NVD

CVE-2017-13102

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
Categories: NVD

CVE-2017-13103

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Pinterest, 6.37, 2017-10-24, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

CVE-2017-13104

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

CVE-2017-13105

NVD Vulnerabilities - Wed, 08/15/2018 - 18:29
Hi Security Virus Cleaner - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android application accepts all SSL certificates during SSL communication. This exposes the application to a man-in-the-middle attack in which all of its encrypted traffic can be intercepted and read by an attacker.

CVE-2018-0418

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the Local Packet Transport Services (LPTS) feature set of Cisco ASR 9000 Series Aggregation Services Router Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input and validation checking on certain Precision Time Protocol (PTP) ingress traffic to an affected device. An attacker could exploit this vulnerability by injecting malformed traffic into an affected device. A successful exploit could allow the attacker to cause services on the device to become unresponsive, resulting in a DoS condition. Cisco Bug IDs: CSCvj22858.

CVE-2018-0419

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in certain attachment detection mechanisms of Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of an affected system. The vulnerability is due to the improper detection of content within executable (EXE) files. An attacker could exploit this vulnerability by sending a customized EXE file that is not recognized and blocked by the ESA. A successful exploit could allow an attacker to send email messages that contain malicious executable files to unsuspecting users. Cisco Bug IDs: CSCvh03786.

CVE-2018-0427

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the CronJob scheduler API of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to incorrect input validation of user-supplied data. An attacker could exploit this vulnerability by sending a malicious packet. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Cisco Bug IDs: CSCvi42263.

CVE-2018-0428

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. The vulnerability is due to improper implementation of access controls. An attacker could exploit this vulnerability by authenticating to the device as a specific user to gain the information needed to elevate privileges to root in a separate login shell. A successful exploit could allow the attacker to escape the CLI subshell and execute system-level commands on the underlying operating system as root. Cisco Bug IDs: CSCvj93548.

CVE-2018-0367

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the web-based management interface of the Cisco Registered Envelope Service could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. Cisco Bug IDs: CVE-2018-0367.

CVE-2018-0386

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in Cisco Unified Communications Domain Manager Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on an affected system. The vulnerability is due to improper validation of input that is passed to the affected software. An attacker could exploit this vulnerability by persuading a user of the affected software to access a malicious URL. A successful exploit could allow the attacker to access sensitive, browser-based information on the affected system or perform arbitrary actions in the affected software in the security context of the user. Cisco Bug IDs: CSCvh49694.

CVE-2018-0409

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the XCP Router service of the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS) and Expressway could allow an unauthenticated, remote attacker to cause a temporary service outage for all IM&P users, resulting in a denial of service (DoS) condition. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious IPv4 or IPv6 packet to an affected device on TCP port 7400. An exploit could allow the attacker to overread a buffer, resulting in a crash and restart of the XCP Router service. Cisco Bug IDs: CSCvg97663, CSCvi55947.

CVE-2018-0410

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the web proxy functionality of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to exhaust system memory and cause a denial of service (DoS) condition on an affected system. The vulnerability exists because the affected software improperly manages memory resources for TCP connections to a targeted device. An attacker could exploit this vulnerability by establishing a high number of TCP connections to the data interface of an affected device via IPv4 or IPv6. A successful exploit could allow the attacker to exhaust system memory, which could cause the system to stop processing new connections and result in a DoS condition. System recovery may require manual intervention. Cisco Bug IDs: CSCvf36610.

CVE-2018-0412

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an unauthenticated, adjacent attacker to force the downgrade of the encryption algorithm that is used between an authenticator (access point) and a supplicant (Wi-Fi client). The vulnerability is due to the improper processing of certain EAPOL messages that are received during the Wi-Fi handshake process. An attacker could exploit this vulnerability by establishing a man-in-the-middle position between a supplicant and an authenticator and manipulating an EAPOL message exchange to force usage of a WPA-TKIP cipher instead of the more secure AES-CCMP cipher. A successful exploit could allow the attacker to conduct subsequent cryptographic attacks, which could lead to the disclosure of confidential information. Cisco Bug IDs: CSCvj29229.

CVE-2018-0415

NVD Vulnerabilities - Wed, 08/15/2018 - 16:29
A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the improper processing of certain EAPOL frames. An attacker could exploit this vulnerability by sending a stream of crafted EAPOL frames to an affected device. A successful exploit could allow the attacker to force the access point (AP) to disassociate all the associated stations (STAs) and to disallow future, new association requests. Cisco Bug IDs: CSCvj97472.

CVE-2018-10510

NVD Vulnerabilities - Wed, 08/15/2018 - 15:29
A Directory Traversal Remote Code Execution vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to execute arbitrary code on vulnerable installations.

CVE-2018-10511

NVD Vulnerabilities - Wed, 08/15/2018 - 15:29
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.

CVE-2018-10512

NVD Vulnerabilities - Wed, 08/15/2018 - 15:29
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to manipulate a reverse proxy .dll on vulnerable installations, which may lead to a denial of service (DoS).

CVE-2018-8753

NVD Vulnerabilities - Wed, 08/15/2018 - 14:29
The IKEv1 implementation in Clavister cOS Core before 11.00.11, 11.20.xx before 11.20.06, and 12.00.xx before 12.00.09 allows remote attackers to decrypt RSA-encrypted nonces by leveraging a Bleichenbacher attack.

CVE-2018-9129

NVD Vulnerabilities - Wed, 08/15/2018 - 14:29
ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections.

CVE-2018-11247

NVD Vulnerabilities - Wed, 08/15/2018 - 14:29
The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81.