Vulnerability Summary for the Week of June 17, 2019
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

• High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
• Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
• Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| actiontec -- t2200h_firmware | An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices, as distributed by Telus. By attaching a UART adapter to the UART pins on the system board, an attacker can use a special key sequence (`Ctrl-\`) to obtain a shell with root privileges. After gaining root access, the attacker can mount the filesystem read-write and make permanent modifications to the device including bricking of the device, disabling vendor management of the device, preventing automatic upgrades, and permanently installing malicious code on the device. | 2019-06-17 | 7.2 | CVE-2019-12789 MISC MISC |
| advantech -- webaccess | Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call. | 2019-06-18 | 7.5 | CVE-2019-3953 MISC |
| advantech -- webaccess | Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call. | 2019-06-18 | 7.5 | CVE-2019-3954 MISC |
| arenam -- amgallery | SQL Injection exists in the AMGallery 1.2.3 component for Joomla! via the filter_category_id parameter. | 2019-06-19 | 7.5 | CVE-2018-17398 MISC MISC |
| bubblesoftapps -- bubbleupnp | In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | 2019-06-19 | 7.5 | CVE-2018-15506 CONFIRM |
| bzip -- bzip2 | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. | 2019-06-19 | 7.5 | CVE-2019-12900 MISC |
| chronoscan -- chronoscan | SQL injection vulnerability in ChronoScan version 1.5.4.3 and earlier allows an unauthenticated attacker to execute arbitrary SQL commands via the wcr_machineid cookie. | 2019-06-21 | 7.5 | CVE-2018-15868 MISC MISC |
| cisco -- meeting_server | A vulnerability in the CLI configuration shell of Cisco Meeting Server could allow an authenticated, local attacker to inject arbitrary commands as the root user. The vulnerability is due to insufficient input validation during the execution of a vulnerable CLI command. An attacker with administrator-level credentials could exploit this vulnerability by injecting crafted arguments during command execution. A successful exploit could allow the attacker to perform arbitrary code execution as root on an affected product. | 2019-06-19 | 7.2 | CVE-2019-1623 BID CISCO |
| columbiaweather -- weather_microserver_firmware | In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable. | 2019-06-18 | 7.8 | CVE-2018-18878 MISC MISC |
| deltaww -- devicenet_builder | Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV starting at image00400000+0x000000000017a45e. | 2019-06-19 | 7.5 | CVE-2019-12898 MISC |
| deltaww -- devicenet_builder | Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV starting at ntdll!RtlQueueWorkItem+0x00000000000005e3. | 2019-06-19 | 7.5 | CVE-2019-12899 MISC |
| education_website_project -- education_website | SQL injection exists in Scriptzee Education Website 1.0 via the college_list.html subject, city, or country parameter. | 2019-06-19 | 7.5 | CVE-2018-17840 MISC MISC |
| ethereum -- ethereumj | An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server. | 2019-06-20 | 10.0 | CVE-2018-15890 MISC MISC MISC |
| f5 -- big-ip_access_policy_manager | Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff. | 2019-06-18 | 7.8 | CVE-2019-11477 MISC MLIST MISC MISC MISC CONFIRM CONFIRM MISC CERT-VN |
| flippa_marketplace_clone_project -- flippa_marketplace_clone | SQL injection exists in Scriptzee Flippa Marketplace Clone 1.0 via the site-search sortBy or sortDir parameter. | 2019-06-19 | 7.5 | CVE-2018-17841 MISC MISC |
| fusionpbx -- fusionpbx | app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. | 2019-06-17 | 9.0 | CVE-2019-11410 MISC MISC |
| getvera -- veraedge_firmware | An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as relay.sh which allows the device to create relay ports and connect the device to Vera servers. This is primarily used as a method of communication between the device and Vera servers so the devices can be communicated with even when the user is not at home. One of the parameters retrieved by this specific script is "remote_host". This parameter is not sanitized by the script correctly and is passed in a call to "eval" to execute another script, where remote_host is concatenated to be passed as a parameter to the second script. This allows an attacker to escape from the executed command and then execute any commands of his/her choice. | 2019-06-17 | 9.0 | CVE-2017-9384 MISC MISC BUGTRAQ |
| getvera -- veraedge_firmware | An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as proxy.sh which allows the device to proxy a specific request to and from another website. This is primarily used as a method of communication between the device and the Vera website when the user is logged in to https://home.getvera.com, and allows the device to communicate between the device and website. One of the parameters retrieved by this specific script is "url". This parameter is not sanitized by the script correctly and is passed in a call to "eval" to execute "curl" functionality. This allows an attacker to escape from the executed command and then execute any commands of his/her choice. | 2019-06-17 | 9.0 | CVE-2017-9388 MISC MISC BUGTRAQ |
| getvera -- veraedge_firmware | An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interface allows any user to write his/her application in the Lua language. However, this functionality is not protected by authentication and this allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to the LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)" which actually loads the Lua engine and runs the code. | 2019-06-17 | 9.0 | CVE-2017-9389 MISC MISC BUGTRAQ |
| getvera -- veraedge_firmware | An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "URL" parameter passed in the query string is not sanitized and is stored on the stack, which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when lu_request_image is passed as the "id" parameter in the query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments" and passes a "pointer" to the function where it will be allowed to store the value from the URL parameter. This pointer is passed as the second parameter $a2 to the function "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". However, neither the callee nor the caller in this case performs a simple length check, and as a result an attacker who is able to send more than 1336 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device. | 2019-06-17 | 9.0 | CVE-2017-9391 MISC MISC BUGTRAQ |
| getvera -- veraedge_firmware | An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "res" (resolution) parameter passed in the query string is not sanitized and is stored on the stack, which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when lu_request_image is passed as the "id" parameter in the query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". This function retrieves all the parameters passed in the query string including "res" and then uses the value passed in it to fill up a buffer using the sprintf function. However, the function in this case lacks a simple length check, and as a result an attacker who is able to send more than 184 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device. | 2019-06-17 | 9.0 | CVE-2017-9392 MISC MISC BUGTRAQ |
| google -- android | In llcp_util_parse_connect of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-111660010. | 2019-06-19 | 7.1 | CVE-2018-9561 MISC |
| google -- android | In llcp_util_parse_cc of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-114237888. | 2019-06-19 | 7.1 | CVE-2018-9563 MISC |
| google -- android | In llcp_util_parse_link_params of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-114238578. | 2019-06-19 | 7.1 | CVE-2018-9564 MISC |
| google -- android | In findAvailSpellCheckerLocked of TextServicesManagerService.java, there is a possible way to bypass the warning dialog when selecting an untrusted spell checker due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0. Android ID: A-118694079. | 2019-06-19 | 7.2 | CVE-2019-1985 MISC |
| google -- android | In ih264d_fmt_conv_420sp_to_420p of ih264d_format_conv.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-118399205. | 2019-06-19 | 9.3 | CVE-2019-1989 MISC |
| google -- android | In ihevcd_fmt_conv_420sp_to_420p of ihevcd_fmt_conv.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-118453553. | 2019-06-19 | 9.3 | CVE-2019-1990 MISC |
| google -- android | In addLinks of Linkify.java, there is a possible phishing vector due to an unusual root cause. This could lead to remote code execution or misdirection of clicks with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-116321860. | 2019-06-19 | 9.3 | CVE-2019-2003 MISC |
| google -- android | In serviceDied of HalDeathHandlerHidl.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege in the audio server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116665972. | 2019-06-19 | 10.0 | CVE-2019-2006 MISC |
| google -- android | In getReadIndex and getWriteIndex of FifoControllerBase.cpp, there is a possible out-of-bounds write due to an integer overflow. This could lead to local escalation of privilege in the audio server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9. Android ID: A-120789744. | 2019-06-19 | 10.0 | CVE-2019-2007 MISC |
| google -- android | In createEffect of AudioFlinger.cpp, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-122309228. | 2019-06-19 | 7.6 | CVE-2019-2008 MISC |
| google -- android | In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120665616. | 2019-06-19 | 8.3 | CVE-2019-2009 MISC |
| google -- android | In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-118152591. | 2019-06-19 | 7.2 | CVE-2019-2010 MISC |
| google -- android | In readNullableNativeHandleNoDup of Parcel.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-120084106. | 2019-06-19 | 7.2 | CVE-2019-2011 MISC |
| google -- android | In rw_t3t_act_handle_fmt_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120497437. | 2019-06-19 | 9.3 | CVE-2019-2012 MISC |
| google -- android | In rw_t3t_act_handle_sro_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120497583. | 2019-06-19 | 9.3 | CVE-2019-2013 MISC |
| google -- android | In rw_t3t_handle_get_sc_poll_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120499324. | 2019-06-19 | 9.3 | CVE-2019-2014 MISC |
| google -- android | In rw_t3t_act_handle_check_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120503926. | 2019-06-19 | 9.3 | CVE-2019-2015 MISC |
| google -- android | In NFA_SendRawFrame of nfa_dm_api.cc, there is a possible out-of-bound write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120664978. | 2019-06-19 | 9.3 | CVE-2019-2016 MISC |
| google -- android | In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-121035711. | 2019-06-19 | 7.2 | CVE-2019-2017 MISC |
| google -- android | In resetPasswordInternal of DevicePolicyManagerService.java, there is a possible bypass of password reset protection due to an unusual root cause. Remote user interaction is needed for exploitation. Product: Android. Versions: Android-8.1, Android-9. Android ID: A-110172241. | 2019-06-19 | 9.3 | CVE-2019-2018 MISC |
| google -- android | In ce_t4t_data_cback of ce_t4t.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-115635871. | 2019-06-19 | 7.1 | CVE-2019-2019 MISC |
| google -- android | In llcp_dlc_proc_rr_rnr_pdu of llcp_dlc.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-116788646. | 2019-06-19 | 7.1 | CVE-2019-2020 MISC |
| google -- android | In rw_t3t_act_handle_ndef_detect_rsp of rw_t3t.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120428041. | 2019-06-19 | 7.1 | CVE-2019-2021 MISC |
| google -- android | In rw_t3t_act_handle_fmt_rsp and rw_t3t_act_handle_sro_rsp of rw_t3t.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120506143. | 2019-06-19 | 7.1 | CVE-2019-2022 MISC |
| google -- android | In ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller. This could allow an app to add or replace a HAL service with its own service, gaining code execution in a privileged process. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-121035042 Upstream kernel. | 2019-06-19 | 7.2 | CVE-2019-2023 MISC |
| google -- android | In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-111761954. References: Upstream kernel. | 2019-06-19 | 7.2 | CVE-2019-2024 MISC |
| google -- android | In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-116855682. References: Upstream kernel. | 2019-06-19 | 7.2 | CVE-2019-2025 MISC |
| healthnode_hospital_management_system_project -- healthnode_hospital_management_system | SQL Injection exists in HealthNode Hospital Management System 1.0 via the id parameter to dashboard/Patient/info.php or dashboard/Patient/patientdetails.php. | 2019-06-19 | 7.5 | CVE-2018-17393 MISC MISC |
| hotel_booking_engine_project -- hotel_booking_engine | SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hotels h_room_type parameter. | 2019-06-19 | 7.5 | CVE-2018-17842 MISC MISC |
| ibm -- control_desk | IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 161680. | 2019-06-19 | 8.5 | CVE-2019-4364 XF CONFIRM |
| ibm -- tivoli_netcool/impact | IBM Tivoli Netcool/Impact 7.1.0 allows remote execution of commands by a low-privileged user. The remote code execution allows arbitrary code to be executed on the system, which leads to taking control over the system. IBM X-Force ID: 158094. | 2019-06-17 | 7.7 | CVE-2019-4103 XF CONFIRM |
| infoblox -- nios | A privilege escalation vulnerability in the "support access" feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope. The vulnerability is due to a weakness in the "support access" password generation algorithm. A locally authenticated administrative user may be able to exploit this vulnerability if the "support access" feature is enabled, they know the support access code for the current session, and they know the algorithm to generate the support access password from the support access code. "Support access" is disabled by default. When enabled, the access will be automatically disabled (and the support access code will expire) after 24 hours. | 2019-06-17 | 7.2 | CVE-2018-10239 CONFIRM |
| jimtawl_project -- jimtawl | SQL Injection exists in the Jimtawl 2.2.7 component for Joomla! via the id parameter. | 2019-06-19 | 7.5 | CVE-2018-17399 MISC MISC |
| libgd -- libgd | The GD Graphics Library (aka libgd) through 2.2.5 has a Double Free Vulnerability in the gdImageBmpPtr function. | 2019-06-20 | 7.5 | CVE-2018-15878 MISC |
| libgd -- libgd | The GD Graphics Library (aka libgd) through 2.2.5 has a Double Free Vulnerability in the gdImageBmpPt function. | 2019-06-20 | 7.5 | CVE-2018-15879 MISC |
| linux -- linux_kernel | A flaw was found in the Linux kernel. A heap based buffer overflow in the mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. | 2019-06-14 | 7.5 | CVE-2019-10126 BID CONFIRM MLIST MLIST BUGTRAQ DEBIAN |
| linux -- linux_kernel | A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). | 2019-06-18 | 7.2 | CVE-2019-3896 BID CONFIRM |
| onapp -- onapp | OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to run arbitrary commands with root privileges on servers managed by OnApp for XEN/KVM hypervisors. To exploit the vulnerability an attacker has to have control of a single server on a given cloud (e.g. by renting one). From the source server, the attacker can craft any command and trigger the OnApp platform to execute that command with root privileges on a target server. | 2019-06-19 | 8.5 | CVE-2019-12491 CONFIRM MISC |
| open-xchange -- open-xchange_appsuite | OX App Suite 7.10.0 and earlier has Incorrect Access Control. | 2019-06-17 | 7.5 | CVE-2019-7158 MISC |
| open_faculty_evaluation_system_project -- open_faculty_evaluation_system | Open Faculty Evaluation System 5.6 for PHP 5.6 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18758. | 2019-06-19 | 7.5 | CVE-2018-18757 MISC MISC |
| open_faculty_evaluation_system_project -- open_faculty_evaluation_system | Open Faculty Evaluation System 7 for PHP 7 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18757. | 2019-06-19 | 7.5 | CVE-2018-18758 MISC MISC |
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily CVE- 2019 exploitable vulnerability allows 2019- oracle -- weblogic_server -06- 7.5 unauthenticated attacker with 2729 19 network access via HTTP to MISC compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and C VS Sour Publ Primary S ce & Description ishe Vendor -- Product Sc Patch d or Info e
Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/U I:N/S:U/C:H/I:H/A:H).
SQL Injection exists in Twilio CVE- WEB To Fax Machine System 2018- ranksol -- 1.0 via the email or password 2019 1738 twilio_web_to_fax_mach parameter to login_check.php, or -06- 7.5 8 ine_system the id parameter to 19 MISC add_email.php or MISC edit_content.php.
An issue was discovered in Tyto CVE- Sahi Pro through 7.x.x and 8.0.0. 2018- A parameter in the web reports 2019 2046 sahipro -- sahi_pro module is vulnerable to h2 SQL -06- 7.5 9 injection. This can be exploited 17 MISC to inject SQL queries and run MISC standard h2 system functions.
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device CVE- provides a user with the 2017- capability of changing the 8328 2019 securifi -- administrative password for the MISC -06- 9.3 almond+firmware web management interface. It MISC 18 seems that the device does not BUG implement any cross site request TRA forgery protection mechanism Q which allows an attacker to trick a user who is logged in to the web management interface to C VS Sour Publ Primary S ce & Description ishe Vendor -- Product Sc Patch d or Info e
change a user's password. Also this is a systemic issue.
securifi -- almond+firmware | CVE-2017-8333 | Published 2019-06-18 | CVSS 9.0 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device lets a user add new routes. The POST parameters of the route-setup request can be set so that their values are passed to a "popen" call inside the handling function, which results in command injection on the device. Dissecting firmware AL-R096 with the binwalk tool yields a cpio-root archive containing the device filesystem and all of its binaries. The "goahead" binary holds the vulnerable function that receives the values sent by the POST request; opened in IDA Pro, it is MIPS little-endian. The function sub_00420F38 receives the POST values, the value of the POST parameter "dest" is extracted at address 0x00420FC4, concatenated into a "route add" command, and passed to "popen" at address 0x00421220. This allows an attacker to supply a payload of their choice and take control of the device.
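The unsafe pattern that entry describes, next to a hardened equivalent, as an added example in C. This is not the Securifi "goahead" code: only popen() and the "dest" POST parameter come from the advisory; the function names, the exact "route add" command line, and /sbin/route as the binary path are assumptions for illustration.

```c
/* Added example; not the Securifi "goahead" code. Shows the advisory's pattern
 * (an untrusted POST value spliced into a "route add" command that reaches
 * popen) beside a hardened equivalent. Function names, the command line and
 * /sbin/route are assumptions; only popen() and "dest" come from the advisory. */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: "dest" is concatenated into a shell command line, so a
 * value such as "10.0.0.0; reboot" is interpreted by /bin/sh inside popen(). */
int add_route_unsafe(const char *dest, const char *gw)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "route add -net %s gw %s", dest, gw);
    FILE *p = popen(cmd, "r");      /* shell metacharacters in dest are honored */
    if (!p)
        return -1;
    return pclose(p);
}

/* Allow-list check: exactly four decimal octets, each 0..255, nothing else. */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s) {
        if (*s < '0' || *s > '9')
            return 0;                   /* a segment must start with a digit */
        long v = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (*s - '0');
            if (++digits > 3 || v > 255)
                return 0;
            s++;
        }
        octets++;
        if (*s == '.') {
            if (octets == 4 || s[1] == '\0')
                return 0;               /* too many octets, or trailing dot */
            s++;
        } else if (*s != '\0') {
            return 0;                   /* ';', '`', '|', space, ... */
        }
    }
    return octets == 4;
}

/* Hardened pattern: validate both values against the allow-list, then exec the
 * binary directly with an argv array. No shell parses the arguments, so
 * metacharacters carry no meaning even if validation were later relaxed. */
int add_route_safe(const char *dest, const char *gw)
{
    if (!is_ipv4_literal(dest) || !is_ipv4_literal(gw))
        return -1;                      /* reject; do not try to "sanitize" */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/sbin/route", "route", "add", "-net", dest, "gw", gw, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The important design choice is the combination: an allow-list that rejects anything but a dotted-quad, plus execution without a shell. Either one alone closes this particular bug; together, a later change to the validator (for example to accept hostnames) does not silently reopen it.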
sophos -- sfos | CVE-2018-16117 | Published 2019-06-20 | CVSS 9.0 | Sources: CONFIRM, MISC, MISC
A shell escape vulnerability in /webconsole/Controller in the Admin Portal of Sophos XG firewall 17.0.8 MR-8 allows remote authenticated attackers to execute arbitrary OS commands via shell metacharacters in the "dbName" POST parameter.
thephpfactory -- auction_factory | CVE-2018-17374 | Published 2019-06-19 | CVSS 7.5 | Sources: MISC, MISC
SQL Injection exists in the Auction Factory 4.5.5 component for Joomla! via the filter_order_Dir or filter_order parameter.
thephpfactory -- dutch_auction_factory | CVE-2018-17381 | Published 2019-06-19 | CVSS 7.5 | Sources: MISC, MISC
SQL Injection exists in the Dutch Auction Factory 2.0.2 component for Joomla! via the filter_order_Dir or filter_order parameter.
thephpfactory -- micro_deal_factory | CVE-2018-17386 | Published 2019-06-19 | CVSS 7.5 | Sources: MISC, MISC
SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joomla! via the id parameter, or the PATH_INFO to mydeals/ or listdeals/.
tp-link -- tl-wr1043nd_firmware | CVE-2019-6971 | Published 2019-06-19 | CVSS 10.0 | Sources: MISC, MISC
An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface and fully control the router without knowledge of the credentials.
videolan -- vlc_media_player | CVE-2019-12874 | Published 2019-06-18 | CVSS 7.5 | Sources: MISC
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer has a double free while parsing a malformed MKV file.
webmin -- webmin | CVE-2019-12840 | Published 2019-06-15 | CVSS 9.0 | Sources: MISC, BID, MISC, MISC
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
westerndigital -- my_book_live_firmware | CVE-2018-18472 | Published 2019-06-19 | CVSS 10.0 | Sources: MISC, MISC
Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.
whatsapp -- whatsapp | CVE-2018-20655 | Published 2019-06-14 | CVSS 7.5 | Sources: BID, MISC
When receiving calls using WhatsApp for iOS, a missing size check when parsing a sender-provided packet allowed for a stack-based overflow. This issue affects WhatsApp for iOS prior to v2.18.90.24 and WhatsApp Business for iOS prior to v2.18.90.24.
whatsapp -- whatsapp | CVE-2018-6350 | Published 2019-06-14 | CVSS 7.5 | Sources: BID, MISC
An out-of-bounds read was possible in WhatsApp due to incorrect parsing of RTP extension headers. This issue affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224.
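The two WhatsApp entries above both come down to a sender-controlled length that is used before it is checked against the bytes actually received. As an added example, not WhatsApp's code, here is a bounds-checked parser for the RTP fixed header and its optional header extension (RFC 3550, section 5.3.1): the CSRC count, the extension length (in 32-bit words) and the padding byte are each validated before they move the cursor. The two sample packets are constructed for this example; the struct, function names and helper functions are assumptions.

```c
/* Added example; not WhatsApp's code. A bounds-checked RTP header/extension
 * parser (RFC 3550 s5.3.1). Every sender-controlled length is checked against
 * the bytes actually received before it is used. Sample packets are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct rtp_view {
    uint8_t  version, padding, has_ext, csrc_count, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    uint16_t ext_profile;
    const uint8_t *ext_data;    /* extension body inside pkt, or NULL */
    size_t   ext_len;           /* extension body length in bytes */
    const uint8_t *payload;
    size_t   payload_len;       /* payload length, padding excluded */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the packet is malformed or truncated.
 * On -1 nothing in *out may be used. */
int rtp_parse(const uint8_t *pkt, size_t len, struct rtp_view *out)
{
    memset(out, 0, sizeof *out);
    if (len < 12)
        return -1;                                  /* fixed header missing */
    out->version      = pkt[0] >> 6;
    out->padding      = (pkt[0] >> 5) & 1;
    out->has_ext      = (pkt[0] >> 4) & 1;
    out->csrc_count   = pkt[0] & 0x0f;
    out->marker       = pkt[1] >> 7;
    out->payload_type = pkt[1] & 0x7f;
    out->seq          = rd16(pkt + 2);
    out->timestamp    = rd32(pkt + 4);
    out->ssrc         = rd32(pkt + 8);
    if (out->version != 2)
        return -1;

    size_t off = 12 + (size_t)out->csrc_count * 4;  /* at most 12 + 60 */
    if (off > len)
        return -1;                                  /* CSRC list truncated */

    if (out->has_ext) {
        if (len - off < 4)
            return -1;                              /* extension header truncated */
        out->ext_profile = rd16(pkt + off);
        size_t ext_bytes = (size_t)rd16(pkt + off + 2) * 4;
        off += 4;
        if (ext_bytes > len - off)
            return -1;                              /* claimed length exceeds packet */
        out->ext_data = pkt + off;
        out->ext_len  = ext_bytes;
        off += ext_bytes;
    }

    size_t pad = 0;
    if (out->padding) {
        if (off == len)
            return -1;                              /* no room for the pad count */
        pad = pkt[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;                              /* pad count exceeds remainder */
    }
    out->payload     = pkt + off;
    out->payload_len = len - off - pad;
    return 0;
}

/* Constructed sample: V=2, X=1, CC=0, PT=96, one 32-bit word of extension,
 * then a two-byte payload "AB". */
const uint8_t sample_rtp[] = {
    0x90, 0x60, 0x00, 0x01,   /* V/P/X/CC, M/PT, sequence 1 */
    0x00, 0x00, 0x00, 0x10,   /* timestamp */
    0xde, 0xad, 0xbe, 0xef,   /* SSRC */
    0xbe, 0xde, 0x00, 0x01,   /* profile 0xBEDE, length = 1 word */
    0x10, 0x41, 0x00, 0x00,   /* extension body */
    0x41, 0x42                /* payload */
};
/* Same bytes, but the extension length field claims 0x0100 words (1024 bytes). */
const uint8_t sample_rtp_bad_ext[] = {
    0x90, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0xbe, 0xde, 0x01, 0x00, 0x10, 0x41, 0x00, 0x00, 0x41, 0x42
};

/* Helpers that reduce a parse to one number: extension or payload length in
 * bytes, or -1 if the packet is rejected. */
int rtp_ext_len_of(const uint8_t *pkt, size_t len)
{
    struct rtp_view v;
    return rtp_parse(pkt, len, &v) == 0 ? (int)v.ext_len : -1;
}
int rtp_payload_len_of(const uint8_t *pkt, size_t len)
{
    struct rtp_view v;
    return rtp_parse(pkt, len, &v) == 0 ? (int)v.payload_len : -1;
}
```

A parser that trusts the extension length field would set ext_len to 1024 for the second sample and then read about a kilobyte past the 22 bytes it was given; the check `ext_bytes > len - off` is the single comparison that prevents that. Note that subtracting `off` from `len` is only safe because `off > len` was already rejected, so the checks must stay in this order.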
zohocorp -- manageengine_adselfservice_plus | CVE-2019-12476 | Published 2019-06-17 | CVSS 7.2 | Sources: BID, MISC, MISC
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.
zohocorp -- manageengine_analytics_plus | CVE-2019-12133 | Published 2019-06-18 | CVSS 7.2 | Sources: MISC, CONFIRM
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This effectively allows non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
Medium Vulnerabilities
Primary Vendor -- Product | CVE | Published | CVSS Score | Source & Patch Info (each entry's description follows on the next line)
afian -- filerun | CVE-2019-12905 | Published 2019-06-20 | CVSS 4.3 | Sources: MISC
FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman&section=do&page=up URI.
alpinelinux -- abuild | CVE-2019-12875 | Published 2019-06-18 | CVSS 4.0 | Sources: MISC, MISC
Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key.
alternate-tools -- alternate_pic_view | CVE-2019-12893 | Published 2019-06-19 | CVSS 5.0 | Sources: MISC
Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewer!PerfgrapFinalize+0x0000000000a8868.
alternate-tools -- alternate_pic_view | CVE-2019-12894 | Published 2019-06-19 | CVSS 5.0 | Sources: MISC
Alternate Pic View 2.600 has a Read Access Violation at the Instruction Pointer after a call from PicViewer!PerfgrapFinalize+0x0000000000a9a1b.
alternate-tools -- alternate_pic_view | CVE-2019-12895 | Published 2019-06-19 | CVSS 5.0 | Sources: MISC
In Alternate Pic View 2.600, the Exception Handler Chain is Corrupted starting at PicViewer!PerfgrapFinalize+0x0000000000b916d.
apache -- allura | CVE-2019-10085 | Published 2019-06-18 | CVSS 4.3 | Sources: BID, MISC, MLIST
In Apache Allura prior to 1.11.0, a stored XSS vulnerability exists in the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
artha_project -- artha | CVE-2018-18944 | Published 2019-06-18 | CVSS 5.0 | Sources: MISC, MISC
Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow.
b3log -- solo | CVE-2018-16248 | Published 2019-06-20 | CVSS 4.3 | Sources: MISC
b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary web script or HTML via a carefully crafted site name in an admin-authenticated HTTP request.
cisco -- integrated_management_controller | CVE-2019-1631 | Published 2019-06-19 | CVSS 5.0 | Sources: BID, CISCO
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to access potentially sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow an attacker to view sensitive system data.
cisco -- prime_service_catalog | CVE-2019-1874 | Published 2019-06-19 | CVSS 6.8 | Sources: BID, CISCO
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
cloudera -- data_science_workbench | CVE-2018-15665 | Published 2019-06-21 | CVSS 5.0 | Sources: MISC, CONFIRM
An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.2.x through 1.4.0. Unauthenticated users can get a list of user accounts.
columbiaweather -- weather_microserver_firmware | CVE-2018-18876 | Published 2019-06-18 | CVSS 5.0 | Sources: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system.
columbiaweather -- weather_microserver_firmware | CVE-2018-18877 | Published 2019-06-18 | CVSS 6.5 | Sources: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page, config_main.php, that allows manipulation of the device.
columbiaweather -- weather_microserver_firmware | CVE-2018-18879 | Published 2019-06-18 | CVSS 6.5 | Sources: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system, because user input is not sanitized in networkdiags.php.
corel -- paintshop_pro_2019 | CVE-2019-6114 | Published 2019-06-19 | CVSS 6.8 | Sources: MISC
An issue was discovered in Corel PaintShop Pro 2019 21.0.0.119. An integer overflow in the jp2 parsing library allows an attacker to overwrite memory and execute arbitrary code.
craftcms -- craft_cms | CVE-2019-12823 | Published 2019-06-18 | CVSS 4.3 | Sources: MISC, CONFIRM
Craft CMS 3.1.30 has XSS.
creatiwity -- witycms | CVE-2018-16251 | Published 2019-06-20 | CVSS 4.0 | Sources: MISC
A "search for user discovery" injection issue exists in Creatiwity wityCMS 0.6.2 via the "Utilisateur" menu. No input parameters are filtered, e.g., the /admin/user/users Nickname, email, firstname, lastname, and groupe parameters.
debian -- debian_linux | CVE-2019-12248 | Published 2019-06-17 | CVSS 4.3 | Sources: CONFIRM, MISC
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.
dotcms -- dotcms | CVE-2019-12872 | Published 2019-06-18 | CVSS 6.5 | Sources: MISC, MISC
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker with the Publisher role via view_unpushed_bundles.jsp.
dotnetblogengine -- blogengine.net | CVE-2019-10718 | Published 2019-06-21 | CVSS 5.0 | Sources: MISC, MISC
BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.
dotnetblogengine -- blogengine.net | CVE-2019-10719 | Published 2019-06-21 | CVSS 6.5 | Sources: MISC, FULLDISC, MISC
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
dotnetblogengine -- blogengine.net | CVE-2019-10720 | Published 2019-06-21 | CVSS 6.5 | Sources: MISC, FULLDISC, MISC
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
dotnetblogengine -- blogengine.net | CVE-2019-11392 | Published 2019-06-21 | CVSS 5.0 | Sources: MISC
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.
edrawsoft -- edraw_max | CVE-2019-12896 | Published 2019-06-19 | CVSS 5.0 | Sources: MISC
Edraw Max 7.9.3 has Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a77.
edrawsoft -- edraw_max | CVE-2019-12897 | Published 2019-06-19 | CVSS 5.0 | Sources: MISC
Edraw Max 7.9.3 has a Read Access Violation at the Instruction Pointer after a call from ObjectModule!Paint::Clear+0x0000000000000074.
exacq -- enterprise_system_manager | CVE-2019-7588 | Published 2019-06-18 | CVSS 6.9 | Sources: CONFIRM, MISC, MISC, CONFIRM
A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application allows unauthorized privilege escalation. It impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. It does not impact any Windows Server OS, or Linux deployments with permissions that are not inherited from the root directory. Authorized users have "modify" permission on the ESM folders, which allows a low-privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor, providing system-level privileges. A low-privileged user is not able to restart the service, but a restart of the system would trigger execution of the malicious file. This issue affects Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) version 5.12.2 and prior versions. It does not affect exacqVision Enterprise System Manager (ESM) 19.03 and above.
f5 -- big-ip_access_policy_manager | CVE-2019-11478 | Published 2019-06-18 | CVSS 5.0 | Sources: MISC, MISC, MISC, MISC, CONFIRM, CONFIRM, MISC, CERT-VN
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.
f5 -- big-ip_access_policy_manager | CVE-2019-11479 | Published 2019-06-18 | CVSS 5.0 | Sources: BID, MISC, MISC, MISC, MISC, CONFIRM, CONFIRM, MISC, CERT-VN
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.
fasterxml -- jackson-databind | CVE-2019-12814 | Published 2019-06-19 | CVSS 4.3 | Sources: CONFIRM, MLIST, MLIST, MLIST, MLIST, MLIST
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19444 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
A use after free in the TextBox field Validate action in IReader_ContentProvider can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031. An attacker can leverage this to gain remote code execution. Relative to CVE-2018-19452, this has a different free location and requires different JavaScript code for exploitation.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19445 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API app.launchURL is used. An attacker can leverage this to gain remote code execution.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19446 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
A File Write can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API Doc.createDataObject is used. An attacker can leverage this to gain remote code execution.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19447 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
A stack-based buffer overflow can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing the URI string. An attacker can leverage this to gain remote code execution.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19448 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
In Foxit Reader SDK (ActiveX) Professional 5.4.0.1031, an uninitialized object in IReader_ContentProvider::GetDocEventHandler occurs when embedding the control into Office documents. By opening a specially crafted document, an attacker can trigger an out-of-bounds write condition, possibly leveraging this to gain remote code execution.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19449 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
A File Write can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API Doc.exportAsFDF is used. An attacker can leverage this to gain remote code execution.
foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19450 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC
A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing a launch action. An attacker can leverage this to gain remote code execution.
fusionpbx -- fusionpbx | CVE-2019-11407 | Published 2019-06-17 | CVSS 4.0 | Sources: MISC, MISC
app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information.
fusionpbx -- fusionpbx | CVE-2019-11408 | Published 2019-06-17 | CVSS 4.3 | Sources: MISC, MISC, MISC
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.
fusionpbx -- fusionpbx | CVE-2019-11409 | Published 2019-06-17 | CVSS 6.5 | Sources: MISC, MISC, MISC
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
genieaccess -- wip3bvaf_firmware | CVE-2019-7315 | Published 2019-06-17 | CVSS 5.0 | Sources: MISC
Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmware version has this vulnerability (4.x versions exist only for other Genie Access products).
getvera -- veraedge_firmware | CVE-2017-9381 | Published 2019-06-17 | CVSS 6.8 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device lets a user install or delete apps on the device using the web management interface, but it does not implement any cross-site request forgery protection mechanism. An attacker can therefore trick a user who navigates to an attacker-controlled page into installing or deleting an application on the device. Note: the cross-site request forgery is a systemic issue across all other functionalities of the device.
getvera -- veraedge_firmware | CVE-2017-9382 | Published 2019-06-17 | CVSS 4.0 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the URL "/port_3480". The UPnP services provide "file" as one of the service actions, allowing a normal user to read a file stored under the /etc/cmh-lu folder. The action retrieves the value from the "parameters" query string variable and passes it to the internal library function "FileUtils::ReadFileIntoBuffer", which performs no sanitization on the submitted value. This allows an attacker to use directory traversal sequences ("../") and read files from other folders on the device.
getvera -- veraedge_firmware | CVE-2017-9383 | Published 2019-06-17 | CVSS 6.5 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the URL "/port_3480". The UPnP services provide "wget" as one of the service actions, allowing a normal user to connect the device to an external website. The action retrieves the parameter "URL" from the query string and passes it to an internal function that uses the curl module on the device to retrieve the contents of the website.
getvera -- veraedge_firmware | CVE-2017-9385 | Published 2019-06-17 | CVSS 5.0 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Vera Veralite 1.7.481 devices. The device has an additional OpenWRT interface alongside the standard web interface, and it grants the highest privileges a user can obtain on the device. This web interface uses root as the username and the password stored in the /etc/cmh/cmh.conf file, which an attacker can extract using a directory traversal attack and then use to log in to the device with the highest privileges.
getvera -- veraedge_firmware | CVE-2017-9386 | Published 2019-06-17 | CVSS 4.0 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called "get_file.sh" that allows a user to retrieve any file stored in the "cmh-ext" folder on the device. However, the "filename" parameter is not validated correctly, which allows an attacker to traverse outside the /cmh-ext folder and read any file on the device. The "cmh-ext" folder must exist; an attacker can first create it, unauthenticated, and then carry out the directory traversal attack.
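Both CVE-2017-9382 (the UPnP "file" action reading under /etc/cmh-lu) and CVE-2017-9386 (get_file.sh reading under cmh-ext) take a file name from the request and open it relative to a fixed base directory without checking that the result stays inside that directory. The following is an added example of that containment check, written in C; it is not Vera's firmware or get_file.sh. The base directory names in the usage note are the ones the two entries mention; the function names and the lexical-normalization approach are assumptions for illustration.

```c
/* Added example; not Vera's firmware. A containment check for a user-supplied
 * file name: "." and ".." segments are resolved lexically and the request is
 * refused if it would climb out of the base directory. Function names and the
 * lexical approach are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Resolve "." and ".." segments of a relative path without touching the
 * filesystem. Returns 0 and writes the result to out, or -1 if the path is
 * absolute, escapes above its root, resolves to nothing, or does not fit. */
int normalize_relative(const char *in, char *out, size_t outsz)
{
    if (outsz == 0 || in[0] == '/')
        return -1;
    size_t n = 0;                           /* bytes written so far */
    const char *p = in;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (*p == '/')
            p++;                            /* consume separator ("a//b" is fine) */
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;                       /* empty or "." segment */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (n == 0)
                return -1;                  /* ".." with nothing to pop: escape */
            while (n > 0 && out[n - 1] != '/')
                n--;                        /* drop the last segment */
            if (n > 0)
                n--;                        /* and its separator */
            continue;
        }
        if (n + (n ? 1 : 0) + seglen >= outsz)
            return -1;                      /* leave room for the NUL */
        if (n)
            out[n++] = '/';
        memcpy(out + n, seg, seglen);
        n += seglen;
    }
    if (n == 0)
        return -1;                          /* "", "." or "a/.." name no file */
    out[n] = '\0';
    return 0;
}

/* Join base and the normalized request; -1 if the request is refused. */
int resolve_under(const char *base, const char *req, char *out, size_t outsz)
{
    char rel[256];
    if (normalize_relative(req, rel, sizeof rel) != 0)
        return -1;
    int w = snprintf(out, outsz, "%s/%s", base, rel);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

/* Reduces a resolution to one number: 1 if req resolves under base to exactly
 * expect, 0 if it resolves to something else, -1 if it is refused. */
int resolve_matches(const char *base, const char *req, const char *expect)
{
    char buf[512];
    if (resolve_under(base, req, buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, expect) == 0 ? 1 : 0;
}
```

With base "/etc/cmh-lu", a request of "../../etc/passwd" is refused at the first ".." because nothing has been written yet, while "a/b/../c" resolves to "/etc/cmh-lu/a/c". The check is purely lexical, which is what a handler like the one described needs before it ever opens the file; it does not see symlinks, so on a base directory that may contain them the opened path should additionally be confirmed with realpath() against the base.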
getvera -- veraedge_firmware | CVE-2017-9390 | Published 2019-06-17 | CVSS 4.3 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called connect.sh that is supposed to return a specific cookie for the user once the user is authenticated to https://home.getvera.com. One of the parameters retrieved by this script is "RedirectURL". The application lacks strict input validation of this parameter, which allows an attacker to execute client-side code in this application.
gnu -- bash | CVE-2012-6711 | Published 2019-06-18 | CVSS 4.6 | Sources: MISC, BID, MISC
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().
google -- android | CVE-2019-2004 | Published 2019-06-19 | CVSS 4.9 | Sources: MISC
In publishKeyEvent, publishMotionEvent and sendUnchainedFinishedSignal of InputTransport.cpp, there is uninitialized data leading to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-115739809.
google -- android | CVE-2019-2005 | Published 2019-06-19 | CVSS 6.8 | Sources: MISC
In onPermissionGrantResult of GrantPermissionsActivity.java, there is a possible incorrectly granted permission due to a missing permission check. This could lead to local escalation of privilege on a locked device with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-68777217.
i-doit -- i-doit | CVE-2019-6965 | Published 2019-06-18 | CVSS 4.3 | Sources: MISC
An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter.
ibm -- campaign | CVE-2019-4384 | Published 2019-06-19 | CVSS 4.0 | Sources: XF, CONFIRM
IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162172.
ibm -- cloud_private | CVE-2019-4142 | Published 2019-06-18 | CVSS 6.8 | Sources: XF, CONFIRM
IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338.
ibm -- cognos_controller | CVE-2019-4173 | Published 2019-06-17 | CVSS 4.0 | Sources: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to obtain sensitive information, caused by a flaw in the HTTP OPTIONS method, aka Optionsbleed. By sending an OPTIONS HTTP request, a remote attacker could exploit this vulnerability to read secret data from process memory and obtain sensitive information. IBM X-Force ID: 158878.
ibm -- cognos_controller | CVE-2019-4176 | Published 2019-06-17 | CVSS 5.0 | Sources: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to bypass security restrictions, caused by an error related to insecure HTTP methods. An attacker could exploit this vulnerability to gain access to the system. IBM X-Force ID: 158881.
ibm -- infosphere_governance_catalog | CVE-2018-1845 | Published 2019-06-17 | CVSS 5.5 | Sources: XF, CONFIRM
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.
ibm -- marketing_platform | CVE-2017-1107 | Published 2019-06-19 | CVSS 4.0 | Sources: XF, CONFIRM
IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive information in the headers that could be used by an authenticated attacker in further attacks against the system. IBM X-Force ID: 120906.
ishekar -- endoscope_camera_firmware | CVE-2017-10718 | Published 2019-06-17 | CVSS 4.0 | Sources: MISC, MISC, BUGTRAQ
Research on IoT devices found that, in the most recent firmware for the Shekar Endoscope, any malicious user connecting to the device can change the default SSID and password, thereby denying the owner access to their own device. The device is an endoscope camera used in industrial systems and settings, car garages, and in some cases medical clinics, to reach areas that are difficult for a human being to reach. A breach of this system can give an attacker access to the video feed and pictures viewed by the user, and might provide a foothold in air-gapped networks, especially in nationally critical infrastructure and industries.
ishekar -- endoscope_camera_firmware | CVE-2017-10719 | Published 2019-06-17 | CVSS 4.0 | Sources: MISC, MISC, BUGTRAQ
Research on IoT devices found that, in the most recent firmware for the Shekar Endoscope, the device has default Wi-Fi credentials that are exactly the same for every device. The device is an endoscope camera used in industrial systems and settings, car garages, and in some cases medical clinics, to reach areas that are difficult for a human being to reach. A breach of this system can give an attacker access to the video feed and pictures viewed by the user, and might provide a foothold in air-gapped networks, especially in nationally critical infrastructure and industries.
ishekar -- endoscope_camera_firmware | CVE-2017-10720 | Published 2019-06-17 | CVSS 4.6 | Sources: MISC, MISC, BUGTRAQ
Research on IoT devices found that, in the most recent firmware for the Shekar Endoscope, the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed on the device, and an attacker who can provide the right payload can execute code on the user's system directly. A breach of this system can give an attacker access to all the data the user has access to. The application uses a dynamic link library (DLL) called "avilib.dll" to send the binary packets that control the device. One of the actions the DLL provides is the function "sendchangename", which allows a user to change the Wi-Fi name on the device. This function calls a sub-function "sub_75876EA0" at address 0x758784F8, which determines which action to execute based on the parameters sent to it. "sendchangename" passes the data string (the name entered in the text box) as the second argument and the integer 1 as the first argument; the remaining three arguments are set to 0. At address 0x75876F19, "sub_75876EA0" uses the first argument to decide which block to jump to. Since the argument passed is 1, it jumps to 0x75876F20 and proceeds to address 0x75876F56, which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to address 0x75877001, which calls memmove with a stack address as the destination, the value typed by the user as the source, and the length calculated above as the number of bytes to copy. This leads to a stack overflow.
ishekar -- endoscope_camera_firmware | CVE-2017-10721 | Published 2019-06-17 | CVSS 4.0 | Sources: MISC, MISC, BUGTRAQ
Research on IoT devices found that, in the most recent firmware for the Shekar Endoscope, the device has Telnet functionality enabled by default. The device is an endoscope camera used in industrial systems and settings, car garages, and in some cases medical clinics, to reach areas that are difficult for a human being to reach. A breach of this system can give an attacker access to the video feed and pictures viewed by the user, and might provide a foothold in air-gapped networks, especially in nationally critical infrastructure and industries.
ishekar -- endoscope_camera_firmware | CVE-2017-10722 | Published 2019-06-17 | CVSS 4.6 | Sources: MISC, MISC, BUGTRAQ
Research on IoT devices found that, in the most recent firmware for the Shekar Endoscope, the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is installed on the device, and an attacker who can provide the right payload can execute code on the user's system directly. A breach of this system can give an attacker access to all the data the user has access to. The application uses a dynamic link library (DLL) called "avilib.dll" to send the binary packets that control the device. One of the actions the DLL provides is the function "sendchangepass", which allows a user to change the Wi-Fi password on the device. This function calls a sub-function "sub_75876EA0" at address 0x7587857C, which determines which action to execute based on the parameters sent to it. "sendchangepass" passes the data string (the password entered in the text box) as the second argument and the integer 2 as the first argument; the remaining three arguments are set to 0. At address 0x75876F19, "sub_75876EA0" uses the first argument to decide which block to jump to. Since the argument passed is 2, it jumps to 0x7587718C and proceeds to address 0x758771C2, which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to address 0x7587726F, which calls memmove with a stack address as the destination, the password typed by the user as the source, and the length calculated above as the number of bytes to copy. This leads to a stack overflow.
Primary Vendor -- Product: ishekar -- endoscope_camera_firmware
CVE: CVE-2017-10723 | Published: 2019-06-17 | CVSS Score: 6.5 | Source & Patch Info: MISC, MISC, BUGTRAQ
Description: Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to the video feed and pictures viewed by that user and might allow them to get a foothold in air-gapped networks, especially in the case of nation-critical infrastructure/industries. The firmware contains the binary uvc_stream, which is the UDP daemon responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which has the following format: "SETCMD0001+0001+[2 byte length of wifiname]+[Wifiname]". This request is handled by the "control_Dev_thread" function which at address "0x00409AE0" compares the incoming request and determines if the 10th byte is 01; if it is, then it redirects to 0x0040A74C which calls the function "setwifiname". The function "setwifiname" uses a memcpy function but uses the length of the payload obtained by using the strlen function as the third parameter, which is the number of bytes to copy, and this allows an attacker to overflow the function and control the $PC value.

Primary Vendor -- Product: ishekar -- endoscope_camera_firmware
CVE: CVE-2017-10724 | Published: 2019-06-17 | CVSS Score: 6.5 | Source & Patch Info: MISC, MISC, BUGTRAQ
Description: Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to the video feed and pictures viewed by that user and might allow them to get a foothold in air-gapped networks, especially in the case of nation-critical infrastructure/industries. The firmware contains the binary uvc_stream, which is the UDP daemon responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which has the following format: "SETCMD0001+0002+[2 byte length of wifipassword]+[Wifipassword]". This request is handled by the "control_Dev_thread" function which at address "0x00409AE4" compares the incoming request and determines if the 10th byte is 02; if it is, then it redirects to 0x0040A7D8, which calls the function "setwifipassword". The function "setwifipassword" uses a memcpy function but uses the length of the payload obtained by using the strlen function as the third parameter, which is the number of bytes to copy, and this allows an attacker to overflow the function and control the $PC value.

Primary Vendor -- Product: jspxcms -- jspxcms
CVE: CVE-2018-16553 | Published: 2019-06-20 | CVSS Score: 6.5 | Source & Patch Info: MISC, MISC
Description: In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remote code execution after logging in as web admin.

Primary Vendor -- Product: kcodes -- netusb.ko
CVE: CVE-2019-5016 | Published: 2019-06-17 | CVSS Score: 6.4 | Source & Patch Info: BID, MISC
Description: An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.

Primary Vendor -- Product: kcodes -- netusb.ko
CVE: CVE-2019-5017 | Published: 2019-06-17 | CVSS Score: 5.0 | Source & Patch Info: BID, MISC
Description: An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses, one of which can be used to calculate the dynamic base address of the module for further exploitation.

Primary Vendor -- Product: linksys -- wrt1900acs_firmware
CVE: CVE-2019-7579 | Published: 2019-06-17 | CVSS Score: 5.0 | Source & Patch Info: MISC, MISC
Description: An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ability exists for an unauthenticated user to browse a confidential ui/1.0.99.187766/dynamic/js/setup.js.localized file on the router's webserver, allowing for an attacker to identify possible passwords that the system uses to set the default guest network password. An attacker can use this list of 30 words along with a random 2 digit number to brute force their access onto a router's guest network.

Primary Vendor -- Product: linux -- linux_kernel
CVE: CVE-2019-12881 | Published: 2019-06-18 | CVSS Score: 4.6 | Source & Patch Info: MISC
Description: i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.

Primary Vendor -- Product: misp -- misp
CVE: CVE-2019-12868 | Published: 2019-06-17 | CVSS Score: 6.5 | Source & Patch Info: MISC
Description: app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

Primary Vendor -- Product: my-netdata -- netdata
CVE: CVE-2018-18836 | Published: 2019-06-18 | CVSS Score: 4.3 | Source & Patch Info: MISC, MISC, MISC, CONFIRM, MISC
Description: An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.

Primary Vendor -- Product: my-netdata -- netdata
CVE: CVE-2018-18837 | Published: 2019-06-18 | CVSS Score: 5.8 | Source & Patch Info: MISC, MISC, CONFIRM, MISC
Description: An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.

Primary Vendor -- Product: my-netdata -- netdata
CVE: CVE-2018-18838 | Published: 2019-06-18 | CVSS Score: 5.0 | Source & Patch Info: MISC, CONFIRM, MISC
Description: An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry.

Primary Vendor -- Product: my-netdata -- netdata
CVE: CVE-2018-18839 | Published: 2019-06-18 | CVSS Score: 5.0 | Source & Patch Info: MISC, MISC, MISC
Description: ** DISPUTED ** An issue was discovered in Netdata 1.10.0. Full Path Disclosure (FPD) exists via api/v1/alarms. NOTE: the vendor says "is intentional."

Primary Vendor -- Product: nagios -- nagios_xi
CVE: CVE-2018-17148 | Published: 2019-06-19 | CVSS Score: 5.0 | Source & Patch Info: MISC
Description: An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

Primary Vendor -- Product: ngahr -- resourcelink
CVE: CVE-2018-18863 | Published: 2019-06-19 | CVSS Score: 4.0 | Source & Patch Info: MISC
Description: NGA ResourceLink 20.0.2.1 allows local file inclusion.

Primary Vendor -- Product: open-xchange -- open-xchange_appsuite
CVE: CVE-2019-7159 | Published: 2019-06-18 | CVSS Score: 5.0 | Source & Patch Info: MISC, MISC
Description: OX App Suite 7.10.1 and earlier allows Information Exposure.

Primary Vendor -- Product: openfind --
CVE: CVE-
Description: An issue was discovered in Openfind Mail2000 v6 Webmail. XSS can occur via an '