NVD

CVE-2018-7682

NVD Vulnerabilities - Fri, 06/22/2018 - 18:29
Micro Focus Solutions Business Manager versions prior to 11.4 allow a user to invoke SBM RESTful services across domains.
Categories: NVD

CVE-2018-12689

NVD Vulnerabilities - Fri, 06/22/2018 - 16:29
phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel.

CVE-2018-12538

NVD Vulnerabilities - Fri, 06/22/2018 - 15:29
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

CVE-2018-12684

NVD Vulnerabilities - Fri, 06/22/2018 - 15:29
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.

CVE-2018-12687

NVD Vulnerabilities - Fri, 06/22/2018 - 15:29
tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h.

CVE-2018-12688

NVD Vulnerabilities - Fri, 06/22/2018 - 15:29
tinyexr 0.9.5 has a segmentation fault in the wav2Decode function.

CVE-2018-1000201

NVD Vulnerabilities - Fri, 06/22/2018 - 14:29
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS when a Symbol is used as the DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.

CVE-2018-12678

NVD Vulnerabilities - Fri, 06/22/2018 - 14:29
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks.

CVE-2018-12636

NVD Vulnerabilities - Fri, 06/22/2018 - 12:29
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

CVE-2017-7568

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
NetApp OnCommand Unified Manager for 7-Mode (core package) versions prior to 5.2.3 may disclose sensitive LDAP account information to authenticated users when the LDAP authentication configuration is tested via the user interface.

CVE-2018-12654

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
Reflected Cross-Site Scripting (XSS) exists in the Bibliography module in SLiMS 8 Akasia 8.3.1 via an admin/modules/bibliography/index.php?keywords= URI.

CVE-2018-12655

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
Reflected Cross-Site Scripting (XSS) exists in the Circulation module in SLiMS 8 Akasia 8.3.1 via an admin/modules/circulation/loan_rules.php?keywords= URI, a related issue to CVE-2017-7242.

CVE-2018-12656

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
Reflected Cross-Site Scripting (XSS) exists in the Membership module in SLiMS 8 Akasia 8.3.1 via an admin/modules/membership/index.php?keywords= URI.

CVE-2018-12657

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
Reflected Cross-Site Scripting (XSS) exists in the Master File module in SLiMS 8 Akasia 8.3.1 via an admin/modules/master_file/rda_cmc.php?keywords= URI.

CVE-2018-12658

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
Reflected Cross-Site Scripting (XSS) exists in the Stock Take module in SLiMS 8 Akasia 8.3.1 via an admin/modules/stock_take/index.php?keywords= URI.

CVE-2018-12659

NVD Vulnerabilities - Fri, 06/22/2018 - 11:29
SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter.

CVE-2018-12649

NVD Vulnerabilities - Fri, 06/22/2018 - 10:29
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.

CVE-2018-1655

NVD Vulnerabilities - Fri, 06/22/2018 - 10:29
IBM AIX 5.3, 6.1, 7.1, and 7.2 contains a vulnerability in the rmsock command that may be used to expose kernel memory. IBM X-Force ID: 144748.

CVE-2017-2668

NVD Vulnerabilities - Fri, 06/22/2018 - 09:29
389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.

CVE-2017-7466

NVD Vulnerabilities - Fri, 06/22/2018 - 09:29
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.