Title: Google Toolbar Dialog Spoofing Vulnerability
ID: SECURITYVULNS:DOC:18688
Type: securityvulns
Reporter: Securityvulns
Modified: 2007-12-19T00:00:00
Description
Google Toolbar allows spoofing of the information presented in the dialog
that is displayed when adding a new Google Toolbar button. This can allow
an attacker to convince users that the attacker's button comes from a
trusted domain. The button can then be used to download malicious files or
conduct phishing attacks (e.g. show a login form of a bank).
Affected versions
* Google Toolbar 5 beta for Internet Explorer
* Google Toolbar 4 for Internet Explorer
* Google Toolbar 4 for Firefox (partially)
{"id": "SECURITYVULNS:DOC:18688", "bulletinFamily": "software", "title": "Google Toolbar Dialog Spoofing Vulnerability", "description": "Google Toolbar allows spoofing the information presented in the dialog which\r\nis being displayed when adding a new Google Toolbar button. This can allow\r\nan attacker to convince the users that his button comes from a trusted\r\ndomain. This button can then be used to download malicious files or conduct\r\nphishing attacks (e.g. show a login form of a bank).\r\n\r\nAffected versions\r\n* Google Toolbar 5 beta for Internet Explorer \r\n* Google Toolbar 4 for Internet Explorer \r\n* Google Toolbar 4 for Firefox (partially)\r\n\r\nTechnical details:\r\nhttp://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.a\r\nspx\r\n\r\n--Aviv.", "published": "2007-12-19T00:00:00", "modified": "2007-12-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18688", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:24", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 2.0, "vector": "NONE", "modified": "2018-08-31T11:10:24", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB2526297", "KB2501721", "KB317244", "KB980408", "KB981401", "KB2785908", "KB953331", "KB2510690", "KB3191913", "KB2874216"]}], "modified": "2018-08-31T11:10:24", "rev": 2}, "vulnersScore": 2.0}, "affectedSoftware": []}
{"cve": [{"lastseen": "2021-02-02T06:52:33", "description": "The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-01-07T18:15:00", "title": "CVE-2018-18688", "type": "cve", "cwe": ["CWE-347"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-18688"], "modified": "2021-01-14T18:35:00", "cpe": ["cpe:/a:iskysoft:pdfelement6:6.8.0.3523", "cpe:/a:foxitsoftware:foxit_reader:9.2.0", 
"cpe:/a:iskysoft:pdfelement6:6.8.4.3921", "cpe:/a:iskysoft:pdfelement6:6.7.6.3399", "cpe:/a:nuance:power_pdf_standard:7.0", "cpe:/a:libreoffice:libreoffice:6.1.0.3", "cpe:/a:iskysoft:pdf_editor_6:6.4.2.3521", "cpe:/a:libreoffice:libreoffice:6.1.3.2", "cpe:/a:gonitro:nitro_reader:5.5.9.2", "cpe:/a:qoppa:pdf_studio_viewer_2018:2018.0.1", "cpe:/a:iskysoft:pdf_editor_6:6.7.6.3399", "cpe:/a:soft-xpansion:perfect_pdf_reader:13.1.5", "cpe:/a:libreoffice:libreoffice:6.0.6.2", "cpe:/a:qoppa:pdf_studio:12.0.7", "cpe:/a:gonitro:nitro_pro:11.0.3.173", "cpe:/a:foxitsoftware:phantompdf:8.3.9", "cpe:/a:code-industry:master_pdf_editor:5.1.24", "cpe:/a:code-industry:master_pdf_editor:5.1.68", "cpe:/a:nuance:power_pdf_standard:3.0.0.30", "cpe:/a:iskysoft:pdfelement6:6.7.1.3355", "cpe:/a:iskysoft:pdf_editor_6:6.6.2.3315", "cpe:/a:nuance:power_pdf_standard:3.0.0.17", "cpe:/a:soft-xpansion:perfect_pdf_10:10.0.0.1", "cpe:/a:foxitsoftware:foxit_reader:9.1.0", "cpe:/a:code-industry:master_pdf_editor:5.1.12", "cpe:/a:soft-xpansion:perfect_pdf_reader:13.0.3", "cpe:/a:qoppa:pdf_studio_viewer_2018:2018.2.0", "cpe:/a:foxitsoftware:foxit_reader:9.4"], "id": "CVE-2018-18688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18688", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:libreoffice:libreoffice:6.0.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:soft-xpansion:perfect_pdf_reader:13.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:nuance:power_pdf_standard:3.0.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:qoppa:pdf_studio:12.0.7:*:*:*:professional:*:*:*", "cpe:2.3:a:iskysoft:pdfelement6:6.7.1.3355:*:*:*:professional:*:*:*", "cpe:2.3:a:iskysoft:pdfelement6:6.7.6.3399:*:*:*:professional:*:*:*", "cpe:2.3:a:iskysoft:pdfelement6:6.8.0.3523:*:*:*:professional:*:*:*", "cpe:2.3:a:foxitsoftware:phantompdf:8.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:iskysoft:pdf_editor_6:6.4.2.3521:*:*:*:professional:*:*:*", "cpe:2.3:a:code-industry:master_pdf_editor:5.1.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:iskysoft:pdf_editor_6:6.6.2.3315:*:*:*:professional:*:*:*", "cpe:2.3:a:iskysoft:pdf_editor_6:6.7.6.3399:*:*:*:professional:*:*:*", "cpe:2.3:a:nuance:power_pdf_standard:3.0.0.30:*:*:*:*:*:*:*", "cpe:2.3:a:gonitro:nitro_reader:5.5.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:libreoffice:libreoffice:6.1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:soft-xpansion:perfect_pdf_reader:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:foxitsoftware:foxit_reader:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:code-industry:master_pdf_editor:5.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:nuance:power_pdf_standard:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:soft-xpansion:perfect_pdf_10:10.0.0.1:*:*:*:premium:*:*:*", "cpe:2.3:a:libreoffice:libreoffice:6.1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:gonitro:nitro_pro:11.0.3.173:*:*:*:*:*:*:*", "cpe:2.3:a:qoppa:pdf_studio_viewer_2018:2018.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:foxitsoftware:foxit_reader:9.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:code-industry:master_pdf_editor:5.1.68:*:*:*:*:*:*:*", "cpe:2.3:a:iskysoft:pdfelement6:6.8.4.3921:*:*:*:professional:*:*:*", "cpe:2.3:a:foxitsoftware:foxit_reader:9.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:42", "description": "An issue was discovered on Samsung mobile devices with L(5.1), M(6.0), and N(7.0) software. There is an information disclosure (of memory locations outside a buffer) via /dev/dsm_ctrl_dev. 
The Samsung ID is SVE-2016-7340 (January 2017).", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-07T16:15:00", "title": "CVE-2017-18688", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18688"], "modified": "2020-04-08T19:35:00", "cpe": ["cpe:/o:google:android:6.0", "cpe:/o:google:android:7.0", "cpe:/o:google:android:5.1"], "id": "CVE-2017-18688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18688", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-10-03T13:38:48", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.", "edition": 2, "cvss3": {}, "published": "2019-11-04T21:15:00", "title": "CVE-2019-18688", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2019-18688"], "modified": "2019-11-04T21:15:00", "cpe": [], "id": "CVE-2019-18688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18688", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2019-05-29T03:40:04", "description": "", "published": "2019-05-26T00:00:00", "type": "packetstorm", "title": "Joomla Attachments 3.x File Upload", "bulletinFamily": "exploit", "cvelist": [], "modified": "2019-05-26T00:00:00", "id": "PACKETSTORM:153088", "href": "https://packetstormsecurity.com/files/153088/Joomla-Attachments-3.x-File-Upload.html", "sourceData": "`#################################################################### \n \n# Exploit Title : Joomla Com_Attachments Components 3.x Arbitrary File Upload \n# Author [ Discovered By ] : KingSkrupellos \n# Team : Cyberizm Digital Security Army \n# Date : 26/05/2019 \n# Vendor Homepage : jmcameron.net \n# Software Download Links : jmcameron.net/attachments/ \njmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip \njoomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip \njoomlacode.org/gf/project/attachments/frs/ \ngithub.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/ \n# Software Information Links : extensions.joomla.org/extension/attachments/ \njoomlacode.org/gf/project/attachments/ \njoomlacode.org/gf/project/attachments3/ \n# Joomla Affected Versions : \nJoomla 3.4.8 \nJoomla 3.5.1 \nJoomla 3.6.5 \nJoomla 3.8.1 \nJoomla 3.8.11 \nJoomla 3.8.3 \nJoomla 3.9.6 \n# Software Affected Versions [ Component Com_Attachments ] : \n2.2.2 and 3.2.6 - 3.x / All previous versions. \n# Tested On : Windows and Linux \n# Category : WebApps \n# Exploit Risk : Medium \n# Google Dorks : \ninurl:/index.php?option=com_attachments&task=upload \nintext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved. 
\nintext:Treadmill Desk from TrekDesk \nintext:Copyright \u00a9 2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla \nintext:Fundaci\u00f3n Jesuitas Paraguay \nintext:\u00a9 2019 Mars Society Polska \nintext:Designed by atict.com \nintext:Copyright \u00a9 2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com \nintext:Designed by Burosphere. \nintext:Conselho Nacional de Recursos H\u00eddricos CNRH Ministerio Do Desenvolvimento Regional \nand more on Google and other Search Engines...... Have Fun.... \n# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ] \n# PacketStormSecurity : packetstormsecurity.com/files/authors/13968 \n# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ \n# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos \n# Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt \n \n#################################################################### \n \n# Description about Software : \n*************************** \nThe 'Attachments' extension allows files to be uploaded and attached to content \narticles in Joomla. Includes a plugin to display attachments and a component \nfor uploading and managing attachments. \n \n#################################################################### \n \n# Impact : \n*********** \nJoomla Attachments Components 3.x and other previous versions could allow a \nremote attacker to upload arbitrary files upload/shell upload, caused by the improper validation \nof file extensions by the multiple scripts to index.php. The issue occurs because \nthe application fails to adequately sanitize user-supplied input. \nExploiting this issue will allow attackers to execute arbitrary code within \nthe context of the affected application. This may facilitate unauthorized access \nor privilege escalation; other attacks may also possible. 
\nBy sending a specially-crafted HTTP request, a remote attacker could exploit \nthis vulnerability to upload a malicious PHP script, which could allow the \nattacker to execute arbitrary PHP code on the vulnerable system. \n \n#################################################################### \n \n# Arbitrary File Upload/Unauthorized File Insertion Exploit : \n**************************************************** \n/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme \n \nClick to \" Select file to upload instead \" - Fill the Form - Published => '' Yes '' and Click \" Public \" \n \nAttach file: - Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system. \n \n# Directory File Path : \n******************** \n/attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt \n \n#################################################################### \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n#################################################################### \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/153088/joomlaattachments3x-upload.txt"}, {"lastseen": "2019-02-20T02:55:57", "description": "", "published": "2019-02-19T00:00:00", "type": "packetstorm", "title": "Joomla Attachments 3.2.6 Shell Upload", "bulletinFamily": "exploit", "cvelist": [], "modified": "2019-02-19T00:00:00", "id": "PACKETSTORM:151747", "href": "https://packetstormsecurity.com/files/151747/Joomla-Attachments-3.2.6-Shell-Upload.html", "sourceData": "`#################################################################### \n \n# Exploit Title : Joomla Attachments Components 3.2.6 Shell Upload \n# Author [ Discovered By ] : KingSkrupellos \n# Team : Cyberizm Digital Security 
Army \n# Date : 18/02/2019 \n# Vendor Homepage : jmcameron.net \n# Software Download Links : jmcameron.net/attachments/ \njmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip \njoomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip \njoomlacode.org/gf/project/attachments/frs/ \ngithub.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/ \n# Software Information Links : extensions.joomla.org/extension/attachments/ \njoomlacode.org/gf/project/attachments/ \njoomlacode.org/gf/project/attachments3/ \n# Software Version : 2.2.2 and 3.2.6 / All previous versions. \n# Tested On : Windows and Linux \n# Category : WebApps \n# Exploit Risk : Medium \n# Google Dorks : inurl:''/index.php?option=com_attachments'' \nintext:''Desenvolvido com o CMS de codigo aberto Joomla'' site:mil.br \nintext:''JSN Mico template designed by JoomlaShine.com'' site:gov.my \nintext:''(c) Copyright 2011 TrekDesk Treadmill Desk.'' \nintext:''Tasarym ve Yazylym : 2A Ajans Unternet ve Tanytym Hizmetleri'' \nintext:''HLAVNI STRANKA - POCASI - SELF BRIEFING'' site:cz \nintext:''(c) 2017 Panzaldomus s.r.l. | Corso Nazionale, 88 - 84020 Controne (SA)'' \nintext:''Desarollo eAprando.com'' site:py \nintext:''(c) Dom Pomocy Spolecznej w Moczarach 2019'' \nintext:Seniorenverband BRH Niedersachsen \nintext:''RasaByte'' site:org \nintext:''CITTA DELLA GIOIA ONLUS 2019'' \nand more on Google and other Search Engines...... 
\n# Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ] \nCWE-264 [ Permissions, Privileges, and Access Controls ] \n# PacketStormSecurity : packetstormsecurity.com/files/authors/13968 \n# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ \n# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos \n \n#################################################################### \n \n# Description about Software : \n*************************** \nThe 'Attachments' extension allows files to be uploaded and attached to content \n \narticles in Joomla. Includes a plugin to display attachments and a component \n \nfor uploading and managing attachments. \n \n#################################################################### \n \n# Impact : \n*********** \nJoomla Attachments Components 3.2.6 and other previous versions could allow a \n \nremote attacker to upload arbitrary files upload/shell upload, caused by the improper validation \n \nof file extensions by the multiple scripts to index.php. The issue occurs because \n \nthe application fails to adequately sanitize user-supplied input. \n \nExploiting this issue will allow attackers to execute arbitrary code within \n \nthe context of the affected application. This may facilitate unauthorized access \n \nor privilege escalation; other attacks may also possible. \n \nBy sending a specially-crafted HTTP request, a remote attacker could exploit \n \nthis vulnerability to upload a malicious PHP script, which could allow the \n \nattacker to execute arbitrary PHP code on the vulnerable system. 
\n \n#################################################################### \n \n# Arbitrary File Upload/Shell Upload Exploit : \n**************************************** \n/index.php?option=com_attachments&task=upload&article_id=[PUT-ID-NUMBER-HERE]&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&article_id=11&tmpl=component&from=closeme \n \n/index.php/en/?option=com_attachments&task=upload&article_id=21&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&uri=url&parent_id=[PUT-ID-NUMBER-HERE]&parent_type=com_content&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&uri=file&parent_id=22&parent_type=com_content&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&uri=url&parent_id=34&parent_type=com_content&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&uri=url&parent_id=142&parent_type=com_content&tmpl=component&from=closeme \n \n/index.php?option=com_attachments&task=upload&parent_id=,new&parent_type=com_content.article&from=closeme&editor=article \n \n# Directory File Paths : \n******************** \n/index.php?option=com_attachments&task=download&id=[ID-NUMBER] \n \n/index.php?option=com_attachments&task=download&file=[FILENAME.php] \n \n/attachments/article/[ID-NUMBER]/[FILENAME.php] \n \n/index.php?option=com_attachments&task=update&id=index.php&update=file[FILENAME.php]&tmpl=component&from=article \n \n/administrator/components/com_attachments/........ \n \n/administrator/components/com_attachments/views/attachments/tmpl/........ \n \nNote : It is unknown exactly where the file is located. You have to search carefully. 
\n \n#################################################################### \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n#################################################################### \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151747/joomlaattachments326-shell.txt"}], "nessus": [{"lastseen": "2021-03-01T02:47:48", "description": "According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n8.3.9. It is, therefore, affected by following vulnerabilities:\n\n - An out-of-bounds read/write vulnerability exists\n when handling certain XFA element attributes.\n This occurs due to improper calculation of a\n null-terminated character and may cause an application crash.\n (CVE-2018-3956)\n\n - A signature validation bypass vulnerability exists\n which provides incorrect results when validating\n certain PDF documents.\n (CVE-2018-18688/CVE-2018-18689)\n\n - Flaws in how PDF files are processed/handled could\n lead to arbitrary code execution. An attacker can \n exploit this by convincing a user to open a specially\n crafted file in order to cause the execution of arbitrary\n code. 
(CVE-2019-6728,CVE-2019-6729)\n\nAdditionally, the application was affected by multiple potential \ninformation disclosure, denial of service, and remote code execution\nvulnerabilities.", "edition": 22, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-18T00:00:00", "title": "Foxit PhantomPDF < 8.3.9 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18689", "CVE-2018-18688", "CVE-2019-5005", "CVE-2019-6728", "CVE-2019-5006", "CVE-2019-5007", "CVE-2019-6732", "CVE-2019-6733", "CVE-2019-6730", "CVE-2019-6729", "CVE-2019-6734", "CVE-2019-6735", "CVE-2019-6731", "CVE-2018-3956", "CVE-2019-6727"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:foxitsoftware:phantompdf", "cpe:/a:foxitsoftware:phantom"], "id": "FOXIT_PHANTOM_8_3_9.NASL", "href": "https://www.tenable.com/plugins/nessus/121246", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121246);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/31 15:18:52\");\n\n script_cve_id(\n \"CVE-2018-3956\",\n \"CVE-2018-18688\",\n \"CVE-2018-18689\",\n \"CVE-2019-5005\",\n \"CVE-2019-5006\",\n \"CVE-2019-5007\",\n \"CVE-2019-6727\",\n \"CVE-2019-6728\",\n \"CVE-2019-6729\",\n \"CVE-2019-6730\",\n \"CVE-2019-6731\",\n \"CVE-2019-6732\",\n \"CVE-2019-6733\",\n \"CVE-2019-6734\",\n \"CVE-2019-6735\"\n );\n script_bugtraq_id(106798, 107496, 107552);\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7347\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7452\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7601\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7353\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7423\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7368\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7369\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7453\");\n script_xref(name:\"ZDI\", value:\"ZDI-CAN-7576\");\n script_xref(name:\"ZDI\", 
value:\"ZDI-CAN-7355\");\n\n script_name(english:\"Foxit PhantomPDF < 8.3.9 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Foxit PhantomPDF.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PDF toolkit installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n8.3.9. It is, therefore, affected by following vulnerabilities:\n\n - An out-of-bounds read/write vulnerability exists\n when handling certain XFA element attributes.\n This occurs due to improper calculation of a\n null-terminated character and may cause an application crash.\n (CVE-2018-3956)\n\n - A signature validation bypass vulnerability exists\n which provides incorrect results when validating\n certain PDF documents.\n (CVE-2018-18688/CVE-2018-18689)\n\n - Flaws in how PDF files are processed/handled could\n lead to arbitrary code execution. An attacker can \n exploit this by convincing a user to open a specially\n crafted file in order to cause the execution of arbitrary\n code. 
(CVE-2019-6728,CVE-2019-6729)\n\nAdditionally, the application was affected by multiple potential \ninformation disclosure, denial of service, and remote code execution\nvulnerabilities.\");\n # https://www.foxitsoftware.com/support/security-bulletins.php\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2f244c3e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Foxit PhantomPDF version 8.3.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6729\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantom\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantompdf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"foxit_phantom_installed.nasl\");\n script_require_keys(\"installed_sw/FoxitPhantomPDF\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'FoxitPhantomPDF';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [{\n 'min_version' : '8.0',\n 'max_version' : '8.3.8.39677',\n 'fixed_version' : '8.3.9'\n }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T02:47:50", "description": "According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n9.4. It is, therefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds read/write vulnerability and crash\n when handling XFA element attributes. (CVE-2018-3956)\n\n - A signature validation bypass vulnerability which\n could lead to incorrect validation results.\n (CVE-2018-18688, CVE-2018-18689)\n\n - Flaws in how PDF files are processed/handled could\n lead to arbitrary code execution. An attacker can \n exploit this by convincing a user to open a specially\n crafted file in order to cause the execution of arbitrary\n code. 
(CVE-2019-6728,CVE-2019-6729)\n\nAdditionally, the application was affected by multiple potential \ninformation disclosure, denial of service, and remote code execution\nvulnerabilities.", "edition": 24, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-09T00:00:00", "title": "Foxit PhantomPDF < 9.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18689", "CVE-2018-18688", "CVE-2019-5005", "CVE-2019-6728", "CVE-2019-5006", "CVE-2019-5007", "CVE-2019-6732", "CVE-2019-6733", "CVE-2019-6730", "CVE-2019-6729", "CVE-2019-6734", "CVE-2019-6735", "CVE-2019-6731", "CVE-2018-3956", "CVE-2019-6727"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:foxitsoftware:phantompdf", "cpe:/a:foxitsoftware:phantom"], "id": "FOXIT_PHANTOM_9_4.NASL", "href": "https://www.tenable.com/plugins/nessus/121045", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121045);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/31 15:18:52\");\n\n script_cve_id(\n \"CVE-2018-3956\",\n \"CVE-2018-18688\",\n \"CVE-2018-18689\",\n \"CVE-2019-5005\",\n \"CVE-2019-5006\",\n \"CVE-2019-5007\",\n \"CVE-2019-6727\",\n \"CVE-2019-6728\",\n \"CVE-2019-6729\",\n \"CVE-2019-6730\",\n \"CVE-2019-6731\",\n \"CVE-2019-6732\",\n \"CVE-2019-6733\",\n \"CVE-2019-6734\",\n \"CVE-2019-6735\"\n );\n script_bugtraq_id(106798, 107496, 107552);\n\n script_name(english:\"Foxit PhantomPDF < 9.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Foxit PhantomPDF.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PDF toolkit installed on the remote Windows host is affected by\na multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n9.4. 
It is, therefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds read/write vulnerability and crash\n when handling XFA element attributes. (CVE-2018-3956)\n\n - A signature validation bypass vulnerability which\n could lead to incorrect validation results.\n (CVE-2018-18688, CVE-2018-18689)\n\n - Flaws in how PDF files are processed/handled could\n lead to arbitrary code execution. An attacker can \n exploit this by convincing a user to open a specially\n crafted file in order to cause the execution of arbitrary\n code. (CVE-2019-6728,CVE-2019-6729)\n\nAdditionally, the application was affected by multiple potential \ninformation disclosure, denial of service, and remote code execution\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Foxit PhantomPDF version 9.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6729\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantom\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantompdf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"foxit_phantom_installed.nasl\");\n script_require_keys(\"installed_sw/FoxitPhantomPDF\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'FoxitPhantomPDF';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [{\n 'min_version' : '9.0',\n 'max_version' : '9.3.0.10826',\n 'fixed_version' : '9.4'\n }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T02:47:54", "description": "The version of Foxit Reader installed on the remote Windows host is\nprior to 9.4. It is, therefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds read/write vulnerability and crash\n when handling XFA element attributes. (CVE-2018-3956)\n\n - A signature validation bypass vulnerability which\n could lead to incorrect validation results.\n (CVE-2018-18688, CVE-2018-18689)\n\n - Flaws in how PDF files are processed/handled could\n lead to arbitrary code execution. An attacker can \n exploit this by convincing a user to open a specially\n crafted file in order to cause the execution of arbitrary\n code. 
(CVE-2019-6728,CVE-2019-6729)\n\nAdditionally, the application was affected by multiple potential \ninformation disclosure, denial of service, and remote code execution\nvulnerabilities.", "edition": 24, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-09T00:00:00", "title": "Foxit Reader < 9.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18689", "CVE-2018-18688", "CVE-2019-5005", "CVE-2019-6728", "CVE-2019-5006", "CVE-2019-5007", "CVE-2019-6732", "CVE-2019-6733", "CVE-2019-6730", "CVE-2019-6729", "CVE-2019-6734", "CVE-2019-6735", "CVE-2019-6731", "CVE-2018-3956", "CVE-2019-6727"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:foxitsoftware:foxit_reader"], "id": "FOXIT_READER_9_4.NASL", "href": "https://www.tenable.com/plugins/nessus/121046", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121046);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/31 15:18:52\");\n\n script_cve_id(\n \"CVE-2018-3956\",\n \"CVE-2018-18688\",\n \"CVE-2018-18689\",\n \"CVE-2019-5005\",\n \"CVE-2019-5006\",\n \"CVE-2019-5007\",\n \"CVE-2019-6727\",\n \"CVE-2019-6728\",\n \"CVE-2019-6729\",\n \"CVE-2019-6730\",\n \"CVE-2019-6731\",\n \"CVE-2019-6732\",\n \"CVE-2019-6733\",\n \"CVE-2019-6734\",\n \"CVE-2019-6735\"\n );\n script_bugtraq_id(106798, 107496, 107552);\n\n script_name(english:\"Foxit Reader < 9.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Foxit Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PDF viewer installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Foxit Reader installed on the remote Windows host is\nprior to 9.4. 
It is, therefore, affected by multiple vulnerabilities:\n\n - An out-of-bounds read/write vulnerability and crash\n when handling XFA element attributes. (CVE-2018-3956)\n\n - A signature validation bypass vulnerability which\n could lead to incorrect validation results.\n (CVE-2018-18688, CVE-2018-18689)\n\n - Flaws in how PDF files are processed/handled could\n lead to arbitrary code execution. An attacker can \n exploit this by convincing a user to open a specially\n crafted file in order to cause the execution of arbitrary\n code. (CVE-2019-6728,CVE-2019-6729)\n\nAdditionally, the application was affected by multiple potential \ninformation disclosure, denial of service, and remote code execution\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Foxit PhantomPDF version 9.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6729\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:foxit_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 
2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"foxit_reader_installed.nasl\");\n script_require_keys(\"installed_sw/Foxit Reader\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'Foxit Reader';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [{\n 'min_version' : '9.0',\n 'max_version' : '9.3.0.10826',\n 'fixed_version' : '9.4'\n }];\n \nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T11:47:05", "bulletinFamily": "info", "cvelist": ["CVE-2018-18689", "CVE-2018-18688", "CVE-2018-3956"], "description": "### *Detect date*:\n01/10/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Foxit Reader and Foxit PhantomPDF. Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information.\n\n### *Affected products*:\nFoxit Reader 9.3.0.10826 and earlier \nFoxit PhantomPDF 9.3.0.10826 and earlier\n\n### *Solution*:\nUpdate to the latest version \n[Download Foxit PhantomPDF](<https://www.foxitsoftware.com/downloads/#Foxit-PhantomPDF-Business>) \n[Download Foxit Reader](<https://www.foxitsoftware.com/downloads/#Foxit-Reader>)\n\n### *Original advisories*:\n[CVE-2018-3956](<https://www.foxitsoftware.com/support/security-bulletins.php>) \n[CVE-2018-18688/CVE-2018-18689](<https://www.foxitsoftware.com/support/security-bulletins.php>) \n[ZDI-CAN-7347/ZDI-CAN-7452/ZDI-CAN-7601](<https://www.zerodayinitiative.com/advisories/upcoming/>) \n[ZDI-CAN-7353/ZDI-CAN-7423](<https://www.zerodayinitiative.com/advisories/upcoming/>) \n[ZDI-CAN-7368](<https://www.zerodayinitiative.com/advisories/upcoming/>) \n[ZDI-CAN-7369](<https://www.zerodayinitiative.com/advisories/upcoming/>) \n[ZDI-CAN-7453](<https://www.zerodayinitiative.com/advisories/upcoming/>) 
\n[ZDI-CAN-7576](<https://www.zerodayinitiative.com/advisories/upcoming/>) \n[ZDI-CAN-7355](<https://www.zerodayinitiative.com/advisories/upcoming/>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Foxit Reader](<https://threats.kaspersky.com/en/product/Foxit-Reader/>)\n\n### *CVE-IDS*:\n[CVE-2018-3956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3956>)7.8Critical \n[CVE-2018-18688](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18688>)0.0Unknown \n[CVE-2018-18689](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18689>)0.0Unknown", "edition": 8, "modified": "2020-05-22T00:00:00", "published": "2019-01-10T00:00:00", "id": "KLA11398", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11398", "title": "\r KLA11398Multiple vulnerabilities in Foxit Reader and Foxit PhantomPDF ", "type": "kaspersky", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}], "openvas": [{"lastseen": "2019-07-17T14:04:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18689", "CVE-2018-18688", "CVE-2019-5005", "CVE-2019-5006", "CVE-2019-5007", "CVE-2018-3956"], "description": "The host is installed with Foxit Reader and\n is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2019-01-04T00:00:00", "id": "OPENVAS:1361412562310814581", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814581", "type": "openvas", "title": "Foxit Reader Multiple Vulnerabilities-Jan 2019 (Windows)", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit Reader Multiple Vulnerabilities-Jan 2019 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the 
Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814581\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2018-18688\", \"CVE-2018-18689\", \"CVE-2018-3956\",\n \"CVE-2019-5005\", \"CVE-2019-5006\", \"CVE-2019-5007\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:M/C:C/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-01-04 13:50:04 +0530 (Fri, 04 Jan 2019)\");\n script_name(\"Foxit Reader Multiple Vulnerabilities-Jan 2019 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit Reader and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to:\n\n - Error in handing image data, because two bytes are written to the end\n of the allocated memory without judging whether this will cause\n corruption\n\n - A NULL pointer dereference during PDF parsing\n\n - An Out-of-Bounds Read Information Disclosure and crash due to a\n NULL pointer dereference when reading TIFF data during TIFF parsing\n\n - 
An out-of-bounds read/write vulnerability and crash\n when handling XFA element attributes\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Foxit Reader versions 9.3.0.10826 and prior on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit Reader 9.4 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_portable_win.nasl\");\n script_mandatory_keys(\"foxit/reader/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\nif(version_is_less(version:pdfVer, test_version:\"9.4\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.4\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-07-17T14:04:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18689", "CVE-2018-18688", "CVE-2019-5005", "CVE-2019-5006", "CVE-2019-5007", "CVE-2018-3956"], "description": "The host is installed with Foxit PhantomPDF and\n is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2019-01-04T00:00:00", "id": "OPENVAS:1361412562310814582", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814582", "type": "openvas", "title": "Foxit PhantomPDF Multiple Vulnerabilities-Jan 2019 (Windows)", 
"sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit PhantomPDF Multiple Vulnerabilities-Jan 2019 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:phantompdf\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814582\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2018-18688\", \"CVE-2018-18689\", \"CVE-2018-3956\",\n \"CVE-2019-5005\", \"CVE-2019-5006\", \"CVE-2019-5007\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:M/C:C/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-01-04 15:15:18 +0530 (Fri, 04 Jan 2019)\");\n script_name(\"Foxit PhantomPDF Multiple Vulnerabilities-Jan 2019 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit PhantomPDF and\n is prone to multiple vulnerabilities.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to:\n\n - Error in handing image data, because two bytes are written to the end\n of the allocated memory without judging whether this will cause\n corruption\n\n - A NULL pointer dereference during PDF parsing\n\n - An Out-of-Bounds Read Information Disclosure and crash due to a\n NULL pointer dereference when reading TIFF data during TIFF parsing\n\n - An out-of-bounds read/write vulnerability and crash\n when handling XFA element attributes\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Foxit PhantomPDF versions 9.3.0.10826 and prior on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit PhantomPDF 9.4 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_phantom_reader_detect.nasl\");\n script_mandatory_keys(\"foxit/phantompdf/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\nif(version_is_less(version:pdfVer, test_version:\"9.4\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.4\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}], "openbugbounty": 
[{"lastseen": "2017-12-26T02:06:08", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Vulnerable URL:\n \n \n http://www.wurkforce.wur.nl/job.php/#\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| Yes, at \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 18688 \nVIP website status:| Yes \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 16 November, 2017 08:49 GMT \nGeneric security notifications sent to website owner| 16 November, 2017 08:51 GMT \nVulnerability details disclosed by researcher| 16 December, 2017 09:19 GMT \nVulnerability patched by the website owner| 17 December, 2017 00:36 GMT\n", "modified": "2017-12-17T00:36:00", "published": "2017-11-16T08:49:00", "href": "https://www.openbugbounty.org/reports/417902/", "id": "OBB:417902", "type": "openbugbounty", "title": "wurkforce.wur.nl XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- 
Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. (CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", 
"published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by 
malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera 
Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": 
"\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVulnerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. 
ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. 
This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}