3702 matches found
InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM
Overview The InsydeH2O Hardware-2-Operating System H2O UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode SMM. Description UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a...
Samba vfs_fruit module insecurely handles extended file attributes
Overview The Samba vfsfruit module allows out-of-bounds heap read and write via extended file attributes CVE-2021-44142. This vulnerability allows a remote attacker to execute arbitrary code with root privileges. Description The Samba vfsfruit module uses extended file attributes EA, xattr to...
McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location
Overview McAfee Agent contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files. Description CVE-2022-0166 McAfee Agent, which comes with various McAfee products such as McAfee...
Silicon Labs Z-Wave chipsets contain multiple vulnerabilities
Overview Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. Description Z-Wave devices based on Silicon Labs chipsets...
Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass
Overview Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured...
Apache Log4j allows insecure JNDI lookups
Overview Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j. CISA has published Apache Log4j Vulnerability Guidance and provides a Software List. Description Th...
Compilers permit Unicode control and homoglyph characters
Overview Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers,...
Salesforce DX command line interface (CLI) does not adequately protect sfdxurl credentials
Overview The default security configuration in Salesforce allows an authenticated user with the Salesforce-CLI to create URL that will allow anyone, anywhere access to the Salesforce GUI with the same administrative credentials without a log trace of access or usage of the API. Description The...
NicheStack embedded TCP/IP has vulnerabilities
Overview HCC Embedded's software called InterNiche stack NicheStack and NicheLite, which provides TCP/IP networking capability to embedded systems, is impacted by multiple vulnerabilities. The Forescout and JFrog researchers who discovered this set of vulnerabilities have identified these as...
HTTP Request Smuggling in Web Proxies
Overview HTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling. Description The affected systems allow invalid characters such as carriage return and newline characters in HTTP/2 headers. When an attacker passes these...
Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks
Overview Microsoft Windows Active Directory Certificate Services AD CS by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory. Description PetitPotam is a tool to force Windows hosts to authenticate to other...
Arcadyan-based routers and modems vulnerable to authentication bypass
Overview A path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration. Description The...
Microsoft Windows 10 gives unprivileged user access to system32\config files
Overview Multiple versions of Windows 10 grant non-administrative users read access to files in the %windir%\system32\config directory. This can allow for local privilege escalation LPE. Description With multiple versions of Windows 10, the BUILTIN\Users group is given RX permissions to files in...
Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files
Overview Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process. Description...
Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()
Overview The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Description The...
Checkbox Survey insecurely deserializes ASP.NET View State data
Overview Checkbox Survey prior to version 7.0 insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server. Description CVE-2021-27852 Checkbox Survey insecurely deserializes ASP.NET View State data. Checkbox...
Pulse Connect Secure Samba buffer overflow
Overview Pulse Connect Secure PCS gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code. Description CVE-2021-22908 PCS includes the ability to connect to Windows file shares SMB. This capability is provide...
Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure
Overview Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. Description The Bluetooth Core Specification and Mesh Profile Specification are t...
MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location
Overview MySQL for Windows contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. Description CVE-2021-2307 MySQL includes an OpenSSL component that specifies an OPENSSLDIR variable as a...
Pulse Connect Secure contains a use-after-free vulnerability
Overview Pulse Connect Secure PCS gateway contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code. Description CVE-2021-22893 A use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote,...
Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs
Overview Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. Description The Atlassian Bitbucket Windows installer fails to set a secure access-control list ACL on the default installation directory,...
Siemens Totally Integrated Automation Portal vulnerable to privilege escalation due to Node.js paths
Overview Siemens Totally Integrated Administrator TIA fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected...
Sudo set_cmd() is vulnerable to heap-based buffer overflow
Overview A heap-based overflow has been discovered in the setcmd function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges. Description From the Sudo Main Page: Sudo su "do" allows a system administrator to delegate authority to give certain use...
Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs
Overview Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. Description The Adobe ColdFusion installer fails to set a secure access-control list ACL on the default installation directory, such as...
Dnsmasq is vulnerable to memory corruption and cache poisoning
Overview Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment...
SolarWinds Orion API authentication bypass allows remote command execution
Overview The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands. Description The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the...
Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location
Overview Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. Description CVE-2019-1552 Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLD...
Embedded TCP/IP stacks have memory corruption vulnerabilities
Overview Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things IoT and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU96491057 as well as the name AMNESIA:33...
VMware Workspace ONE Access and related components are vulnerable to command injection
Overview VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system...
Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks
Overview The Replay Protected Memory Block RPMB protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area. Description...
Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location
Overview Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. Description CVE-2020-10143 Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR...
Chocolatey Boxstarter is vulnerable to privilege escalation due to weak ACLs
Overview Chocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. Description CVE-2020-15264 The Chocolatey Boxstarter installer fails to set a secure access-control list ACL on the...
Acronis backup software contains multiple privilege escalation vulnerabilities
Overview Acronis True Image, Cyber Backup, and Cyber Protection all contain privilege escalation vulnerabilities, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. Description CVE-2020-10138 Acronis Cyber Backup 12.5 and Cyber Protect 15 include...
Microsoft Windows Netlogon Remote Protocol (MS-NRPC) uses insecure AES-CFB8 initialization vector
Overview The Microsoft Windows Netlogon Remote Protocol MS-NRPC reuses a known, static, zero-value initialization vector IV in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator...
IPTV encoder devices contain multiple vulnerabilities
Overview Multiple vulnerabilities exist in various Video Over IP Internet Protocol encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system...
Devices supporting Bluetooth BR/EDR and LE using CTKD are vulnerable to key overwrite
Overview Devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation CTKD for pairing are vulnerable to key overwrite, which enables an attacker to to gain additional access to profiles or services that are not restricted by reducing the encryption key strength or...
Diebold Nixdorf ProCash 2100xe USB ATM does not adequately secure communications between CCDM and host
Overview Diebold Nixdorf 2100xe USB automated teller machines ATMs are vulnerable to physical attacks on the communication channel between the cash and check deposit module CCDM and the host computer. An attacker with physical access to internal ATM components may be able to exploit this...
NCR SelfServ ATM BNA contains multiple vulnerabilities
Overview NCR SelfServ automated teller machines ATMs running APTRA XFS 04.02.01 and 05.01.00 are vulnerable to physical attacks on the communications bus between the host computer and the bunch note accepter BNA. Description NCR ATM SelfServ devices running APTRA XFS 04.02.01 and 05.01.00 contain...
NCR SelfServ ATM dispenser software contains multiple vulnerabilities
Overview NCR SelfServ automated teller machines ATMs running APTRA XFS 05.01.00 or older are vulnerable to physical attacks on the communications bus between the currency dispenser component and the host computer. Description NCR SelfServ ATMs running APTRA XFS 05.01.00 or older contain...
GRUB2 bootloader is vulnerable to buffer overflow
Overview The GRUB2 boot loader is vulnerable to buffer overflow, which results in arbitrary code execution during the boot process, even when Secure Boot is enabled. Description GRUB2 is a multiboot boot loader that replaced GRUB Legacy in 2012. A boot loader is the first program that runs upon...
F5 BIG-IP contains multiple vulnerabilities including unauthenticated remote command execution
Overview F5 BIG-IP provides a Traffic Management User Interface TMUI, also referred to as the Configuration utility, that has multiple vulnerabilities including a remotely exploitable command injection vulnerability that can be used to execute arbitrary commands and subsequently take control of a...
Netgear httpd upgrade_check.cgi stack buffer overflow
Overview Multiple Netgear devices contain a stack buffer overflow in the httpd web server's handling of upgradecheck.cgi, which may allow for unauthenticated remote code execution with root privileges. Description Many Netgear devices contain an embedded web server, which is provided by the httpd...
Treck IP stacks contain multiple vulnerabilities
Overview Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20. Description Treck IP network stack software is designed for and used in a variety of embedded systems. T...
Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations
Overview The Universal Plug and Play UPnP protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality. Description The UPnP protocol, as specified by the Open Connectivity Foundation OCF, is designed to provide automatic...
IP-in-IP protocol routes arbitrary traffic by default
Overview IP Encapsulation within IP RFC2003 IP-in-IP can be abused by an unauthenticated attacker to unexpectedly route arbitrary network traffic through a vulnerable device. Description IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows for IP packets to be...
iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the XNU kernel lio_listio() function
Overview iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the GNU kernel's liolistio function, which can allow a malicious application to achieve unsandboxed, kernel-level code execution. Description iOS, iPadOS, tvOS, watchOS, and macOS contain an a double-free...
Bluetooth devices supporting LE and specific BR/EDR implementations are vulnerable to method confusion attacks
Overview Bluetooth Low Energy BLE and Basic Rate / Enhanced Data Rate BR/EDR Core Configurations are used for low-power short-range communications. To establish an encrypted connection, two Bluetooth devices must pair with each other using an agreed upon Association Model. It is possible for an...
Bluetooth devices supporting BR/EDR are vulnerable to impersonation attacks
Overview Bluetooth Basic Rate / Enhanced Data Rate BR/EDR Core Configurations are used for low-power short-range communications. To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key. It is possible for an unauthenticated, adjacent attacker to...
Samsung Qmage codec for Android Skia library does not properly validate image files
Overview The Samsung Qmage codec used in the Android Skia library does not properly validate image files. A number of memory corruption vulnerabilities allow an attacker to execute arbitrary code by causing a vulnerable system to parse a Qmage file. Description The Samsung May 2020 Android Securi...
Periscope BuySpeed is vulnerable to stored cross-site scripting
Overview Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript. Description Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed...