NVD

CVE-2018-13435

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.
Categories: NVD

CVE-2018-13446

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.

CVE-2018-14567

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.

CVE-2018-15122

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.

CVE-2018-11509

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to log in and upload a webshell.

CVE-2018-11511

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.

CVE-2018-12256

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
admin/vqmods.app/vqmods.inc.php in LiteCart before 2.1.3 allows remote authenticated attackers to upload a malicious file (resulting in remote code execution) by using the text/xml or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.

CVE-2018-13434

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation allows authentication bypass by overriding the LAContext return Boolean value to be "true" because the kSecAccessControlUserPresence protection mechanism is not used. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.

CVE-2016-9596

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.

CVE-2016-9598

NVD Vulnerabilities - Thu, 08/16/2018 - 16:29
libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483.

CVE-2018-1712

NVD Vulnerabilities - Thu, 08/16/2018 - 15:29
IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery. An attacker, using specially crafted input parameters, can trick the server into making potentially malicious calls within the trusted network. IBM X-Force ID: 146370.

CVE-2018-10139

NVD Vulnerabilities - Thu, 08/16/2018 - 14:29
The PAN-OS response page for GlobalProtect in Palo Alto Networks PAN-OS 6.1.21 and earlier, PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML. PAN-OS 8.1 is NOT affected.

CVE-2018-10140

NVD Vulnerabilities - Thu, 08/16/2018 - 14:29
The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 and earlier may allow an authenticated user to shut down all management sessions, resulting in all logged-in users being redirected to the login page. PAN-OS 6.1, PAN-OS 7.1 and PAN-OS 8.0 are NOT affected.

CVE-2018-11771

NVD Vulnerabilities - Thu, 08/16/2018 - 11:29
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

CVE-2018-1715

NVD Vulnerabilities - Thu, 08/16/2018 - 09:29
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147003.

CVE-2017-13106

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

CVE-2017-13107

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

CVE-2017-13108

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

CVE-2017-13100

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

CVE-2017-13101

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.