shocking" data breach incident. Now to prevent abuse and potential leakage of sensitive data to third-party app developers, Google has made several significant changes giving user...
KLA11330 Multiple vulnerabilities in Microsoft Developer Tools
Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information. Below is a complete list of vulnerabilities: 1. A memory corruption vulnerability in Azure IoT Device Client SDK can be...
Uber: Client secret, server tokens for developer applications returned by internal API
@appsecurein identified an internal API for https://riders.uber.com that could return clientsecret and server token for applications authorized by the account owner to access their Uber account. We restricted the data returned by this endpoint. Thanks for bringing this to our attention,...