
3296 matches found

OSV
added 2019/06/17 8:15 p.m. | 3 views

CVE-2017-9389

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interfa...

8.8 CVSS | 6 AI score
Exploits 0 | References 3

NVD
added 2019/06/17 8:15 p.m. | 10 views

CVE-2017-9389

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interfa...

9 CVSS | 8.9 AI score | 0.06444 EPSS
Exploits 1 | References 3

Prion
added 2019/06/17 8:15 p.m. | 8 views

Code injection

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interfa...

9 CVSS | 7.5 AI score | 0.06444 EPSS
Exploits 1 | References 3 | Affected Software 2

Cvelist
added 2019/06/17 7:26 p.m. | 18 views

CVE-2017-9389

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interfa...

8.9 AI score | 0.06444 EPSS
Exploits 1 | References 3

CVE
added 2019/06/17 7:26 p.m. | 61 views

CVE-2017-9389

CVE-2017-9389 affects Vera VeraEdge (1.7.19) and Veralite (1.7.481). The web UI allows users to install and write Lua applications without authentication. A POST carries user-provided Lua code to the LuaUPNP daemon, which handles it in LU::JobHandler_LuaUPnP::RunLua and passes the code to LU::Lua...

9 CVSS | 8.8 AI score | 0.06444 EPSS
Exploits 1 | References 3 | Affected Software 1

Malwarebytes
added 2019/05/31 5:32 p.m. | 173 views

Hidden Bee: Let’s go down the rabbit hole

Some time ago, we discussed the interesting malware, Hidden Bee. It is a Chinese miner, composed of userland components, as well as of a bootkit part. One of its unique features is a custom format used for some of the high-level elements this format was featured in my recent presentation at SAS...

7.3 AI score
Exploits 0

BDU FSTEC
added 2019/05/16 12:0 a.m. | 2 views

The vulnerability of the cmsgpack library in the Lua subsystem of the Redis database management system allows attackers to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the cmsgpack library in the Lua subsystem of the Redis database management system arises due to an overflow of the buffer on the stack. Exploiting this vulnerability allows a remote attacker to compromise the confidentiality, integrity, and accessibility of the protected...

10 CVSS | 7.7 AI score | 0.83 EPSS
Exploits 1 | References 5 | Affected Software 2

BDU FSTEC
added 2019/05/16 12:0 a.m. | 2 views

The vulnerability of the struct library in the Lua subsystem of the Redis database management system allows attackers to compromise the confidentiality, integrity, and accessibility of the protected information.

Vulnerability of the struct library in the Lua subsystem of the Redis database management system. Exploiting this vulnerability could allow a malicious actor to compromise the confidentiality, integrity, and accessibility of the protected information...

10 CVSS | 7.1 AI score | 0.02795 EPSS
Exploits 1 | References 6 | Affected Software 2

OpenVAS
added 2019/05/07 12:0 a.m. | 72 views

Fedora Update for lua FEDORA-2019-ee57bda7ae

The remote host is missing an update for the Copyright C 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5 CVSS | 6.5 AI score | 0.00904 EPSS
Exploits 5 | References 2

BDU FSTEC
added 2019/05/06 12:0 a.m. | 1 views

The vulnerability of the Dr.Web Enterprise Security Suite, an anti-virus protection tool, lies in the lack of restrictions on writing, reading, and creating files within the server folder. This allows attackers to execute arbitrary Lua scripts.

The vulnerability of the Dr.Web Enterprise Security Suite antivirus protection lies in the absence of restrictions on writing, reading, and creating files within the server’s directory. Exploiting this vulnerability allows a malicious actor to execute arbitrary Lua scripts without the need for th...

7.1 CVSS | 5.8 AI score
Exploits 0 | Affected Software 1

OSV
added 2019/04/09 9:29 p.m. | 3 views

CVE-2019-0805

An elevation of privilege vulnerability exists when Windows improperly handles calls to the LUAFV driver luafv.sys, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0836, CVE-2019-0841...

7.8 CVSS | 7 AI score | 0.00303 EPSS
Exploits 2 | References 3

Tenable Nessus
added 2019/04/09 12:0 a.m. | 43 views

Ubuntu 16.04 LTS / 18.04 LTS : Lua vulnerability (USN-3941-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3941-1 advisory. Fady Othman discovered that Lua incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. Tenable h...

7.5 CVSS | 6.7 AI score | 0.00904 EPSS
Exploits 5 | References 2

OSV
added 2019/04/08 4:58 p.m. | 0 views

USN-3941-1 lua5.3 vulnerability

Fady Othman discovered that Lua incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service...

7.5 CVSS | 6.8 AI score | 0.00904 EPSS
Exploits 5 | References 2

Tenable Nessus
added 2019/03/27 12:0 a.m. | 35 views

openSUSE Security Update : redis (openSUSE-2019-481)

This update for redis to 4.0.10 fixes the following issues : These security issues were fixed : - CVE-2018-11218: Prevent heap corruption vulnerability in cmsgpack bsc1097430. - CVE-2018-11219: Prevent integer overflow in Lua scripting bsc1097768. For Leap 42.3 and openSUSE SLE 12 backports this ...

9.8 CVSS | 7.8 AI score | 0.83 EPSS
Exploits 2 | References 7

Tenable Nessus
added 2019/03/27 12:0 a.m. | 38 views

openSUSE Security Update : haproxy (openSUSE-2019-824)

This update for haproxy to version 1.8.14 fixes the following issues : These security issues were fixed : - CVE-2018-14645: A flaw was discovered in the HPACK decoder what caused an out-of-bounds read in hpackvalididx that resulted in a remote crash and denial of service bsc1108683 -...

7.5 CVSS | 6.7 AI score | 0.00225 EPSS
Exploits 0 | References 5

Hacker One
added 2019/03/21 4:53 p.m. | 27 views

Mail.ru: touch.mail.ru / e.mail.ru memory content disclosure

An invalid handling of NUL byte in API request led to disclosure of HTTP server memory region. The root cause of this bug is tracked to nginx+openresty. An advisory is below: Insecure implementation of nginx rewrite / OpenResty ngx.req.seturi + memory content leak in nginx. OpenResty is LUA engin...

0.1 AI score
Exploits 0

CNVD
added 2019/03/20 12:0 a.m. | 2 views

CUJO Smart Firewall Code Injection Vulnerability

CUJO Smart Firewall is a home smart firewall device from CUJO USA. A code injection vulnerability exists in the Safe Browsing feature in the CUJO Smart Firewall using firmware version 7003. An attacker can exploit this vulnerability by sending an HTTP request to execute arbitrary Lua scripts in t...

10 CVSS | 8 AI score | 0.0041 EPSS
Exploits 1 | References 1

Talos Blog
added 2019/03/19 8:0 a.m. | 167 views

Vulnerability Spotlight: Multiple Vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud

Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Executive summary CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11...

9.3 CVSS | 1 AI score | 0.03509 EPSS
Exploits 10

Talos
added 2019/03/19 12:0 a.m. | 132 views

CUJO Smart Firewall threatd hostname reputation check code execution vulnerability

Summary An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement...

10 CVSS | 9.2 AI score | 0.0041 EPSS
Exploits 1

OSV
added 2019/03/15 4:29 p.m. | 1 views

CVE-2018-19391

Cobham Satcom Sailor 250 and 500 devices before 1.25 contained persistent XSS, which could be exploited by an unauthenticated threat actor via the /index.lua?pageID=Phone%20book name field...

6.1 CVSS | 5.8 AI score | 0.00373 EPSS
Exploits 1 | References 2