IBM AIX nslookup fails to drop root privileges
Overview The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. Description The nslookup program fails to drop the privileges it gains from being setuid. This access appears to be needed to read the "/etc/resolv.conf" file. This problem was described in I...
SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies
Overview A vulnerability has been found in the way that SMTP servers and software handle the end-of-data sequences (essentially the end of a single email message) in mail messages. An attacker can use this inconsistency to craft an email message that can bypass SMTP security policies. Description...
HPE SiteScope contains multiple vulnerabilities
Overview HPE's SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication. Description HPE's SiteScope contains several vulnerabilities. The researcher reports that version 11.31.461 is affected; other versions may also be...
mDNSResponder contains multiple memory-based vulnerabilities
Overview mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder version 379.27 and above prior to version 625.41.2 is vulnerable to several buffer overflow vulnerabilities, as well as a null pointer dereference. Description CWE-120:...
Wyse ThinOS LPD service buffer overflow vulnerability
Overview Wyse ThinOS HF 4.4.079i has a buffer overflow vulnerability in the LPD service 515/tcp. Description The LPD service 515/tcp on Wyse ThinOS HF 4.4.079i crashes when a long buffer is sent to it. This condition may exist in all versions before Wyse ThinOS 6.5. --- Impact An attacker can cau...
Java Deployment Toolkit insufficient argument validation
Overview The Sun Java Deployment Toolkit plugin and ActiveX control perform insufficient argument validation, allowing an attacker to perform several attacks, including the execution of an arbitrary JAR file. Description The Sun Java Deployment Toolkit contains an NPAPI Netscape compatible plugin...
Microsoft Windows Internet Printing Protocol service integer overflow
Overview The Microsoft Windows Internet Printing Protocol IPP service contains an integer overflow vulnerability, which can allow a remote attacker to execute arbitrary code on a vulnerable system. Description IPP is an IP-based network protocol that allows remote printing and printer management...
Adobe Reader EScript.api arbitrary code execution
Overview The Adobe Acrobat Reader contains a vulnerability that may allow an attacker to execute arbitrary code. Description Adobe Acrobat Reader is software designed to view Portable Document Format PDF files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files insi...
CREDANT Mobile Guardian Shield fails to remove credentials from memory
Overview CREDANT Mobile Guardian Shield fails to properly remove credentials from memory, which may allow an attacker to obtain access to the Windows domain and encrypted drive contents. Description CREDANT Mobile Guardian CMG Shield is a component of Mobile Guardian Enterprise Edition. CMG Shiel...
Apple ColorSync buffer overflow vulnerability
Overview Apple ColorSync contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code. Description ColorSync is Apple's color management API. OS X applications and devices can use ColorSync profiles to determine how colors in images should be interpreted. ColorSync...
WMI Object Broker ActiveX Control bypasses ActiveX security model
Overview The Microsoft WMI Object Broker ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description ActiveX ActiveX is a technology that allows programmers to create reusable software...
Microsoft Plug and Play fails to properly validate user supplied data
Overview Microsoft Plug and Play contains a flaw in message buffer handling that may result in local or remote arbitrary code execution or a denial-of-service condition. Description The following is from the Microsoft Plug and Play description: Plug and Play PnP allows the operating system to...
EMC Legato NetWorker database services use insufficient authentication
Overview The EMC Legato NetWorker database services use weak authentication, allowing a remote attacker to gain root access to the server. Description EMC Legato NetWorker is a cross-platform backup and recovery application. It is also repackaged by Sun Microsystems as Solstice Backup and StorEdg...
Microsoft Windows logon process contains a buffer overflow during the logon process
Overview The Windows Logon process Winlogon contains a vulnerability that may permit a remote attacker to execute arbitrary code on the system. Description The Windows logon process Winlogon contains a buffer overflow vulnerability during the processing of the domain value. It fails to perform...
Microsoft Private Communication Technology (PCT) fails to properly validate message inputs
Overview A vulnerability exists in the Private Communications Transport PCT protocol, which is part of the Microsoft Secure Sockets Layer SSL library. Exploitation of this vulnerability may permit a remote attacker to compromise the system. An exploit for this issue currently being used to...
OpenSSL contains multiple buffer overflows in buffers that are used to hold ASCII representations of integers
Overview OpenSSL is an open-source implementation of the Secure Sockets Layer SSL protocol. There is a buffer overflow on 64-bit platforms related to the ASCII representation of integers. Description OpenSSL clients and servers running on 64-bit platforms prior to version 0.9.6e and pre-release...
Sciener firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks
Overview Sciener is a company that develops software and hardware for electronic locks that are marketed under many different brands. Their hardware works in tandem with an app, called the TTLock app, which is also produced by Sciener. The TTLock app utilizes Bluetooth connections to connect to...
Silicon Labs Z-Wave chipsets contain multiple vulnerabilities
Overview Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. Description Z-Wave devices based on Silicon Labs chipsets...
Diebold Nixdorf ProCash 2100xe USB ATM does not adequately secure communications between CCDM and host
Overview Diebold Nixdorf 2100xe USB automated teller machines ATMs are vulnerable to physical attacks on the communication channel between the cash and check deposit module CCDM and the host computer. An attacker with physical access to internal ATM components may be able to exploit this...
Microsoft Windows DNS servers are vulnerable to heap overflow
Overview Microsoft Windows DNS servers are vulnerable to heap overflow attacks, enabling unauthenticated attackers to send malicious requests to affected servers. Description CWE-122: Heap-based Buffer Overflow - CVE-2018-8626 Microsoft Windows Domain Name System DNS servers are vulnerable to heap...
McAfee VirusScan Enterprise for Windows scriptproxy COM object memory corruption vulnerability
Overview McAfee VirusScan Enterprise for Windows scriptproxy COM object contains a memory corruption vulnerability. Description According to the reporter, McAfee VirusScan Enterprise for Windows version 8.7i through at least 8.8 patch 7 contains a scriptproxy COM object that is vulnerable to the...
Commvault Edge Server deserializes cookie data insecurely
Overview Commvault Edge Server, version 10 R2, deserializes untrusted, user-provided cookie data, resulting in arbitrary OS command execution with the web server's privileges. Description CWE-502: Deserialization of Untrusted Data - CVE-2015-7253 Commvault Edge Server, version 10 R2, deserializes...
Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery
Overview The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. CWE-352 Description The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. CWE-352 A remote attacker that is able to trick a us...
Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32
Overview Wyse Simple Imager WSI includes an older version of TFTPD32 that contains publicly known vulnerabilities. An attacker could exploit these vulnerabilities to potentially execute arbitrary code on the system running WSI and TFTPD32. Description Wyse Simple Imager WSI is a component o...
ISC BIND denial of service vulnerability
Overview A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system. Description The Berkeley Internet Name Domain BIND is a popular Domain Name System DNS implementation from Internet Systems Consortium ISC. BIND version 9.4.0...
Ethereal contains multiple vulnerabilities in the IGAP protocol dissector
Overview Ethereal contains multiple buffer overflows in the Internet Group Membership Authentication Protocol IGAP protocol dissector. These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code. Description Ethereal is a network traffic analysis package. It...
Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization
Overview Secure shell SSH transport layer protocol implementations from different vendors contain multiple vulnerabilities in code that handles key exchange and initialization. Both SSH servers and clients are affected. A remote attacker could execute arbitrary code with the privileges of the SSH...
Microsoft Outlook View Control allows execution of arbitrary code and manipulation of user data
Overview A vulnerability exists in an ActiveX control supplied with Microsoft Outlook 2002 that could allow malicious code on a web page or in an HTML email message to manipulate Outlook data or execute arbitrary code as the user running Outlook. Description Microsoft Outlook 2002 installs an...
Multiple D-Link routers vulnerable to remote command execution
Overview Multiple D-Link routers are vulnerable to unauthenticated remote command execution. Description Several D-Link routers contain CGI capability that is exposed to users as /applysec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws: 1. The...
Telerik Analytics Monitor Library allows DLL hijacking
Overview Telerik Analytics Monitor Library is a third-party application analytics service that collects detailed application metrics for vendors. Some versions of the Telerik library allow DLL hijacking, allowing an attacker to load malicious code in the context of the Telerik-based application...
Dell KACE K2000 Appliance contains backdoor administrator account
Overview The Dell KACE K2000 System Deployment Appliance contains a hidden administrator account that could allow a remote attacker to take control of an affected device. Description The Dell KACE K2000 Deployment Appliance is an integrated systems provisioning product for large-scale operating...
GNU libc regcomp() stack exhaustion denial of service
Overview The regcomp function of GNU libc is susceptible to stack exhaustion which may result in a denial of service. Description It is possible to trigger deep recursion which results in stack exhaustion. An example trigger is: grep -E ".10,10,10,10,10," --- Impact An attacker may be able to...
TCP may keep its offered receive window closed indefinitely (RFC 1122)
Overview Part of the Transmission Control Protocol TCP specification RFC 1122 allows a receiver to advertise a zero byte window, instructing the sender to maintain the connection but not send additional TCP payload data. The sender should then probe the receiver to check if the receiver is ready ...
OpenOffice.org may fail to properly contain certain Java applets
Overview The OpenOffice.org team has reported a vulnerability in how the 1.1 and 2.0 versions of OpenOffice.org handle certain Java applets. Description OpenOffice.org is an office suite that is available for multiple operating systems, including Windows, Linux, Apple Mac OS X, and BSD. It includ...
Microsoft Distributed Transaction Coordinator vulnerable to buffer overflow via specially crafted network message
Overview Microsoft Distributed Transaction Coordinator MSDTC may be vulnerable to a flaw that allows remote unauthenticated attackers to execute arbitrary code. Description The Microsoft Distributed Transaction Coordinator MSDTC is described by Microsoft as "distributed transaction facility for...
Mozilla Firefox executes JavaScript in the "IconURL" parameter of "InstallTrigger.install()" with chrome privileges
Overview Mozilla Firefox may execute JavaScript contained within the IconURL parameter of InstallTrigger.install with chrome privileges. This may allow an attacker to execute arbitrary commands on a vulnerable system. Description XPInstall XPInstall is a cross-platform software installation method...
Microsoft CIS and RPC over HTTP Proxy components fail to properly handle responses
Overview A vulnerability in a Microsoft HTTP Proxy component may lead to a denial of service. Description Microsoft's COM Internet Services CIS and Remote Procedure Call RPC over HTTP Proxy contain a vulnerability that could permit an attacker to cause a denial of service. When a forwarded request...
Yahoo! Audio Conferencing ActiveX control vulnerable to buffer overflow
Overview A remotely exploitable buffer overflow vulnerability has been discovered in the Yahoo! Audio Conferencing ActiveX control. Description The Yahoo! Audio Conferencing ActiveX control is used in the web-based Yahoo! Chat service, as well as in the Win32 Yahoo! Messenger application. There i...
IIS decodes filenames superfluously after applying security checks
Overview Microsoft IIS decodes filenames after applying security checks, allowing an attacker to execute commands. Description To accommodate complex URIs, RFC 2396 specifies a means to encode arbitrary octets using hexadecimal characters and the percent sign %. Quoting from RFC 2396: An escaped...
HHControl Object (showHelp) may execute shortcuts embedded in help files
Overview The HHCtrl ActiveX control has a serious vulnerability that allows remote intruders to execute arbitrary code, if the intruder can cause a compiled help file CHM to be stored "locally." Microsoft has released a security bulletin and a patch for this vulnerability, but the patch does not...
RADIUS protocol susceptible to forgery attacks
Overview A vulnerability in the RADIUS protocol allows an attacker to forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This vulnerability results from a cryptographically insecure integrity check when validating...
Space Coast Credit Union SCCU Mobile for Android and iPhone fails to properly validate SSL certificates
Overview Space Coast Credit Union SCCU Mobile for Android, version 2.1.0.1104 and earlier, and for iOS, version 2.2 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle MITM attacks. Description CWE-295:...
Huawei Mobile WiFi E5151 and E5186 routers use insufficiently random values for DNS queries
Overview Huawei Mobile WiFi E5151, firmware version 21.141.13.00.1080, and E5186, firmware version V200R001B306D01C00, use insufficiently random values for DNS queries and are vulnerable to DNS spoofing attacks. Description CWE-330: Use of Insufficiently Random Values - CVE-2015-8265 Huawei Mobile...
Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities
Overview Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N, firmware version 5.07.50 and possibly earlier, uses non-unique default credentials and is vulnerable to universal authentication bypass and cross-site request forgery CSRF. Description CWE-255: Credentials Management -...
Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters
Overview The Ruby on Rails Action Pack framework is susceptible to authentication bypass, SQL injection, arbitrary code execution, or denial of service. Description The Ruby on Rails advisory states: "Multiple vulnerabilities in parameter parsing in Action Pack There are multiple weaknesses in the...
OpenSSL leaks ECDSA private key through a remote timing attack
Overview The OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves...
SwiftView ActiveX control and plug-in stack buffer overflow
Overview The SwiftView ActiveX control and plug-in contain a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description SwiftView is software used to view or print PCL, HPGL, and TIFF files. SwiftSend is a product used f...
Java Runtime Environment Image Parsing Code buffer overflow vulnerability
Overview The Sun Java Runtime Environment contains a buffer overflow vulnerability that may allow an attacker to execute code or read local files. Description The Java Runtime Environment JRE is a group of software packages from Sun Microsystems that allow a computer to access and use Java...
OpenSSL SSLv2 client code fails to properly check for NULL
Overview A flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application. Description The OpenSSL toolkit implements the Secure Sockets Layer SSL versions 2 and 3 and Transport Layer Security TLS version 1 protocols as well as a general purpose...
VERITAS Backup Exec uses hard-coded authentication credentials
Overview The VERITAS Backup Exec Remote Agent uses hard-coded authentication credentials. An attacker with knowledge of these credentials could access arbitrary files on a vulnerable system. Description VERITAS Backup Exec Remote Agent is a data backup and recovery solution with support for...