3702 matches found
Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities
Overview The Vertiv Avocent Universal Management Gateway Model UMG-4000 is a data center management appliance. The web interface of the UMG-4000 is vulnerable to command injection, stored cross-site scripting XSS, and reflected XSS, which may allow an authenticated attacker with administrative...
Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting
Overview The Versiant LYNX Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript. Description The Versiant LYNX Customer Service Portal CSP is a "full-service customer portal that provide...
Microsoft Windows Type 1 font parsing remote code execution vulnerabilities
Overview Microsoft Windows contains two vulnerabilities in the parsing of Adobe Type 1 fonts, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by...
Machine learning classifiers trained via gradient descent are vulnerable to arbitrary misclassification attack
Overview Machine learning models trained using gradient descent can be forced to make arbitrary misclassifications by an attacker that can influence the items to be classified. The impact of a misclassification varies widely depending on the ML model's purpose and of what systems it is a part...
Microsoft SMBv3 compression remote code execution vulnerability
Overview Microsoft SMBv3 contains a vulnerability in the handling of compression, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability is being referred to as "SMBGhost and CoronaBlue." Description Microsoft Server Message Block...
pppd vulnerable to buffer overflow due to a flaw in EAP packet processing
Overview pppd Point to Point Protocol Daemon versions 2.4.2 through 2.4.8 are vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol EAP packet processing in eaprequest and eapresponse subroutines. Description PPP is the protocol used for establishing internet links ove...
ZyXEL pre-authentication command injection in weblogin.cgi
Overview Multiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Description CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command...
IBM ServeRAID Manager exposes unauthenticated Java Remote Method Invocation (RMI) service
Overview IBM ServeRAID Manager version 9.30-17006 and prior exposes a Java RMI that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java...
Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution
Overview Cisco Discovery Protocol CDP is a proprietary layer-2 networking protocol that Cisco devices use to gather information about devices connected to the network. Armis Security found that CDP supported devices are vulnerable to heap overflow in Cisco IP Cameras CVE-2020-3110, stack overflow...
OpenSMTPD vulnerable to local privilege escalation and remote code execution
Overview Qualys Research Labs found that the smtpmailaddr function in OpenSMTPD version 6.6 does not properly sanitize user input, which could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root. Description OpenSMTPD ...
Microsoft Internet Explorer Scripting Engine memory corruption vulnerability
Overview The Microsoft Internet Explorer Scripting Engine contains a memory corruption vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code. Description Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages...
Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
Overview The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography ECC, which may allow an attacker to spoof the validity of certificate chains. Description The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC...
Content Delivery Networks handle HTTP headers in different and unexpected ways
Overview A Content Delivery Network CDN is a distributed network of proxy servers that deliver web content collected from a back end web server using a temporary local storage called a cache. HTTP cache poisoning is a type of attack that allows a remote attacker to inject arbitrary content using...
Microsoft Windows Remote Desktop Gateway allows for unauthenticated remote code execution
Overview Microsoft Windows Remote Desktop Gateway contains vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Description Microsoft Windows Remote Desktop Gateway RD Gateway is a Windows Server component that...
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability
Overview A vulnerability been identified in Citrix Application Delivery Controller ADC formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system...
Apple devices vulnerable to arbitrary code execution in SecureROM
Overview Some Apple devices are vulnerable to arbitrary code execution at the Boot ROM level called "SecureROM" by Apple by exploiting a use-after-free vulnerability. Successful exploitation results in the ability to execute arbitrary code on the device. checkm8 is a public exploit for this...
Telos Automated Message Handling System contains multiple vulnerabilities
Overview Telos Automated Message Handling System AMHS contains multiple XSS vulnerabilities and a database information disclosure vulnerability. Description Telos AMHS is a web-based messaging system that supports DoD and Intelligence Community IC security marking requirements. AMHS versions prio...
Microsoft Office for Mac cannot properly disable XLM macros
Overview The Microsoft Office for Mac option "Disable all macros without notification" enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description XLM macros Up to and including Microsoft Excel 4.0, a macro...
Multiple D-Link routers vulnerable to remote command execution
Overview Multiple D-Link routers are vulnerable to unauthenticated remote command execution. Description Several D-Link routers contain CGI capability that is exposed to users as /applysec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws: 1. The...
Pulse Secure VPN contains multiple vulnerabilities
Overview Pulse Secure SSL VPN contains multiple vulnerabilities that can allow remote unauthenticated remote attacker to compromise the VPN server and connected clients. Description Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on Apr...
Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal
Overview CERT/CC researchers examined the satcom terminal Cobham EXPLORER 710 as an expansion of work from IOActive’s findings in 2014. They discovered multiple new vulnerabilities affecting the device and the firmware, some of which could allow an unauthenticated, local attacker to gain access t...
iTerm2 with tmux integration is vulnerable to remote command execution
Overview iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution. Description iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrator...
Exim fails to properly handle trailing backslashes in string_interpret_escape()
Overview Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the stringinterpretescape function. This function is used to handle peer distinguished names DN and Sever Name Indication SNI during a TLS negotiation. This vulnerability could allow a local ...
Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks
Overview The encryption key length negotiation process in Bluetooth BR/EDR Core v5.1 and earlier is vulnerable to packet injection by an unauthenticated, adjacent attacker that could result in information disclosure and/or escalation of privileges. This can be achieved using an attack referred to...
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Overview Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service DoS attacks. Description The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections...
Cylance Antivirus Products Susceptible to Concatenation Bypass
Overview The Cylance AI-based antivirus product, prior to July 21, 2019, contains flaws that allow an adversary to craft malicious files that the AV product will likely mistake for benign files. Description Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality...
Oracle Solaris vulnerable to arbitrary code execution via /proc/self
Overview Oracle Solaris 11 and Solaris 10 are vulnerable to arbitrary code execution if an attacker has read/write access to /proc/self in the process file system. Description The process file system /proc in Oracle Solaris 11 and Solaris 10 provides a self/ alias that refers to the current...
LLVMs Arm stack protection feature can be rendered ineffective
Overview The stack protection feature in LLVM's Arm backend can be rendered ineffective when the stack protector slot is re-allocated so that is appears after the local variables that it is meant to protect, leaving the function potentially vulnerable to a stack-based buffer overflow. Description...
Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels
Overview Multiple TCP Selective Acknowledgement SACK and Maximum Segment Size MSS networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels. Description CVE-2019-11477: SACK Panic Linux = 2.6.29. A sequence of specifically crafted selective acknowledgements SA...
Microsoft Windows RDP can bypass the Windows lock screen
Overview Microsoft Windows RDP can allow an attacker to bypass the lock screen on remote sessions. Description In Windows a session can be locked, which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way...
Multiple vulnerabilities in Quest Kace System Management Appliance
Overview The Quest Kace System Management K1000 Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing CORS mechanism and improperly...
Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability
Overview Microsoft Windows contains a privilege escalation vulnerability in the way that theTask Scheduler SetJobFileSecurityByName function is used, which can allow an authenticated attacker to gain SYSTEM privileges on an affected system. Description Task Scheduler is a set of Microsoft Windows...
Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input
Overview Cisco's Trust Anchor module TAm can be bypassed through manipulating the bitstream of the Field Programmable Gate Array FPGA. This component handles access control to a hardware component within Cisco's Secure Boot implementations, which affects multiple products that support this...
PrinterLogic Print Management Software fails to validate SSL certificates or the integrity of software updates.
Overview PrinterLogic Print Management Software fails to validate SSL and software update certificates, which could allow an attacker to reconfigure the software and remotely execute code. In addition, the PrinterLogic agent does not sanitize browser input allowing a remote attacker to modify...
Broadcom WiFi chipset drivers contain multiple vulnerabilities
Overview The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer...
WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant
Overview Multiple vulnerabilities have been identified in WPA3 protocol design and implementations of hostapd and wpasupplicant, which can allow a remote attacker to acquire a weak password, conduct a denial of service, or gain complete authorization. These vulnerabilities have also been referred...
VPN applications insecurely store session cookies
Overview Multiple Virtual Private Network VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. Description Virtual Private Networks VPNs are used to create a secure connection with another network over the internet. Multiple VPN applications stor...
MyCar Controls uses hard-coded credentials
Overview The MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contains hard-coded admin credentials. Description MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation, remote start/stop...
Marvell Avastar wireless SoCs have multiple vulnerabilities
Overview Some Marvell Avastar wireless system on chip SoC models have multiple vulnerabilities, including a block pool overflow during Wi-Fi network scan. Description A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs models 88W8787,...
Microsoft Exchange server 2013 and newer are vulnerable to NTLM relay attacks
Overview Microsoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server. Description Microsoft Exchange supports a API called Exchange Web Services EWS. One of the EWS API...
Microsoft Windows DNS servers are vulnerable to heap overflow
Overview Microsoft Windows DNS servers are vulnerable to heap overflow attacks, enabling unauthenticated attackers to send malicious requests to affected servers. Description CWE-122: Heap-based Buffer Overflow - CVE-2018-8626Microsoft Windows Domain Name System DNS servers are vulnerable to heap...
Microsoft Windows Kernel Transaction Manager (KTM) is vulnerable to a race condition
Overview The Microsoft Windows Kernel Transaction Manager KTM is vulnerable to a race condition because it fails to properly handle objects in memory, which can result in local privilege escalation. Description CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization 'Rac...
Dokan file system driver contains a stack-based buffer overflow
Overview A system driver in the Dokan Open Source File System contains a stack-based buffer overflow, which could allow an attacker to gain elevated privileges on the host machine. Description CWE-121: Stack-based Buffer Overflow - CVE-2018-5410Dokan, versions between 1.0.0.5000 and 1.2.0.1000,...
Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition
Overview The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authentication attacker to elevate privileges to read protected files. Description The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to...
Microsoft Internet Explorer scripting engine JScript memory corruption vulnerability
Overview Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer contains a scripting engine, which handles executi...
Pixar Tractor contains a stored cross-site scripting vulnerability
Overview Pixar's Tractor network rendering software is vulnerable to stored cross-site scripting which may allow an attacker to execute arbitrary JavaScript. Description Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability CWE-79 in the field tha...
Self-encrypting hard drives do not adequately protect data
Overview There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks SEDs, which can allow an attacker to decrypt contents of an encrypted drive. Description CVE-2018-12037 There is no cryptographic relation between the password provided by...
Texas Instruments CC2640 and CC2650 microcontrollers vulnerable to heap overflow and insecure update
Overview Texas Instruments CC2640 and CC2650 microcontrollers are vulnerable to a heap overflow and may allow unauthenticated firmware installation. Description CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2018-16986 - also known as BLEEDINGBIT The following...
Cisco ASA and FTD SIP Inspection denial-of-service vulnerability
Overview Cisco Adaptive Security Appliance ASA software and Cisco Firepower Threat Defense FTD software fails to properly parse SIP traffic, which can result in a denial-of-service condition on affected devices. Description Cisco Adaptive Security Appliance ASA software and Cisco Firepower Threat...
Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App
Overview Auto-Maskin RP remote panels and DCU controls units are used to monitor and control ship engines. The units have several authentication and encryption vulnerabilities which can allow attackers to access the units and control connected engines. Description CWE 798: Use of Hard-Coded...