NVD

CVE-2018-16524

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of TCP options in prvCheckOptions.
Categories: NVD

CVE-2018-16525

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow remote attackers to execute arbitrary code or leak information because of a Buffer Overflow during parsing of DNS\LLMNR packets in prvParseDNSReply.
Categories: NVD

CVE-2018-16526

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow remote attackers to leak information or execute arbitrary code because of a Buffer Overflow during generation of a protocol checksum in usGenerateProtocolChecksum and prvProcessIPPacket.
Categories: NVD

CVE-2018-16527

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of ICMP packets in prvProcessICMPPacket.
Categories: NVD

CVE-2018-16528

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
Amazon Web Services (AWS) FreeRTOS through 1.3.1 allows remote attackers to execute arbitrary code because of mbedTLS context object corruption in prvSetupConnection and GGD_SecureConnect_Connect in AWS TLS connectivity modules.
Categories: NVD

CVE-2018-16598

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. In xProcessReceivedUDPPacket and prvParseDNSReply, any received DNS response is accepted, without confirming it matches a sent DNS request.
Categories: NVD

CVE-2018-16599

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of NBNS packets in prvTreatNBNS can be used for information disclosure.
Categories: NVD

CVE-2018-16600

NVD Vulnerabilities - Thu, 12/06/2018 - 18:29
An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of ARP packets in eARPProcessPacket can be used for information disclosure.
Categories: NVD

CVE-2018-19921

NVD Vulnerabilities - Thu, 12/06/2018 - 17:29
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
Categories: NVD

CVE-2018-19922

NVD Vulnerabilities - Thu, 12/06/2018 - 17:29
Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the 'TodUrlAdd' URL parameter in a /urlfilter.cmd POST request.
Categories: NVD

CVE-2018-19919

NVD Vulnerabilities - Thu, 12/06/2018 - 15:29
Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element.
Categories: NVD

CVE-2018-18362

NVD Vulnerabilities - Thu, 12/06/2018 - 14:29
Norton Password Manager for Android (formerly Norton Identity Safe) may be susceptible to a cross site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.
Categories: NVD

CVE-2018-19913

NVD Vulnerabilities - Thu, 12/06/2018 - 14:29
DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.
Categories: NVD

CVE-2018-19914

NVD Vulnerabilities - Thu, 12/06/2018 - 14:29
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
Categories: NVD

CVE-2018-19915

NVD Vulnerabilities - Thu, 12/06/2018 - 14:29
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
Categories: NVD

CVE-2018-19911

NVD Vulnerabilities - Thu, 12/06/2018 - 13:29
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.
Categories: NVD

CVE-2018-19908

NVD Vulnerabilities - Thu, 12/06/2018 - 11:29
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
Categories: NVD

CVE-2018-9547

NVD Vulnerabilities - Thu, 12/06/2018 - 09:29
In unflatten of GraphicBuffer.cpp, there is a possible bad fd close due to improper input validation. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-114223584.
Categories: NVD

CVE-2018-9548

NVD Vulnerabilities - Thu, 12/06/2018 - 09:29
In multiple functions of ContentProvider.java, there is a possible permission bypass due to a missing URI validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112555574.
Categories: NVD

CVE-2018-9549

NVD Vulnerabilities - Thu, 12/06/2018 - 09:29
In lppTransposer of lpp_tran.cpp there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112160868.
Categories: NVD