Vulnerability Summary for the Week of June 17, 2019

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

• High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
• Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
• Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by Ug-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of Ug-CERT analysis.

High Vulnerabilities

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info. Each entry below gives the vendor -- product on its first line, then the CVE ID, published date, CVSS score and source/patch references, followed by the description.

actiontec -- t2200h_firmware
CVE-2019-12789 | Published: 2019-06-17 | CVSS: 7.2 | Source & Patch Info: MISC, MISC
An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices, as distributed by Telus. By attaching a UART adapter to the UART pins on the system board, an attacker can use a special key sequence (Ctrl-\) to obtain a shell with root privileges. After gaining root access, the attacker can mount the filesystem read-write and make permanent modifications to the device, including bricking the device, disabling vendor management of the device, preventing automatic upgrades, and permanently installing malicious code on the device.

advantech -- webaccess
CVE-2019-3953 | Published: 2019-06-18 | CVSS: 7.5 | Source & Patch Info: MISC
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.

advantech -- webaccess
CVE-2019-3954 | Published: 2019-06-18 | CVSS: 7.5 | Source & Patch Info: MISC
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.

arenam -- amgallery
CVE-2018-17398 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in the AMGallery 1.2.3 component for Joomla! via the filter_category_id parameter.

bubblesoftapps -- bubbleupnp
CVE-2018-15506 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: CONFIRM
In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
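The file-read half of the BubbleUPnP XXE entry above comes down to one parser setting: whether external general entities are resolved. The following is an added example, not BubbleUPnP's code. It uses Python's stdlib xml.sax parser on a constructed UPnP-style device description whose DOCTYPE points an entity at a local file (a temporary file standing in for something the daemon's user can read); the element names, the payload and the DOCTYPE pre-check are assumptions for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Gathers all character data in the document; enough to see what the
    parser ends up substituting for the entity reference."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts).strip()


def build_xxe_payload(local_path):
    """Constructed attacker payload shaped like a UPnP device description: the
    internal DTD subset declares an external entity backed by a local file and
    friendlyName dereferences it."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file://' + local_path + '"> ]>\n'
        "<root><device><friendlyName>&xxe;</friendlyName></device></root>\n"
    ).encode()


def contains_doctype(xml_bytes):
    """Cheap pre-parse guard (assumption: SSDP/UPnP payloads never need a
    DTD), so any DOCTYPE is grounds to drop the message before parsing."""
    return b"<!DOCTYPE" in xml_bytes


def parse_description(xml_bytes, allow_external_entities):
    """Parse with xml.sax; feature_external_ges is the whole difference
    between the vulnerable and the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo():
    """Returns (text the parser yields with external entities enabled,
    text it yields with them disabled)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret-42")  # stands in for a readable local file
        secret_path = fh.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_description(payload, allow_external_entities=True)
        blocked = parse_description(payload, allow_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(blocked))
```

With the feature on, the file contents replace the entity reference and would travel back to whoever controls the description URL; with it off, the reference is skipped and the element is empty. The SMB capture/relay variants on the page use the same mechanism with a UNC path instead of file://, so the fix is the same: never resolve external entities in network-facing parsers, and reject DOCTYPE outright where the format does not need one.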

bzip -- bzip2
CVE-2019-12900 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

chronoscan -- chronoscan
CVE-2018-15868 | Published: 2019-06-21 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL injection vulnerability in ChronoScan version 1.5.4.3 and earlier allows an unauthenticated attacker to execute arbitrary SQL commands via the wcr_machineid cookie.

cisco -- meeting_server
CVE-2019-1623 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: BID, CISCO
A vulnerability in the CLI configuration shell of Cisco Meeting Server could allow an authenticated, local attacker to inject arbitrary commands as the root user. The vulnerability is due to insufficient input validation during the execution of a vulnerable CLI command. An attacker with administrator-level credentials could exploit this vulnerability by injecting crafted arguments during command execution. A successful exploit could allow the attacker to perform arbitrary code execution as root on an affected product.

columbiaweather -- weather_microserver_firmware
CVE-2018-18878 | Published: 2019-06-18 | CVSS: 7.8 | Source & Patch Info: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable.

deltaww -- devicenet_builder
CVE-2019-12898 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC
Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV starting at image00400000+0x000000000017a45e.

deltaww -- devicenet_builder
CVE-2019-12899 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC
Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV starting at ntdll!RtlQueueWorkItem+0x00000000000005e3.

education_website_project -- education_website
CVE-2018-17840 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL injection exists in Scriptzee Education Website 1.0 via the college_list. subject, city, or country parameter.

ethereum -- ethereumj
CVE-2018-15890 | Published: 2019-06-20 | CVSS: 10.0 | Source & Patch Info: MISC, MISC, MISC
An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server.

f5 -- big-ip_access_policy_manager
CVE-2019-11477 | Published: 2019-06-18 | CVSS: 7.8 | Source & Patch Info: MISC, MLIST, MISC, MISC, MISC, CONFIRM, CONFIRM, MISC, CERT-VN
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

flippa_marketplace_clone_project -- flippa_marketplace_clone
CVE-2018-17841 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL injection exists in Scriptzee Flippa Marketplace Clone 1.0 via the site-search sortBy or sortDir parameter.

fusionpbx -- fusionpbx
CVE-2019-11410 | Published: 2019-06-17 | CVSS: 9.0 | Source & Patch Info: MISC, MISC
app/backup/index. in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host.

getvera -- veraedge_firmware
CVE-2017-9384 | Published: 2019-06-17 | CVSS: 9.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as relay.sh which allows the device to create relay ports and connect the device to Vera servers. This is primarily used as a method of communication between the device and Vera servers so the devices can be communicated with even when the user is not at home. One of the parameters retrieved by this specific script is "remote_host". This parameter is not sanitized by the script correctly and is passed in a call to "eval" to execute another script, where remote_host is concatenated to be passed as a parameter to the second script. This allows an attacker to escape from the executed command and then execute any commands of his/her choice.

getvera -- veraedge_firmware
CVE-2017-9388 | Published: 2019-06-17 | CVSS: 9.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as proxy.sh which allows the device to proxy a specific request to and from another website. This is primarily used as a method of communication between the device and the Vera website when the user is logged in to https://home.getvera.com and allows the device to communicate between the device and website. One of the parameters retrieved by this specific script is "url". This parameter is not sanitized by the script correctly and is passed in a call to "eval" to execute "curl" functionality. This allows an attacker to escape from the executed command and then execute any commands of his/her choice.

getvera -- veraedge_firmware
CVE-2017-9389 | Published: 2019-06-17 | CVSS: 9.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interface allows any user to write his/her application in the Lua language. However, this functionality is not protected by authentication and this allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to the LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)" which actually loads the Lua engine and runs the code.

getvera -- veraedge_firmware
CVE-2017-9391 | Published: 2019-06-17 | CVSS: 9.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "URL" parameter passed in the query string is not sanitized and is stored on the stack, which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when lu_request_image is passed as the "id" parameter in the query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments" and passes a "pointer" to the function where it will be allowed to store the value from the URL parameter. This pointer is passed as the second parameter $a2 to the function "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". However, neither the callee nor the caller in this case performs a simple length check and as a result an attacker who is able to send more than 1336 characters can easily overflow the values stored on the stack, including the $RA value, and thus execute code on the device.

getvera -- veraedge_firmware
CVE-2017-9392 | Published: 2019-06-17 | CVSS: 9.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "res" (resolution) parameter passed in the query string is not sanitized and is stored on the stack, which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when lu_request_image is passed as the "id" parameter in the query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". This function retrieves all the parameters passed in the query string, including "res", and then uses the value passed in it to fill up a buffer using the sprintf function. However, the function in this case lacks a simple length check and as a result an attacker who is able to send more than 184 characters can easily overflow the values stored on the stack, including the $RA value, and thus execute code on the device.

google -- android
CVE-2018-9561 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In llcp_util_parse_connect of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-111660010.

google -- android
CVE-2018-9563 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In llcp_util_parse_cc of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-114237888.

google -- android
CVE-2018-9564 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In llcp_util_parse_link_params of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-114238578.

google -- android
CVE-2019-1985 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In findAvailSpellCheckerLocked of TextServicesManagerService.java, there is a possible way to bypass the warning dialog when selecting an untrusted spell checker due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0. Android ID: A-118694079.

google -- android
CVE-2019-1989 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In ih264d_fmt_conv_420sp_to_420p of ih264d_format_conv.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-118399205.

google -- android
CVE-2019-1990 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In ihevcd_fmt_conv_420sp_to_420p of ihevcd_fmt_conv.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-118453553.

google -- android
CVE-2019-2003 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In addLinks of Linkify.java, there is a possible phishing vector due to an unusual root cause. This could lead to remote code execution or misdirection of clicks with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-116321860.

google -- android
CVE-2019-2006 | Published: 2019-06-19 | CVSS: 10.0 | Source & Patch Info: MISC
In serviceDied of HalDeathHandlerHidl.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege in the audio server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116665972.

google -- android
CVE-2019-2007 | Published: 2019-06-19 | CVSS: 10.0 | Source & Patch Info: MISC
In getReadIndex and getWriteIndex of FifoControllerBase.cpp, there is a possible out-of-bounds write due to an integer overflow. This could lead to local escalation of privilege in the audio server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9. Android ID: A-120789744.

google -- android
CVE-2019-2008 | Published: 2019-06-19 | CVSS: 7.6 | Source & Patch Info: MISC
In createEffect of AudioFlinger.cpp, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-122309228.

google -- android
CVE-2019-2009 | Published: 2019-06-19 | CVSS: 8.3 | Source & Patch Info: MISC
In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120665616.

google -- android
CVE-2019-2010 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-118152591.

google -- android
CVE-2019-2011 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In readNullableNativeHandleNoDup of Parcel.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-120084106.

google -- android
CVE-2019-2012 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In rw_t3t_act_handle_fmt_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120497437.

google -- android
CVE-2019-2013 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In rw_t3t_act_handle_sro_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120497583.

google -- android
CVE-2019-2014 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In rw_t3t_handle_get_sc_poll_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120499324.

google -- android
CVE-2019-2015 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In rw_t3t_act_handle_check_rsp of rw_t3t.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120503926.

google -- android
CVE-2019-2016 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In NFA_SendRawFrame of nfa_dm_api.cc, there is a possible out-of-bound write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120664978.

google -- android
CVE-2019-2017 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-121035711.

google -- android
CVE-2019-2018 | Published: 2019-06-19 | CVSS: 9.3 | Source & Patch Info: MISC
In resetPasswordInternal of DevicePolicyManagerService.java, there is a possible bypass of password reset protection due to an unusual root cause. Remote user interaction is needed for exploitation. Product: Android. Versions: Android-8.1, Android-9. Android ID: A-110172241.

google -- android
CVE-2019-2019 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In ce_t4t_data_cback of ce_t4t.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-115635871.

google -- android
CVE-2019-2020 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In llcp_dlc_proc_rr_rnr_pdu of llcp_dlc.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-116788646.

google -- android
CVE-2019-2021 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In rw_t3t_act_handle_ndef_detect_rsp of rw_t3t.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120428041.

google -- android
CVE-2019-2022 | Published: 2019-06-19 | CVSS: 7.1 | Source & Patch Info: MISC
In rw_t3t_act_handle_fmt_rsp and rw_t3t_act_handle_sro_rsp of rw_t3t.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-120506143.

google -- android
CVE-2019-2023 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller. This could allow an app to add or replace a HAL service with its own service, gaining code execution in a privileged process. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-121035042.

google -- android
CVE-2019-2024 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-111761954. References: Upstream kernel.

google -- android
CVE-2019-2025 | Published: 2019-06-19 | CVSS: 7.2 | Source & Patch Info: MISC
In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-116855682. References: Upstream kernel.

healthnode_hospital_management_system_project -- healthnode_hospital_management_system
CVE-2018-17393 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in HealthNode Hospital Management System 1.0 via the id parameter to dashboard/Patient/info.php or dashboard/Patient/patientdetails.php.

hotel_booking_engine_project -- hotel_booking_engine
CVE-2018-17842 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hotels h_room_type parameter.

ibm -- control_desk
CVE-2019-4364 | Published: 2019-06-19 | CVSS: 8.5 | Source & Patch Info: XF, CONFIRM
IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 161680.

ibm -- tivoli_netcool/impact
CVE-2019-4103 | Published: 2019-06-17 | CVSS: 7.7 | Source & Patch Info: XF, CONFIRM
IBM Tivoli Netcool/Impact 7.1.0 allows remote command execution by a low-privileged user. The remote code execution allows an attacker to execute arbitrary code on the system, which can lead to taking control of the system. IBM X-Force ID: 158094.

infoblox -- nios
CVE-2018-10239 | Published: 2019-06-17 | CVSS: 7.2 | Source & Patch Info: CONFIRM
A privilege escalation vulnerability in the "support access" feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope. The vulnerability is due to a weakness in the "support access" password generation algorithm. A locally authenticated administrative user may be able to exploit this vulnerability if the "support access" feature is enabled, they know the support access code for the current session, and they know the algorithm to generate the support access password from the support access code. "Support access" is disabled by default. When enabled, the access will be automatically disabled (and the support access code will expire) after 24 hours.

jimtawl_project -- jimtawl
CVE-2018-17399 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in the Jimtawl 2.2.7 component for Joomla! via the id parameter.

libgd -- libgd
CVE-2018-15878 | Published: 2019-06-20 | CVSS: 7.5 | Source & Patch Info: MISC
The GD Graphics Library (aka libgd) through 2.2.5 has a Double Free Vulnerability in the gdImageBmpPtr function.

libgd -- libgd
CVE-2018-15879 | Published: 2019-06-20 | CVSS: 7.5 | Source & Patch Info: MISC
The GD Graphics Library (aka libgd) through 2.2.5 has a Double Free Vulnerability in the gdImageBmpPt function.

linux -- linux_kernel
CVE-2019-10126 | Published: 2019-06-14 | CVSS: 7.5 | Source & Patch Info: BID, CONFIRM, MLIST, MLIST, BUGTRAQ, DEBIAN
A flaw was found in the Linux kernel. A heap based buffer overflow in the mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.

linux -- linux_kernel
CVE-2019-3896 | Published: 2019-06-18 | CVSS: 7.2 | Source & Patch Info: BID, CONFIRM
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).

onapp -- onapp
CVE-2019-12491 | Published: 2019-06-19 | CVSS: 8.5 | Source & Patch Info: CONFIRM, MISC
OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to run arbitrary commands with root privileges on servers managed by OnApp for XEN/KVM hypervisors. To exploit the vulnerability an attacker has to have control of a single server on a given cloud (e.g. by renting one). From the source server, the attacker can craft any command and trigger the OnApp platform to execute that command with root privileges on a target server.

open-xchange -- open-xchange_appsuite
CVE-2019-7158 | Published: 2019-06-17 | CVSS: 7.5 | Source & Patch Info: MISC
OX App Suite 7.10.0 and earlier has Incorrect Access Control.

open_faculty_evaluation_system_project -- open_faculty_evaluation_system
CVE-2018-18757 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
Open Faculty Evaluation System 5.6 for PHP 5.6 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18758.

open_faculty_evaluation_system_project -- open_faculty_evaluation_system
CVE-2018-18758 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
Open Faculty Evaluation System 7 for PHP 7 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18757.

oracle -- weblogic_server
CVE-2019-2729 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that the 9.8 quoted in the vendor text is a CVSS 3.0 score; the 7.5 in this bulletin's score column is on the scale used throughout this summary (CVSS v2), so the two figures describe the same issue.

ranksol -- twilio_web_to_fax_machine_system
CVE-2018-17388 | Published: 2019-06-19 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in Twilio WEB To Fax Machine System 1.0 via the email or password parameter to login_check.php, or the id parameter to add_email.php or edit_content.php.

sahipro -- sahi_pro
CVE-2018-20469 | Published: 2019-06-17 | CVSS: 7.5 | Source & Patch Info: MISC, MISC
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to h2 SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.

securifi -- almond+firmware
CVE-2017-8328 | Published: 2019-06-18 | CVSS: 9.3 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into changing a user's password. Also this is a systemic issue.

securifi -- almond+firmware | CVE-2017-8333 | Published 2019-06-18 | CVSS 9.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in passing commands to a "popen" API in the function and thus result in command injection on the device. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA Pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA Pro is identified to be receiving the values sent in the POST request, and the value set in POST parameter "dest" is extracted at address 0x00420FC4. The POST parameter "dest" is concatenated in a route add command and this is passed to a "popen" function at address 0x00421220. This allows an attacker to provide the payload of his/her choice and finally take control of the device.
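The "dest"-into-popen pattern described for CVE-2017-8333, written out as an added C example beside a hardened equivalent. This is the editor's illustration, not the goahead binary's code; the function names, the exact route command and the netmask are assumptions. The same bug class recurs in several other entries of this bulletin (the Sophos XG "dbName", WD My Book Live "language", Columbia Weather networkdiags.php and FusionPBX exec.php command injections), so the fix shown applies to them as well.

```c
/* Added example, not Securifi's goahead code: the "dest"-into-popen
 * pattern from CVE-2017-8333 beside a hardened equivalent. Function
 * names, the exact route command and the netmask are assumptions. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: the POST value is spliced into a command string. popen()
 * runs that string through /bin/sh -c, so ';', '&&', '`' and '$()' in
 * "dest" become further commands executed as the web server's user. */
int route_add_cmd_vulnerable(const char *dest, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "route add -net %s netmask 255.255.255.0", dest);
    return (n > 0 && (size_t)n < cmdlen) ? 0 : -1;
}

void route_add_vulnerable(const char *dest)   /* not called by main or the tests */
{
    char cmd[256];
    if (route_add_cmd_vulnerable(dest, cmd, sizeof cmd) == 0) {
        FILE *fp = popen(cmd, "r");            /* the shell sees the whole string */
        if (fp != NULL) pclose(fp);
    }
}

/* HARDENED, two layers: (1) dest must parse as a dotted-quad IPv4 address,
 * so any shell metacharacter fails inet_pton; (2) no shell is involved:
 * the binary is execv()ed with a fixed argv, each element one opaque string. */
#define ROUTE_ARGC 7
int route_add_argv_safe(const char *dest, char *destbuf, size_t destlen,
                        char *argv[ROUTE_ARGC])
{
    struct in_addr addr;
    if (dest == NULL || strlen(dest) >= destlen) return -1;
    if (inet_pton(AF_INET, dest, &addr) != 1) return -1;   /* "10.0.0.0; reboot" stops here */
    memcpy(destbuf, dest, strlen(dest) + 1);
    argv[0] = "/sbin/route"; argv[1] = "add";     argv[2] = "-net";
    argv[3] = destbuf;       argv[4] = "netmask"; argv[5] = "255.255.255.0";
    argv[6] = NULL;
    return 0;
}

int route_add_safe(const char *dest)
{
    char destbuf[INET_ADDRSTRLEN];
    char *argv[ROUTE_ARGC];
    if (route_add_argv_safe(dest, destbuf, sizeof destbuf, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);                  /* argv[3] arrives as one argument */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hostile = "10.0.0.0; reboot";   /* constructed attacker input */
    char cmd[256];
    if (route_add_cmd_vulnerable(hostile, cmd, sizeof cmd) == 0)
        printf("vulnerable path would hand the shell: %s\n", cmd);
    printf("hardened path %s the same input\n",
           route_add_safe(hostile) == -1 ? "rejects" : "accepts");
    return 0;
}
```

The hardened path refuses the input at inet_pton instead of trying to strip metacharacters, and execv with a fixed argv means a value that slipped past a weaker filter would still reach route(8) as a single argument rather than as shell syntax. route_add_safe actually execs /sbin/route when given a valid address, so run it as root on a device where that binary exists; the checks below exercise only the validation step.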

sophos -- sfos | CVE-2018-16117 | Published 2019-06-20 | CVSS 9.0 | Source & Patch Info: CONFIRM, MISC, MISC
A shell escape vulnerability in /webconsole/Controller in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allows remote authenticated attackers to execute arbitrary OS commands via shell metacharacters in the "dbName" POST parameter.

thephpfactory -- auction_factory | CVE-2018-17374 | Published 2019-06-19 | CVSS 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in the Auction Factory 4.5.5 component for Joomla! via the filter_order_Dir or filter_order parameter.

thephpfactory -- dutch_auction_factory | CVE-2018-17381 | Published 2019-06-19 | CVSS 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in the Dutch Auction Factory 2.0.2 component for Joomla! via the filter_order_Dir or filter_order parameter.

thephpfactory -- micro_deal_factory | CVE-2018-17386 | Published 2019-06-19 | CVSS 7.5 | Source & Patch Info: MISC, MISC
SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joomla! via the id parameter, or the PATH_INFO to mydeals/ or listdeals/.

tp-link -- tl-wr1043nd_firmware | CVE-2019-6971 | Published 2019-06-19 | CVSS 10.0 | Source & Patch Info: MISC, MISC
An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface, and fully control the router without knowledge of the credentials.

videolan -- vlc_media_player | CVE-2019-12874 | Published 2019-06-18 | CVSS 7.5 | Source & Patch Info: MISC
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer, while parsing a malformed MKV file type, has a double free.

webmin -- webmin | CVE-2019-12840 | Published 2019-06-15 | CVSS 9.0 | Source & Patch Info: MISC, BID, MISC, MISC
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

westerndigital -- my_book_live_firmware | CVE-2018-18472 | Published 2019-06-19 | CVSS 10.0 | Source & Patch Info: MISC, MISC
Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.

whatsapp -- whatsapp | CVE-2018-20655 | Published 2019-06-14 | CVSS 7.5 | Source & Patch Info: BID, MISC
When receiving calls using WhatsApp for iOS, a missing size check when parsing a sender-provided packet allowed for a stack-based overflow. This issue affects WhatsApp for iOS prior to v2.18.90.24 and WhatsApp Business for iOS prior to v2.18.90.24.

whatsapp -- whatsapp | CVE-2018-6350 | Published 2019-06-14 | CVSS 7.5 | Source & Patch Info: BID, MISC
An out-of-bounds read was possible in WhatsApp due to incorrect parsing of RTP extension headers. This issue affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224.
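The size check an RTP header parser needs before it trusts the extension length field, as an added C example for the WhatsApp entry above (CVE-2018-6350). The bulletin does not say which check WhatsApp's parser missed, so this illustrates the bug class rather than the actual defect: the header layout follows RFC 3550 section 5.3.1, the function names are the editor's, and the two datagrams are constructed for the example, not captured traffic.

```c
/* Added example, not WhatsApp code: the bounds check an RTP parser needs
 * before trusting the header-extension length field. Layout per RFC 3550
 * section 5.3.1; the datagrams below are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HDR 12

/* FLAWED: believes the 16-bit extension length (in 32-bit words) without
 * comparing it to the bytes received. The offset it returns can lie past
 * the datagram, and a caller reading the payload from it reads out of
 * bounds. Only fed packets whose extension header itself is present. */
int rtp_payload_offset_unchecked(const uint8_t *pkt, size_t len)
{
    if (len < RTP_FIXED_HDR) return -1;
    size_t off = RTP_FIXED_HDR + (size_t)(pkt[0] & 0x0f) * 4;   /* skip CSRC list */
    if (pkt[0] & 0x10) {                                         /* X bit set */
        size_t ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4 + ext_words * 4;                                /* trusted blindly */
    }
    return (int)off;
}

/* CHECKED: every length derived from the packet is compared with what
 * remains before it is used. Returns the payload offset, or -1. */
int rtp_payload_offset(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < RTP_FIXED_HDR) return -1;
    if ((pkt[0] >> 6) != 2) return -1;                           /* RTP version 2 only */
    size_t off = RTP_FIXED_HDR + (size_t)(pkt[0] & 0x0f) * 4;
    if (off > len) return -1;                                    /* CSRC list truncated */
    if (pkt[0] & 0x10) {
        if (len - off < 4) return -1;                            /* no room for ext header */
        size_t ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (ext_words * 4 > len - off) return -1;                /* the check this class lacks */
        off += ext_words * 4;
    }
    if (pkt[0] & 0x20) {                                         /* P bit: last byte = pad count */
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > len - off) return -1;
    }
    return (int)off;
}

/* Constructed datagram: V=2, X=1, CC=0, PT=96, one extension word, 2 payload bytes. */
const uint8_t rtp_good[] = {
    0x90, 0x60, 0x00, 0x01,  0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x20,
    0xBE, 0xDE, 0x00, 0x01,  0x11, 0x22, 0x33, 0x44,  0xAA, 0xBB
};
/* Same datagram, but the extension claims 255 words (1020 bytes) in 22 bytes. */
const uint8_t rtp_bad[] = {
    0x90, 0x60, 0x00, 0x01,  0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x20,
    0xBE, 0xDE, 0x00, 0xFF,  0x11, 0x22, 0x33, 0x44,  0xAA, 0xBB
};

int main(void)
{
    printf("good: payload at offset %d of %zu bytes\n",
           rtp_payload_offset(rtp_good, sizeof rtp_good), sizeof rtp_good);
    printf("bad, unchecked: offset %d of %zu bytes\n",
           rtp_payload_offset_unchecked(rtp_bad, sizeof rtp_bad), sizeof rtp_bad);
    printf("bad, checked: %d\n", rtp_payload_offset(rtp_bad, sizeof rtp_bad));
    return 0;
}
```

The unchecked parser returns an offset of 1036 for a 22-byte datagram; any code that then reads the payload from that offset is the out-of-bounds read. The checked parser fails closed on the same input and on truncated CSRC lists, truncated extension headers and impossible padding counts.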

zohocorp -- manageengine_adselfservice_plus | CVE-2019-12476 | Published 2019-06-17 | CVSS 7.2 | Source & Patch Info: BID, MISC, MISC
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

zohocorp -- manageengine_analytics_plus | CVE-2019-12133 | Published 2019-06-18 | CVSS 7.2 | Source & Patch Info: MISC, CONFIRM
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

Medium Vulnerabilities

Primary Vendor -- Product | CVE | Published | CVSS Score | Source & Patch Info (description follows each row)

afian -- filerun | CVE-2019-12905 | Published 2019-06-20 | CVSS 4.3 | Source & Patch Info: MISC
FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman&section=do&page=up URI.

alpinelinux -- abuild | CVE-2019-12875 | Published 2019-06-18 | CVSS 4.0 | Source & Patch Info: MISC, MISC
Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key.

alternate-tools -- alternate_pic_view | CVE-2019-12893 | Published 2019-06-19 | CVSS 5.0 | Source & Patch Info: MISC
Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewer!PerfgrapFinalize+0x00000000000a8868.

alternate-tools -- alternate_pic_view | CVE-2019-12894 | Published 2019-06-19 | CVSS 5.0 | Source & Patch Info: MISC
Alternate Pic View 2.600 has a Read Access Violation at the Instruction Pointer after a call from PicViewer!PerfgrapFinalize+0x00000000000a9a1b.

alternate-tools -- alternate_pic_view | CVE-2019-12895 | Published 2019-06-19 | CVSS 5.0 | Source & Patch Info: MISC
In Alternate Pic View 2.600, the Exception Handler Chain is Corrupted starting at PicViewer!PerfgrapFinalize+0x00000000000b916d.

apache -- allura | CVE-2019-10085 | Published 2019-06-18 | CVSS 4.3 | Source & Patch Info: BID, MISC, MLIST
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.

artha_project -- artha | CVE-2018-18944 | Published 2019-06-18 | CVSS 5.0 | Source & Patch Info: MISC, MISC
Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow.

b3log -- solo | CVE-2018-16248 | Published 2019-06-20 | CVSS 4.3 | Source & Patch Info: MISC
b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request.

cisco -- integrated_management_controller | CVE-2019-1631 | Published 2019-06-19 | CVSS 5.0 | Source & Patch Info: BID, CISCO
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to access potentially sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow an attacker to view sensitive system data.

cisco -- prime_service_catalog | CVE-2019-1874 | Published 2019-06-19 | CVSS 6.8 | Source & Patch Info: BID, CISCO
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

cloudera -- data_science_workbench | CVE-2018-15665 | Published 2019-06-21 | CVSS 5.0 | Source & Patch Info: MISC, CONFIRM
An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.2.x through 1.4.0. Unauthenticated users can get a list of user accounts.

columbiaweather -- weather_microserver_firmware | CVE-2018-18876 | Published 2019-06-18 | CVSS 5.0 | Source & Patch Info: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system.

columbiaweather -- weather_microserver_firmware | CVE-2018-18877 | Published 2019-06-18 | CVSS 6.5 | Source & Patch Info: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device.

columbiaweather -- weather_microserver_firmware | CVE-2018-18879 | Published 2019-06-18 | CVSS 6.5 | Source & Patch Info: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.

corel -- paintshop_pro_2019 | CVE-2019-6114 | Published 2019-06-19 | CVSS 6.8 | Source & Patch Info: MISC
An issue was discovered in Corel PaintShop Pro 2019 21.0.0.119. An integer overflow in the jp2 parsing library allows an attacker to overwrite memory and to execute arbitrary code.

craftcms -- craft_cms | CVE-2019-12823 | Published 2019-06-18 | CVSS 4.3 | Source & Patch Info: MISC, CONFIRM
Craft CMS 3.1.30 has XSS.

creatiwity -- witycms | CVE-2018-16251 | Published 2019-06-20 | CVSS 4.0 | Source & Patch Info: MISC
A "search for user discovery" injection issue exists in Creatiwity wityCMS 0.6.2 via the "Utilisateur" menu. No input parameters are filtered, e.g., the /admin/user/users Nickname, email, firstname, lastname, and groupe parameters.

debian -- debian_linux | CVE-2019-12248 | Published 2019-06-17 | CVSS 4.3 | Source & Patch Info: CONFIRM, MISC
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.

dotcms -- dotcms | CVE-2019-12872 | Published 2019-06-18 | CVSS 6.5 | Source & Patch Info: MISC, MISC
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.

dotnetblogengine -- blogengine.net | CVE-2019-10718 | Published 2019-06-21 | CVSS 5.0 | Source & Patch Info: MISC, MISC
BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.

dotnetblogengine -- blogengine.net | CVE-2019-10719 | Published 2019-06-21 | CVSS 6.5 | Source & Patch Info: MISC, FULLDISC, MISC
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

dotnetblogengine -- blogengine.net | CVE-2019-10720 | Published 2019-06-21 | CVSS 6.5 | Source & Patch Info: MISC, FULLDISC, MISC
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

dotnetblogengine -- blogengine.net | CVE-2019-11392 | Published 2019-06-21 | CVSS 5.0 | Source & Patch Info: MISC
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.

edrawsoft -- edraw_max | CVE-2019-12896 | Published 2019-06-19 | CVSS 5.0 | Source & Patch Info: MISC
Edraw Max 7.9.3 has Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a77.

edrawsoft -- edraw_max | CVE-2019-12897 | Published 2019-06-19 | CVSS 5.0 | Source & Patch Info: MISC
Edraw Max 7.9.3 has a Read Access Violation at the Instruction Pointer after a call from ObjectModule!Paint::Clear+0x0000000000000074.

exacq -- enterprise_system_manager | CVE-2019-7588 | Published 2019-06-18 | CVSS 6.9 | Source & Patch Info: CONFIRM, MISC, MISC, CONFIRM
A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can potentially be achieved. This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact any Windows Server OSs, or Linux deployments with permissions that are not inherited from the root directory. Authorized Users have "modify" permission to the ESM folders, which allows a low privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor providing system level privileges. A low privileged user is not able to restart the service, but a restart of the system would trigger the execution of the malicious file. This issue affects: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) Version 5.12.2 and prior versions; This issue does not affect: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) 19.03 and above.

f5 -- big-ip_access_policy_manager | CVE-2019-11478 | Published 2019-06-18 | CVSS 5.0 | Source & Patch Info: MISC, MISC, MISC, MISC, CONFIRM, CONFIRM, MISC, CERT-VN
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

f5 -- big-ip_access_policy_manager | CVE-2019-11479 | Published 2019-06-18 | CVSS 5.0 | Source & Patch Info: BID, MISC, MISC, MISC, MISC, CONFIRM, CONFIRM, MISC, CERT-VN
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

fasterxml -- jackson-databind | CVE-2019-12814 | Published 2019-06-19 | CVSS 4.3 | Source & Patch Info: CONFIRM, MLIST, MLIST, MLIST, MLIST, MLIST
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19444 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
A use after free in the TextBox field Validate action in IReader_ContentProvider can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031. An attacker can leverage this to gain remote code execution. Relative to CVE-2018-19452, this has a different free location and requires different JavaScript code for exploitation.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19445 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API app.launchURL is used. An attacker can leverage this to gain remote code execution.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19446 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
A File Write can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API Doc.createDataObject is used. An attacker can leverage this to gain remote code execution.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19447 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
A stack-based buffer overflow can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing the URI string. An attacker can leverage this to gain remote code execution.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19448 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
In Foxit Reader SDK (ActiveX) Professional 5.4.0.1031, an uninitialized object in IReader_ContentProvider::GetDocEventHandler occurs when embedding the control into Office documents. By opening a specially crafted document, an attacker can trigger an out of bounds write condition, possibly leveraging this to gain remote code execution.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19449 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
A File Write can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API Doc.exportAsFDF is used. An attacker can leverage this to gain remote code execution.

foxitsoftware -- foxit_pdf_sdk_activex | CVE-2018-19450 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC
A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing a launch action. An attacker can leverage this to gain remote code execution.

fusionpbx -- fusionpbx | CVE-2019-11407 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: MISC, MISC
app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information.

fusionpbx -- fusionpbx | CVE-2019-11408 | Published 2019-06-17 | CVSS 4.3 | Source & Patch Info: MISC, MISC, MISC
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.

fusionpbx -- fusionpbx | CVE-2019-11409 | Published 2019-06-17 | CVSS 6.5 | Source & Patch Info: MISC, MISC, MISC
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.

genieaccess -- wip3bvaf_firmware | CVE-2019-7315 | Published 2019-06-17 | CVSS 5.0 | Source & Patch Info: MISC
Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmware version has this vulnerability (4.x versions exist only for other Genie Access products).

getvera -- veraedge_firmware | CVE-2017-9381 | Published 2019-06-17 | CVSS 6.8 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a user with the capability of installing or deleting apps on the device using the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who navigates to an attacker controlled page to install or delete an application on the device. Note: The cross-site request forgery is a systemic issue across all other functionalities of the device.

getvera -- veraedge_firmware | CVE-2017-9382 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "file" as one of the service actions for a normal user to read a file that is stored under the /etc/cmh-lu folder. It retrieves the value from the "parameters" query string variable and then passes it to an internal function "FileUtils::ReadFileIntoBuffer" which is a library function that does not perform any sanitization on the value submitted and this allows an attacker to use directory traversal characters "../" and read files from other folders within the device.

getvera -- veraedge_firmware | CVE-2017-9383 | Published 2019-06-17 | CVSS 6.5 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "wget" as one of the service actions for a normal user to connect the device to an external website. It retrieves the parameter "URL" from the query string and then passes it to an internal function that uses the curl module on the device to retrieve the contents of the website.

getvera -- veraedge_firmware | CVE-2017-9385 | Published 2019-06-17 | CVSS 5.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera Veralite 1.7.481 devices. The device has an additional OpenWRT interface in addition to the standard web interface which allows the highest privileges a user can obtain on the device. This web interface uses root as the username and the password in the /etc/cmh/cmh.conf file which can be extracted by an attacker using a directory traversal attack, and then log in to the device with the highest privileges.

getvera -- veraedge_firmware | CVE-2017-9386 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called "get_file.sh" which allows a user to retrieve any file stored in the "cmh-ext" folder on the device. However, the "filename" parameter is not validated correctly and this allows an attacker to directory traverse outside the /cmh-ext folder and read any file on the device. It is necessary to create the folder "cmh-ext" on the device which can be executed by an attacker first in an unauthenticated fashion and then execute a directory traversal attack.
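A lexical containment check for the two Vera file-read paths above (the "file" UPnP action of CVE-2017-9382 and get_file.sh of CVE-2017-9386), as an added C example that is not Vera's code. join_under_base is an assumed name; /etc/cmh-lu and /etc/cmh/cmh.conf are the paths the entries themselves name, and the probe strings are constructed for the example. The same check would have stopped the Genie Access and Columbia Weather traversals listed in this bulletin.

```c
/* Added example, not Vera firmware code: lexical containment of a
 * user-supplied file name under a base directory, the check the "file"
 * UPnP action (CVE-2017-9382) and get_file.sh (CVE-2017-9386) lacked.
 * join_under_base is an assumed name; the paths come from the entries. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH_IN 1024
#define MAX_SEGS    64

/* Resolves "." and ".." against the user path alone, so a path that would
 * climb above base is refused rather than resolved by the kernel. Writes
 * base/<normalized> to out and returns 0, or -1 for an absolute path, an
 * escape, an empty result or overflow. Lexical only: a symlink inside base
 * still needs realpath()/O_NOFOLLOW at open time. Decode URL escapes once
 * before calling, never after. */
int join_under_base(const char *base, const char *user, char *out, size_t outlen)
{
    char buf[MAX_PATH_IN];
    const char *segs[MAX_SEGS];
    size_t nsegs = 0;

    if (base == NULL || user == NULL || out == NULL) return -1;
    if (user[0] == '/' || strlen(user) >= sizeof buf) return -1;   /* absolute or too long */
    memcpy(buf, user, strlen(user) + 1);

    for (char *p = buf; *p != '\0'; ) {
        char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        if (*p == '/') *p++ = '\0';
        if (seg[0] == '\0' || strcmp(seg, ".") == 0) continue;   /* "//" and "." are no-ops */
        if (strcmp(seg, "..") == 0) {
            if (nsegs == 0) return -1;                            /* "../cmh/cmh.conf" fails here */
            nsegs--;
            continue;
        }
        if (nsegs == MAX_SEGS) return -1;
        segs[nsegs++] = seg;
    }
    if (nsegs == 0) return -1;                                    /* no file named */

    size_t used = strlen(base);
    if (used >= outlen) return -1;
    memcpy(out, base, used);
    for (size_t i = 0; i < nsegs; i++) {
        size_t l = strlen(segs[i]);
        if (used + 1 + l >= outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], l);
        used += l;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed probes: one legitimate name, the cmh.conf traversal from
     * CVE-2017-9385, a deeper climb, a harmless "./.." mix, an absolute path. */
    const char *probes[] = { "conf/user.json", "../cmh/cmh.conf",
                             "a/../../etc/passwd", "a/./b/../c", "/etc/passwd" };
    char out[512];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-22s -> %s\n", probes[i],
               join_under_base("/etc/cmh-lu", probes[i], out, sizeof out) == 0 ? out : "REJECTED");
    return 0;
}
```

Resolving ".." against the user string rather than against the real filesystem is the point: once "/etc/cmh-lu/../cmh/cmh.conf" has been handed to open(2) the kernel happily walks it. Applying this check after URL decoding, and once only, also closes the "%2e%2e%2f" variants that a plain "../" substring filter misses.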

getvera -- veraedge_firmware | CVE-2017-9390 | Published 2019-06-17 | CVSS 4.3 | Source & Patch Info: MISC, MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called connect.sh which is supposed to return a specific cookie for the user when the user is authenticated to https://home.getvera.com. One of the parameters retrieved by this script is "RedirectURL". However, the application lacks strict input validation of this parameter and this allows an attacker to execute the client-side code on this application.

gnu -- bash | CVE-2012-6711 | Published 2019-06-18 | CVSS 4.6 | Source & Patch Info: MISC, BID, MISC
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().

google -- android | CVE-2019-2004 | Published 2019-06-19 | CVSS 4.9 | Source & Patch Info: MISC
In publishKeyEvent, publishMotionEvent and sendUnchainedFinishedSignal of InputTransport.cpp, there are uninitialized data leading to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-115739809.

google -- android | CVE-2019-2005 | Published 2019-06-19 | CVSS 6.8 | Source & Patch Info: MISC
In onPermissionGrantResult of GrantPermissionsActivity.java, there is a possible incorrectly granted permission due to a missing permission check. This could lead to local escalation of privilege on a locked device with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-68777217.

i-doit -- i-doit | CVE-2019-6965 | Published 2019-06-18 | CVSS 4.3 | Source & Patch Info: MISC
An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter.

ibm -- campaign | CVE-2019-4384 | Published 2019-06-19 | CVSS 4.0 | Source & Patch Info: XF, CONFIRM
IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162172.

ibm -- cloud_private | CVE-2019-4142 | Published 2019-06-18 | CVSS 6.8 | Source & Patch Info: XF, CONFIRM
IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338.

ibm -- cognos_controller | CVE-2019-4173 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to obtain sensitive information, caused by a flaw in the HTTP OPTIONS method, aka Optionsbleed. By sending an OPTIONS HTTP request, a remote attacker could exploit this vulnerability to read secret data from process memory and obtain sensitive information. IBM X-Force ID: 158878.

ibm -- cognos_controller | CVE-2019-4176 | Published 2019-06-17 | CVSS 5.0 | Source & Patch Info: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to bypass security restrictions, caused by an error related to insecure HTTP Methods. An attacker could exploit this vulnerability to gain access to the system. IBM X-Force ID: 158881.

ibm -- infosphere_governance_catalog | CVE-2018-1845 | Published 2019-06-17 | CVSS 5.5 | Source & Patch Info: XF, CONFIRM
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.

ibm -- marketing_platform | CVE-2017-1107 | Published 2019-06-19 | CVSS 4.0 | Source & Patch Info: XF, CONFIRM
IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive information in the headers that could be used by an authenticated attacker in further attacks against the system. IBM X-Force ID: 120906.

ishekar -- endoscope_camera_firmware | CVE-2017-10718 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that any malicious user connecting to the device can change the default SSID and password thereby denying the owner an access to his/her own device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries.

ishekar -- endoscope_camera_firmware | CVE-2017-10719 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has default Wi-Fi credentials that are exactly the same for every device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries.

ishekar -- endoscope_camera_firmware | CVE-2017-10720 | Published 2019-06-17 | CVSS 4.6 | Source & Patch Info: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed on the device and an attacker who can provide the right payload can execute code on the user's system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access to. The application uses a dynamic link library (DLL) called "avilib.dll" which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function "sendchangename" which allows a user to change the Wi-Fi name on the device. This function calls a sub function "sub_75876EA0" at address 0x758784F8. The function determines which action to execute based on the parameters sent to it. The "sendchangename" passes the datastring as the second argument which is the name we enter in the textbox and integer 1 as first argument. The rest of the 3 arguments are set to 0. The function "sub_75876EA0" at address 0x75876F19 uses the first argument received to determine which block to jump to. Since the argument passed is 1, it jumps to 0x75876F20 and proceeds from there to address 0x75876F56 which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to the address 0x75877001 which calls the memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow.

ishekar -- endoscope_camera_firmware | CVE-2017-10721 | Published 2019-06-17 | CVSS 4.0 | Source & Patch Info: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foot hold in air gapped networks especially in case of nation critical infrastructure/industries.

ishekar -- endoscope_camera_firmware | CVE-2017-10722 | Published 2019-06-17 | CVSS 4.6 | Source & Patch Info: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is installed on the device and an attacker who can provide the right payload can execute code on the user's system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access to. The application uses a dynamic link library (DLL) called "avilib.dll" which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function "sendchangepass" which allows a user to change the Wi-Fi password on the device. This function calls a sub function "sub_75876EA0" at address 0x7587857C. The function determines which action to execute based on the parameters sent to it. The "sendchangepass" passes the datastring as the second argument which is the password we enter in the textbox and integer 2 as first argument. The rest of the 3 arguments are set to 0. The function "sub_75876EA0" at address 0x75876F19 uses the first argument received to determine which block to jump to. Since the argument passed is 2, it jumps to 0x7587718C and proceeds from there to address 0x758771C2 which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to the address 0x7587726F which calls a memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow.

ishekar -- endoscope_camera_firmware | CVE-2017-10723 | CVSS 6.5 | Published 2019-06-17 | Sources: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foothold in air gapped networks, especially in case of nation critical infrastructure/industries. The firmware contains binary uvc_stream that is the UDP daemon which is responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which contains the following format: "SETCMD0001+0001+[2 byte length of wifiname]+[Wifiname]". This request is handled by the "control_Dev_thread" function which at address "0x00409AE0" compares the incoming request and determines if the 10th byte is 01 and if it is then it redirects to 0x0040A74C which calls the function "setwifiname". The function "setwifiname" uses a memcpy function but uses the length of the payload obtained by using the strlen function as the third parameter, which is the number of bytes to copy, and this allows an attacker to overflow the function and control the $PC value.

ishekar -- endoscope_camera_firmware | CVE-2017-10724 | CVSS 6.5 | Published 2019-06-17 | Sources: MISC, MISC, BUGTRAQ
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car garages, and also in some cases in the medical clinics to get access to areas that are difficult for a human being to reach. Any breach of this system can allow an attacker to get access to video feed and pictures viewed by that user and might allow them to get a foothold in air gapped networks, especially in case of nation critical infrastructure/industries. The firmware contains binary uvc_stream that is the UDP daemon which is responsible for handling all the UDP requests that the device receives. The client application sends a UDP request to change the Wi-Fi name which contains the following format: "SETCMD0001+0002+[2 byte length of wifipassword]+[Wifipassword]". This request is handled by the "control_Dev_thread" function which at address "0x00409AE4" compares the incoming request and determines if the 10th byte is 02 and if it is then it redirects to 0x0040A7D8, which calls the function "setwifipassword". The function "setwifipassword" uses a memcpy function but uses the length of the payload obtained by using the strlen function as the third parameter, which is the number of bytes to copy, and this allows an attacker to overflow the function and control the $PC value.

jspxcms -- jspxcms | CVE-2018-16553 | CVSS 6.5 | Published 2019-06-20 | Sources: MISC, MISC
In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remote code execution after logging in as web admin.

kcodes -- netusb.ko | CVE-2019-5016 | CVSS 6.4 | Published 2019-06-17 | Sources: BID, MISC
An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.

kcodes -- netusb.ko | CVE-2019-5017 | CVSS 5.0 | Published 2019-06-17 | Sources: BID, MISC
An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses, one of which can be used to calculate the dynamic base address of the module for further exploitation.

linksys -- wrt1900acs_firmware | CVE-2019-7579 | CVSS 5.0 | Published 2019-06-17 | Sources: MISC, MISC
An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ability exists for an unauthenticated user to browse a confidential ui/1.0.99.187766/dynamic/js/setup.js.localized file on the router's webserver, allowing for an attacker to identify possible passwords that the system uses to set the default guest network password. An attacker can use this list of 30 words along with a random 2 digit number to brute force their access onto a router's guest network.

linux -- linux_kernel | CVE-2019-12881 | CVSS 4.6 | Published 2019-06-18 | Sources: MISC
i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.

misp -- misp | CVE-2019-12868 | CVSS 6.5 | Published 2019-06-17 | Sources: MISC
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

my-netdata -- netdata | CVE-2018-18836 | CVSS 4.3 | Published 2019-06-18 | Sources: MISC, MISC, MISC, CONFIRM, MISC
An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.

my-netdata -- netdata | CVE-2018-18837 | CVSS 5.8 | Published 2019-06-18 | Sources: MISC, MISC, CONFIRM, MISC
An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.

my-netdata -- netdata | CVE-2018-18838 | CVSS 5.0 | Published 2019-06-18 | Sources: MISC, CONFIRM, MISC
An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry.

my-netdata -- netdata | CVE-2018-18839 | CVSS 5.0 | Published 2019-06-18 | Sources: MISC, MISC, MISC
** DISPUTED ** An issue was discovered in Netdata 1.10.0. Full Path Disclosure (FPD) exists via api/v1/alarms. NOTE: the vendor says "is intentional."

nagios -- nagios_xi | CVE-2018-17148 | CVSS 5.0 | Published 2019-06-19 | Sources: MISC
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

ngahr -- resourcelink | CVE-2018-18863 | CVSS 4.0 | Published 2019-06-19 | Sources: MISC
NGA ResourceLink 20.0.2.1 allows local file inclusion.

open-xchange -- open-xchange_appsuite | CVE-2019-7159 | CVSS 5.0 | Published 2019-06-18 | Sources: MISC, MISC
OX App Suite 7.10.1 and earlier allows Information Exposure.

openfind -- (product cut off in source) | CVE-(number cut off in source)
An issue was discovered in Openfind Mail2000 v6 Webmail. XSS can occur via an '

sahipro -- sahi_pro | CVE-2018-20472 | CVSS 4.3 | Published 2019-06-17 | Sources: MISC, MISC
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS.

samba -- samba | CVE-2019-12435 | CVSS 4.0 | Published 2019-06-19 | Sources: BID, UBUNTU, CONFIRM
Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer dereference, leading to Denial of Service. This is related to the AD DC DNS management server (dnsserver) RPC server process.

samba -- samba | CVE-2019-12436 | CVSS 4.0 | Published 2019-06-19 | Sources: BID, UBUNTU, CONFIRM
Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have directory read access in order to attempt an exploit.

securifi -- almond+firmware | CVE-2017-8329 | CVSS 4.6 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting a name for the wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this request to set up names on the device do not have a string length check on them. This allows an attacker to send a large payload in the "mssid_1" POST parameter. The device also allows a user to view the name of the Wifi Network set by the user. While processing this request, the device calls a function at address 0x00412CE4 (routerSummary) in the binary "webServer" located in the Almond folder, which retrieves the value set earlier by the "mssid_1" parameter as SSID2, and this value then results in overflowing the stack set up for this function and allows an attacker to control the $ra register value on the stack, which allows an attacker to control the device by executing a payload of an attacker's choice. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA pro is identified to be receiving the values sent in the POST parameter "mssid_1" at address 0x0042BA00 and then sets them in the NVRAM at address 0x0042C314. The value is later retrieved in the function at address 0x00412EAC and this results in overflowing the buffer as the function copies the value directly on the stack.

securifi -- almond+firmware | CVE-2017-8331 | CVSS 6.5 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new port forwarding rules to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in passing commands to a "system" API in the function and thus result in command injection on the device. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_43C280 in IDA pro is identified to be receiving the values sent in the POST request, and the value set in the POST parameter "ip_address" is extracted at address 0x0043C2F0. The POST parameter "ipaddress" is concatenated at address 0x0043C958 and this is passed to a "system" function at address 0x00437284. This allows an attacker to provide the payload of his/her choice and finally take control of the device.

securifi -- almond+firmware | CVE-2017-8332 | CVSS 6.5 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking key words passing in the web traffic to prevent kids from watching content that might be deemed unsafe using the web management interface. It seems that the device does not implement any cross-site scripting protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a stored cross-site scripting payload on the user's browser and execute any action on the device provided by the web management interface.

securifi -- almond+firmware | CVE-2017-8334 | CVSS 6.0 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking IP addresses using the web management interface. It seems that the device does not implement any cross-site scripting forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site scripting payload on the user's browser and execute any action on the device provided by the web management interface.

securifi -- almond+firmware | CVE-2017-8335 | CVSS 6.0 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting a name for the wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this request to set up names on the device do not have a string length check on them. This allows an attacker to send a large payload in the "mssid_1" POST parameter. The device also allows a user to view the name of the Wifi Network set by the user. While processing this request, the device calls a function named "getCfgToHTML" at address 0x004268A8 which retrieves the value set earlier by the "mssid_1" parameter as SSID2, and this value then results in overflowing the stack set up for this function and allows an attacker to control the $ra register value on the stack, which allows an attacker to control the device by executing a payload of an attacker's choice. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA pro is identified to be receiving the values sent in the POST parameter "mssid_1" at address 0x0042BA00 and then sets them in the NVRAM at address 0x0042C314. The value is later retrieved in the function "getCfgToHTML" at address 0x00426924 and this results in overflowing the buffer due to the "strcat" function that is utilized by this function.

securifi -- almond+firmware | CVE-2017-8336 | CVSS 6.5 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in overflowing the stack set up and allow an attacker to control the $ra register stored on the stack. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_00420F38 in IDA pro is identified to be receiving the values sent in the POST request. The POST parameter "gateway" allows overflowing the stack and controlling the $ra register after 1546 characters. The value from this POST parameter is then copied on the stack at address 0x00421348 as shown below. This allows an attacker to provide the payload of his/her choice and finally take control of the device.

securifi -- almond+firmware | CVE-2017-8337 | CVSS 6.8 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check, which allows an attacker who can trick a user to navigate to an attacker's webpage to exploit this issue and brute force the password for the web management interface. It also allows an attacker to then execute any other actions, which include management of rules and sensors attached to the devices, using the websocket requests.

seeddms -- seeddms | CVE-2019-12744 | CVSS 6.0 | Published 2019-06-20 | Sources: MISC, CONFIRM
SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940.

seeddms -- seeddms | CVE-2019-12801 | CVSS 4.3 | Published 2019-06-17 | Sources: MISC
out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new group with a JavaScript payload as the "GROUP" Name.

teltonika -- rut950_firmware | CVE-2018-19878 | CVSS 6.8 | Published 2019-06-19 | Sources: MISC, MISC
An issue was discovered on Teltonika RTU950 R_31.04.89 devices. The application allows a user to login without limitation. For every successful login request, the application saves a session. A user can re-login without logging out, causing the application to store the session in memory. Exploitation of this vulnerability will increase memory use and consume free space.

tp-link -- tl-wr1043nd_firmware | CVE-2019-6972 | CVSS 5.0 | Published 2019-06-19 | Sources: MISC, MISC
An issue was discovered on TP-Link TL-WR1043ND V2 devices. The credentials can be easily decoded and cracked by brute-force, WordList, or Rainbow Table attacks. Specifically, credentials in the "Authorization" cookie are encoded with URL encoding and base64, leading to easy decoding. Also, the username is cleartext, and the password is hashed with the MD5 algorithm (after decoding of the URL encoded string with base64).

tubigan -- welcome_to_our_resort | CVE-2018-18802 | CVSS 6.8 | Published 2019-06-18 | Sources: MISC, MISC
The Tubigan "Welcome to our Resort" 1.0 software allows CSRF via admin/mod_users/controller.php?action=edit.

twistedmatrix -- twisted | CVE-2019-12855 | CVSS 5.8 | Published 2019-06-16 | Sources: MISC, MISC
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

urbackup -- urbackup | CVE-2018-20013 | CVSS 5.0 | Published 2019-06-18 | Sources: MISC, MISC
In UrBackup 2.2.6, an attacker can send a malformed request to the client over the network, and trigger a fileservplugin/CClientThread.cpp CClientThread::ProcessPacket metadata_id!=0 assertion, leading to shutting down the client application.

znc -- znc | CVE-2019-12816 | CVSS 6.5 | Published 2019-06-15 | Sources: CONFIRM, CONFIRM, MLIST, BUGTRAQ
Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name.

zrlog -- zrlog | CVE-2018-17079 | CVSS 4.3 | Published 2019-06-19 | Sources: MISC, MISC
An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerability in the nickname field of the comment area.

zucchetti -- hr_portal | CVE-2019-10257 | CVSS 5.0 | Published 2019-06-19 | Sources: MISC
Zucchetti HR Portal through 2019-03-15 allows Directory Traversal. Unauthenticated users can escape outside of the restricted location (dot-dot-slash notation) to access files or directories that are elsewhere on the system. Through this vulnerability it is possible to read the application's java sources from /WEB-INF/classes/*.class

Low Vulnerabilities

Each entry: Primary Vendor -- Product | CVE | CVSS Score | Published | Source & Patch Info, followed by the description.

b3log -- symphony | CVE-2018-16249 | CVSS 3.5 | Published 2019-06-20 | Sources: MISC
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.

cisco -- prime_service_catalog | CVE-2019-1875 | CVSS 3.5 | Published 2019-06-19 | Sources: BID, CISCO
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by adding specific strings to multiple configuration fields. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

columbiaweather -- weather_microserver_firmware | CVE-2018-18875 | CVSS 3.5 | Published 2019-06-18 | Sources: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.

columbiaweather -- weather_microserver_firmware | CVE-2018-18880 | CVSS 3.5 | Published 2019-06-18 | Sources: MISC, MISC
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.

concrete5 -- concrete5 | CVE-2018-19146 | CVSS 3.5 | Published 2019-06-17 | Sources: MISC, MISC, MISC, MISC
Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element.

creatiwity -- witycms | CVE-2018-16250 | CVSS 3.5 | Published 2019-06-20 | Sources: MISC
The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies the presence of XSS at two input points for user information, with the "first name" and "last name" parameters.

e107 -- e107 | CVE-2018-17423 | CVSS 3.5 | Published 2019-06-19 | Sources: MISC, MISC
An issue was discovered in e107 v2.1.9. There is a XSS attack on e107_admin/comment.php.

getvera -- veraedge_firmware | CVE-2017-9387 | CVSS 3.5 | Published 2019-06-17 | Sources: MISC, BUGTRAQ
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called relay.sh which is used for creating new SSH relays for the device so that the device connects to Vera servers. All the parameters passed in this specific script are logged to a log file called log.relay in the /tmp folder. The user can also read all the log files from the device using a script called log.sh. However, when the script loads the log files it displays them with content-type text/html and passes all the logs through the ansi2html binary, which converts all the character text including HTML meta-characters correctly to be displayed in the browser. This allows an attacker to use the log files as a storing mechanism for the XSS payload, and thus whenever a user navigates to that log.sh script, it enables the XSS payload and allows an attacker to execute his malicious payload on the user's browser.

ibm -- cognos_controller | CVE-2019-4136 | CVSS 3.5 | Published 2019-06-17 | Sources: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.

ibm -- cognos_controller | CVE-2019-4174 | CVSS 2.1 | Published 2019-06-17 | Sources: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 158879.

ibm -- cognos_controller | CVE-2019-4177 | CVSS 2.1 | Published 2019-06-17 | Sources: CONFIRM, XF
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 158882.

ibm -- control_desk | CVE-2019-4303 | CVSS 3.5 | Published 2019-06-19 | Sources: XF, CONFIRM
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160949.

ibm -- i | CVE-2019-4381 | CVSS 2.1 | Published 2019-06-14 | Sources: BID, XF, CONFIRM
IBM i 7.27.3 Clustering could allow a local attacker to obtain sensitive information, caused by the use of advanced node failure detection using the REST API to interface with the HMC. An attacker could exploit this vulnerability to obtain HMC credentials. IBM X-Force ID: 162159.

mantisbt -- mantisbt | CVE-2018-16514 | CVSS 2.6 | Published 2019-06-20 | Sources: MISC
A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-13055.

microfocus -- fortify_software_security_center | CVE-2019-11649 | CVSS 3.5 | Published 2019-06-19 | Sources: MISC
Cross-Site Scripting vulnerability in Micro Focus Fortify Software Security Center Server, versions 17.2, 18.1, 18.2, has been identified in Micro Focus Software Security Center. The vulnerability could be exploited to execute JavaScript code in the user's browser.

nagios -- nagios_xi | CVE-2018-17146 | CVSS 3.5 | Published 2019-06-19 | Sources: MISC
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.

securifi -- almond+firmware | CVE-2017-8330 | CVSS 3.3 | Published 2019-06-18 | Sources: MISC, MISC, BUGTRAQ
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a UPnP functionality for devices to interface with the router and interact with the device. It seems that the "NewInMessage" SOAP parameter passed with a huge payload results in crashing the process. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "miniupnpd" is the one that has the vulnerable function that receives the values sent by the SOAP request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function WscDevPutMessage at address 0x0041DBB8 in IDA pro is identified to be receiving the values sent in the SOAP request. The SOAP parameter "NewInMesage" received at address 0x0041DC30 causes the miniupnpd process to finally crash when a second request is sent to the same process.

seeddms -- seeddms | CVE-2019-12745 | CVSS 3.5 | Published 2019-06-20 | Sources: MISC, CONFIRM
out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site Scripting (XSS) via the name field.

An issue was discovered in STOPzilla AntiMalware CVE- 6.5.2.59. The driver file 2018- stopzilla -- szkg64.sys contains a Denial 2019- 2.1 15729 antimalware of Service vulnerability due to 06-21 MISC not validating the output buffer MISC address value from IOCtl 0x8000204B. CV Source Primary Publis SS & Description Vendor -- Product hed Sco Patch re Info

An issue was discovered in STOPzilla AntiMalware CVE- 6.5.2.59. The driver file 2018- stopzilla -- szkg64.sys contains a Denial 2019- 2.1 15730 antimalware of Service vulnerability due to 06-21 MISC not validating the output buffer MISC address value from IOCtl 0x80002067.

An issue was discovered in STOPzilla AntiMalware CVE- 6.5.2.59. The driver file 2018- stopzilla -- szkg64.sys contains a Denial 2019- 2.1 15731 antimalware of Service vulnerability due to 06-21 MISC not validating the output buffer MISC address value from IOCtl 0x8000205B.

An issue was discovered in STOPzilla AntiMalware CVE- 6.5.2.59. The driver file 2018- stopzilla -- szkg64.sys contains an 2019- 2.1 15732 antimalware Arbitrary Write vulnerability 06-21 MISC due to not validating the output MISC buffer address value from IOCtl 0x80002063.

An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file CVE- szkg64.sys contains a NULL 2018- stopzilla -- 2019- Pointer Dereference 2.1 15733 antimalware 06-21 vulnerability due to not MISC validating the size of the MISC output buffer value from IOCtl 0x80002028. CV Source Primary Publis SS & Description Vendor -- Product hed Sco Patch re Info

An issue was discovered in STOPzilla AntiMalware CVE- 6.5.2.59. The driver file 2018- stopzilla -- szkg64.sys contains an 2019- 2.1 15734 antimalware Arbitrary Write vulnerability 06-21 MISC due to not validating the output MISC buffer address value from IOCtl 0x8000206B.

An issue was discovered in STOPzilla AntiMalware CVE- 6.5.2.59. The driver file 2018- stopzilla -- szkg64.sys contains an 2019- 2.1 15735 antimalware Arbitrary Write vulnerability 06-21 MISC due to not validating the output MISC buffer address value from IOCtl 0x8000206F.

stopzilla -- antimalware | An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains a Denial of Service vulnerability due to not validating the output buffer address value from IOCtl 0x8000204F. | 2019-06-21 | 2.1 | CVE-2018-15736 MISC MISC

stopzilla -- antimalware | An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains a Denial of Service vulnerability due to not validating the output buffer address value from IOCtl 0x80002043. | 2019-06-21 | 2.1 | CVE-2018-15737 MISC MISC

symantec -- data_loss_prevention | DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. | 2019-06-19 | 3.5 | CVE-2019-9701 MISC

yzmcms -- yzmcms | YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter. | 2019-06-20 | 3.5 | CVE-2018-16247 MISC

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

akamai -- cloudtest | Akamai CloudTest before 58.30 allows remote code execution. | 2019-06-21 | not yet calculated | CVE-2019-11011 CONFIRM

apache -- geode | When an Apache Geode server versions 1.0.0 to 1.8.0 is operating in secure mode, a user with write permissions for specific data regions can modify internal cluster metadata. A malicious user could modify this data in a way that affects the operation of the cluster. | 2019-06-21 | not yet calculated | CVE-2017-15694 MISC

apache -- tomcat | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. | 2019-06-21 | not yet calculated | CVE-2019-10072 MISC

asus -- vivobaby_for_android | The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation. | 2019-06-20 | not yet calculated | CVE-2017-17944 MISC

axentra -- hipserv | /api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device. | 2019-06-19 | not yet calculated | CVE-2018-18471 MISC MISC

bobronix -- jeditor_for_jira | The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover. | 2019-06-21 | not yet calculated | CVE-2019-12836 MISC CONFIRM

cerio -- dt-300n_devices | Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection because of improper input validation of the web-interface PING feature's use of Save.cgi to execute a ping command, as exploited in the wild in October 2018. | 2019-06-18 | not yet calculated | CVE-2018-18852 MISC

check_point_software_technologies -- endpoint_security_client_for_windows | Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate. | 2019-06-20 | not yet calculated | CVE-2019-8458 CONFIRM

check_point_software_technologies -- endpoint_security_client_for_windows | Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one. | 2019-06-20 | not yet calculated | CVE-2019-8459 CONFIRM

cisco -- rv110w_and_rv130w_and_rv215w_routers | A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to disconnect clients that are connected to the guest network on an affected router. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for device disconnection and providing the connected device information. A successful exploit could allow the attacker to deny service to specific clients that are connected to the guest network. | 2019-06-19 | not yet calculated | CVE-2019-1897 BID CISCO

cisco -- rv110w_and_rv130w_and_rv215w_routers | A vulnerability in the web interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to acquire the list of devices that are connected to the guest network. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing a specific URI on the web interface of the router. | 2019-06-19 | not yet calculated | CVE-2019-1899 BID CISCO

cisco -- rv110w_and_rv130w_and_rv215w_routers | A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to access the syslog file on an affected device. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for the syslog file. A successful exploit could allow the attacker to access the information contained in the file. | 2019-06-19 | not yet calculated | CVE-2019-1898 BID CISCO

cisco -- staros | A vulnerability in the internal packet-processing functionality of the Cisco StarOS operating system running on virtual platforms could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service (DoS) condition. The vulnerability is due to a logic error that may occur under specific traffic conditions. An attacker could exploit this vulnerability by sending a series of crafted packets to an affected device. A successful exploit could allow the attacker to prevent the targeted service interface from receiving any traffic, which would lead to a DoS condition on the affected interface. The device may have to be manually reloaded to recover from exploitation of this vulnerability. | 2019-06-19 | not yet calculated | CVE-2019-1869 BID CISCO

cisco -- dna_center | A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services. The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow an attacker to reach internal services that are not hardened for external access. | 2019-06-19 | not yet calculated | CVE-2019-1848 BID CISCO

cisco -- email_security_appliance | A vulnerability in the GZIP decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured content filters on the device. The vulnerability is due to improper validation of GZIP-formatted files. An attacker could exploit this vulnerability by sending a malicious file inside a crafted GZIP-compressed file. A successful exploit could allow the attacker to bypass configured content filters that would normally drop the email. | 2019-06-19 | not yet calculated | CVE-2019-1905 BID CISCO

cisco -- integrated_management_controller | A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on the affected device. | 2019-06-19 | not yet calculated | CVE-2019-1632 BID CISCO

cisco -- integrated_management_controller | A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploit this vulnerability by authenticating with the administrator password via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges. | 2019-06-19 | not yet calculated | CVE-2019-1879 BID CISCO

cisco -- integrated_management_controller | A vulnerability in the Server Utilities of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to gain unauthorized access to sensitive user information from the configuration data that is stored on the affected system. The vulnerability is due to insufficient protection of data in the configuration file. An attacker could exploit this vulnerability by downloading the configuration file. An exploit could allow the attacker to use the sensitive information from the file to elevate privileges. | 2019-06-19 | not yet calculated | CVE-2019-1627 BID CISCO

cisco -- integrated_management_controller | A vulnerability in the firmware signature checking program of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to cause a buffer overflow, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient checking of an input buffer. An attacker could exploit this vulnerability by passing a crafted file to the affected system. A successful exploit could inhibit an administrator's ability to access the system. | 2019-06-19 | not yet calculated | CVE-2019-1630 BID CISCO

cisco -- integrated_management_controller | A vulnerability in the of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to cause a buffer overflow, resulting in a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect bounds checking. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. An exploit could allow the attacker to cause a buffer overflow, resulting in a process crash and DoS condition on the device. | 2019-06-19 | not yet calculated | CVE-2019-1628 BID CISCO

cisco -- integrated_management_controller | A vulnerability in the configuration import utility of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to have write access and upload arbitrary data to the filesystem. The vulnerability is due to a failure to delete temporarily uploaded files. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the affected device. An exploit could allow the attacker to fill up the filesystem or upload malicious scripts. | 2019-06-19 | not yet calculated | CVE-2019-1629 BID CISCO

cisco -- ios_xe_software | A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent. | 2019-06-20 | not yet calculated | CVE-2019-1904 MISC

cisco -- multiple_products | A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to reload the device, causing a DoS condition. | 2019-06-19 | not yet calculated | CVE-2019-1843 BID CISCO

cisco -- prime_infrastructure | A vulnerability in the Virtual Domain system of Cisco Prime Infrastructure (PI) could allow an authenticated, remote attacker to change the virtual domain configuration, which could lead to privilege escalation. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by manipulating requests sent to an affected PI server. A successful exploit could allow the attacker to change the virtual domain configuration and possibly elevate privileges. | 2019-06-19 | not yet calculated | CVE-2019-1906 BID CISCO

cisco -- sd_wan_solution | A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make. | 2019-06-19 | not yet calculated | CVE-2019-1626 BID CISCO

cisco -- sd_wan_solution | A vulnerability in the CLI of Cisco SD-WAN Solution could allow an authenticated, local attacker to elevate lower-level privileges to the root user on an affected device. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow the attacker to make configuration changes to the system as the root user. | 2019-06-19 | not yet calculated | CVE-2019-1625 BID CISCO

cisco -- sd_wan_solution | A vulnerability in the vManage web-based UI (Web UI) in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the vManage Web UI. A successful exploit could allow the attacker to execute commands with root privileges. | 2019-06-19 | not yet calculated | CVE-2019-1624 BID CISCO

cisco -- security_manager | A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to a targeted system that contain references within XML entities. An exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition. | 2019-06-19 | not yet calculated | CVE-2019-1903 BID CISCO

cisco -- telepresence_codec_and_collaboration_endpoint_software | A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insufficient input validation of received CDP packets. An attacker could exploit this vulnerability by sending crafted CDP packets to an affected device. A successful exploit could allow the attacker to execute arbitrary shell commands or scripts on the targeted device. | 2019-06-19 | not yet calculated | CVE-2019-1878 CISCO

cisco -- wide_area_application_services_software | A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exploit this vulnerability by sending a malicious HTTPS CONNECT message to the Central Manager. A successful exploit could allow the attacker to access public internet resources that would normally be blocked by corporate policies. | 2019-06-19 | not yet calculated | CVE-2019-1876 BID CISCO

cloud_foundry_foundation -- bosh | Cloud Foundry BOSH 270.x versions prior to v270.1.1 contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest. | 2019-06-18 | not yet calculated | CVE-2019-11271 CONFIRM

cloud_foundry_foundation -- uua_release | Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending "unknown.org" to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account. | 2019-06-19 | not yet calculated | CVE-2019-3787 CONFIRM

cloudera -- manager | An issue was discovered in Cloudera Manager 5.x through 5.15.0. One type of page in Cloudera Manager uses a 'returnUrl' parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker's external site or perform a malicious JavaScript function that results in cross-site scripting (XSS). This was fixed by not allowing any value in the returnUrl parameter with patterns such as http://, https://, //, or . The only exceptions to this rule are the SAML Login/Logout URLs, which remain supported since they are explicitly configured and they are not passed via the returnUrl parameter. | 2019-06-20 | not yet calculated | CVE-2018-15913 CONFIRM MISC

dell_emc -- avamar_adme_web_interface | Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application. | 2019-06-19 | not yet calculated | CVE-2019-3737 MISC

dell_emc -- supportassist_for_business_and_supportassist_for_home_pcs | Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit this vulnerability by inheriting a system thread using a leaked thread handle to gain system privileges on the affected machine. | 2019-06-20 | not yet calculated | CVE-2019-3735 MISC

ethereum -- primeo_token | The doAirdrop function of a smart contract implementation for Primeo (PEO), an Ethereum token, does not check the numerical relationship between the amount of the air drop and the token's total supply, which lets the owner of the contract issue an arbitrary amount of currency. (Increasing the total supply by using 'doAirdrop' ignores the hard cap written in the contract and devalues the token.) | 2019-06-19 | not yet calculated | CVE-2018-18425 MISC MISC

evernote_corporation -- evernote | A universal Cross-site scripting (UXSS) vulnerability in the Evernote Web Clipper extension before 7.11.1 for Chrome allows remote attackers to run arbitrary web script or HTML in the context of any loaded 3rd-party IFrame. | 2019-06-18 | not yet calculated | CVE-2019-12592 MISC MISC

excellent_infotec_corporation -- biyan | EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user information without being authenticated, by sending a LOGIN_ID element to the auth/main/asp/check_user_login_info.aspx URI, and then reading the response, as demonstrated by the KW_EMAIL or KW_TEL field. | 2019-06-19 | not yet calculated | CVE-2019-11233 MISC

excellent_infotec_corporation -- biyan | EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user information (Password) without being authenticated, by sending an EMP_NO element to the kws_login/asp/query_user.asp URI, and then reading the PWD element. | 2019-06-19 | not yet calculated | CVE-2019-11232 MISC

forgerock -- openam_and_am | OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect. | 2019-06-19 | not yet calculated | CVE-2017-14394 MISC

forgerock -- openam_and_am | OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS. | 2019-06-19 | not yet calculated | CVE-2017-14395 MISC

freepbx -- freepbx | FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page. | 2019-06-20 | not yet calculated | CVE-2018-15892 CONFIRM MISC

freepbx -- freepbx | An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name. | 2019-06-20 | not yet calculated | CVE-2018-15891 CONFIRM MISC

glot.io -- glot-www | The default configuration of glot-www through 2018-05-19 allows remote attackers to execute arbitrary code because glot-code-runner supports os.system within a "python" "files" "content" JSON file. | 2019-06-21 | not yet calculated | CVE-2018-15747 MISC

helpy -- helpy | Helpy v2.1.0 has Stored XSS via the Ticket title. | 2019-06-18 | not yet calculated | CVE-2018-18886 MISC CONFIRM

hp -- color_laserjet_pro_m280-m281_multifunction_printer_and_laserjet_pro_mfp_m28-m31_printer | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server potentially vulnerable to stored XSS in wireless configuration page. | 2019-06-17 | not yet calculated | CVE-2019-6324 MISC

hp -- color_laserjet_pro_m280-m281_multifunction_printer_and_laserjet_pro_mfp_m28-m31_printer | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server potentially vulnerable to reflected XSS in wireless configuration page. | 2019-06-17 | not yet calculated | CVE-2019-6323 MISC

hp -- color_laserjet_pro_m280-m281_multifunction_printer_and_laserjet_pro_mfp_m28-m31_printer | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server that is potentially vulnerable to Cross-site Request Forgery. | 2019-06-17 | not yet calculated | CVE-2019-6325 MISC

hp -- color_laserjet_pro_m280-m281_multifunction_printer_and_laserjet_pro_mfp_m28-m31_printer | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an IPP Parser potentially vulnerable to Buffer Overflow. | 2019-06-17 | not yet calculated | CVE-2019-6327 MISC

hp -- color_laserjet_pro_m280-m281_multifunction_printer_and_laserjet_pro_mfp_m28-m31_printer | HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have embedded web server attributes which may be potentially vulnerable to Buffer Overflow. | 2019-06-17 | not yet calculated | CVE-2019-6326 MISC

ibm -- sprectrum_protect_plus | IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password in the IBM Spectrum Protect Plus Joblog. This can result in an attacker gaining access to sensitive information as well as vSnap. IBM X-Force ID: 162173. | 2019-06-19 | not yet calculated | CVE-2019-4385 CONFIRM XF

libgcrypt -- libgcrypt | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) | 2019-06-19 | not yet calculated | CVE-2019-12904 MISC MISC MISC

london_trust_media -- private_internet_access_vpn_client_for_windows | A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. On startup, the PIA Windows service (pia-service.exe) loads the OpenSSL library from %PROGRAMFILES%\Private Internet Access\libeay32.dll. This library attempts to load the C:\etc\ssl\openssl.cnf configuration file which does not exist. By default on Windows systems, authenticated users can create directories under C:\. A low privileged user can create a C:\etc\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine library resulting in arbitrary code execution as SYSTEM when the service starts. | 2019-06-21 | not yet calculated | CVE-2019-12572 MISC MISC

netflix -- dial | Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019. | 2019-06-21 | not yet calculated | CVE-2019-10028 CONFIRM

openstack -- magnum | OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access and can be used to perform any API operation the user is authorized to perform. | 2019-06-21 | not yet calculated | CVE-2016-7404 MISC MISC CONFIRM MISC

opnsense -- opnsense | OPNsense 18.7.x before 18.7.7 has Incorrect Access Control. | 2019-06-17 | not yet calculated | CVE-2018-18958 MISC CONFIRM

phoenix_contact -- axc_f_2152_and_axc_f_2152_starterkit_devices | An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) before 2019.0 LTS and AXC F 2152 STARTERKIT (No.1046568) before 2019.0 LTS devices. Unlimited physical access to the PLC may lead to a manipulation of SD cards data. SD card manipulation may lead to an authentication bypass opportunity. | 2019-06-18 | not yet calculated | CVE-2019-10998 CONFIRM

phoenix_contact -- axc_f_2152_and_axc_f_2152_starterkit_devices | An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) before 2019.0 LTS and AXC F 2152 STARTERKIT (No.1046568) before 2019.0 LTS devices. Protocol Fuzzing on PC WORX Engineer by a man in the middle attacker stops the PLC service. The device must be rebooted, or the PLC service must be restarted manually via a Linux shell. | 2019-06-17 | not yet calculated | CVE-2019-10997 CONFIRM

pix-link -- repeater/router_lv-wr09 | An XSS issue on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID. | 2019-06-22 | not yet calculated | CVE-2019-12933 MISC

pydio -- pydio | Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing an attacker with minimum privilege to Upload files to, and Delete files/folders from, an unprivileged directory, leading to Privilege escalation. | 2019-06-19 | not yet calculated | CVE-2019-12901 MISC MISC

pydio -- pydio | Pydio Cells before 1.5.0, when supplied with a Name field in an unexpected Unicode format, fails to handle this and includes the database column/table name as part of the error message, exposing sensitive information. | 2019-06-19 | not yet calculated | CVE-2019-12903 MISC MISC

CV E- Pydio Cells before 1.5.0 does 201 not incomplete cleanup of a user's 201 9- yet data upon deletion. This allows a 9- 129 pydio -- pydio calc new user, holding the same User 06- 02 ulat ID as a deleted user, to restore the 19 MIS ed deleted user's data. C MIS C rdk_management -- rdkb- A heap-based buffer overflow in 201 not CV 20181217-1 cosa_dhcpv4_dml.c in the RDK 9- yet E- Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

RDKB-20181217-1 CcspPandM 06- calc 201 module may allow attackers with 20 ulat 9- login credentials to achieve ed 696 remote code execution by crafting 3 a long buffer in the "Comment" MIS field of an IP reservation form in C the admin panel. This is related to the CcspCommonLibrary module.

A shell injection issue in cosa_wifi_apis.c in the RDK RDKB-20181217-1 CcspWifiAgent module allows CV attackers with login credentials to E- execute arbitrary shell commands not 201 201 under the CcspWifiSsp process yet rdk_management -- rdkb- 9- 9- (running as root) if the platform calc 20181217-1 06- 696 was compiled with the ulat 20 2 ENABLE_FEATURE_MESHWI ed MIS FI macro. The attack is conducted C by changing the Wi-Fi network password to include crafted escape characters. This is related to the WebUI module.

Incorrect access control in actionHandlerUtility.php in the CV RDK RDKB-20181217-1 WebUI E- module allows a logged in user to not 201 201 control DDNS, QoS, RIP, and yet rdk_management -- rdkb- 9- 9- other privileged configurations calc 20181217-1 06- 696 (intended only for the network ulat 20 1 operator) by sending an HTTP ed MIS POST to the PHP backend, C because the page filtering for non- superuser (in header.php) is done Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

only for GET requests and not for direct calls.

A heap-based buffer over-read in Service_SetParamStringValue in cosa_x_cisco_com_ddns_dml.c of the RDK RDKB-20181217-1 CcspPandM module may allow CV attackers with login credentials to E- not achieve information disclosure 201 201 yet rdk_management -- rdkb- and code execution by crafting an 9- 9- calc 20181217-1 AJAX call responsible for DDNS 06- 696 ulat configuration with an exactly 64- 20 4 ed byte username, password, or MIS domain, for which the buffer size C is insufficient for the final '\0' character. This is related to the CcspCommonLibrary and WebUI modules.

CV E- RedwoodHQ 2.5.5 does not 201 require any authentication for not 201 9- database operations, which allows yet 9- 128 redwoodhq -- redwoodhq remote attackers to create admin calc 06- 90 users via a ulat 19 MIS con.automationframework users ed C insert_one call. MIS C

On Shenzhen Cylan Clever Dog 201 CV shenzhen_cylan_technol not Smart Camera DOG-2W and 9- E- ogy -- yet DOG-2W-V4 devices, an attacker 06- 201 clever_dog_smart_camer calc on the local network has 20 9- Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info a_dog-2w_and_dog-2w- unauthenticated access to the ulat 129 v4 internal SD card via the HTTP ed 19 service on port 8000. The HTTP MIS web server on the camera allows C anyone to view or download the video archive recorded and saved on the external memory card attached to the device.

On Shenzhen Cylan Clever Dog CV Smart Camera DOG-2W and E- shenzhen_cylan_technol DOG-2W-V4 devices, an attacker not 201 201 ogy -- on the network can login remotely yet 9- 9- clever_dog_smart_camer to the camera and gain root calc 06- 129 a_dog-2w_and_dog-2w- access. The device ships with a ulat 20 20 v4 hardcoded 12345678 password for ed MIS the root account, accessible from a C TELNET login prompt.

CV E- 201 9- 121 81 not 201 MIS A privilege escalation yet solarwinds -- serv- 9- C vulnerability exists in SolarWinds calc u_ftp_server 06- MIS Serv-U before 15.1.7 for Linux. ulat 17 C ed CO NFI RM CO NFI RM Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

CV E- 201 not The Photo Sharing Plus 201 8- yet sony -- component on Sony Bravia TV 9- 165 calc bravia_smart_tv_devices through 8.587 devices has a 06- 95 ulat Buffer Overflow. 19 MIS ed C MIS C

CV E- 201 not The Photo Sharing Plus 201 8- yet sony -- component on Sony Bravia TV 9- 165 calc bravia_smart_tv_devices through 8.587 devices allows 06- 94 ulat Directory Traversal. 19 MIS ed C MIS C

CV E- 201 not The Photo Sharing Plus 201 8- yet sony -- component on Sony Bravia TV 9- 165 calc bravia_smart_tv_devices through 8.587 devices allows 06- 93 ulat Shell Metacharacter Injection. 19 MIS ed C MIS C

A shell escape vulnerability in 201 not CV sophos -- xg_firewall /webconsole/APIController in the 9- yet E- Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

API Configuration component of 06- calc 201 Sophos XG firewall 17.0.8 MR-8 20 ulat 8- allows remote attackers to execute ed 161 arbitrary OS commands via shell 18 metachracters in the "X- CO Forwarded-for" HTTP header. NFI RM MIS C MIS C

CV E- 201 SQL injection vulnerability in 8- AccountStatus.jsp in Admin not 161 201 Portal of Sophos XG firewall yet 16 9- sophos -- xg_firewall 17.0.8 MR-8 allow remote calc CO 06- authenticated attackers to execute ulat NFI 20 arbitrary SQL commands via the ed RM "username" GET parameter. MIS C MIS C

CV Stack-based buffer overflow in E- the httpd server of TP-Link 201 not WR1043nd (Firmware Version 3) 201 8- yet tp_link -- allows remote attackers to execute 9- 161 calc wr1043nd_devices arbitrary code via a malicious 06- 19 ulat MediaServer request to 20 MIS ed /userRpm/MediaServerFoldersCfg C Rpm.htm. MIS C Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 build 1179(Final). The Audit CV Report module is affected by a E- blind XXE vulnerability when a 201 new Best Practices Report is 8- saved using a special payload not 201 184 inside the xml input field. The yet 9- 06 tufin -- securetrack XXE vulnerability is blind since calc 06- MIS the response doesn't directly ulat 19 C display a requested file, but rather ed MIS returns it inside the name data C field when the report is saved. An MIS attacker is able to view restricted C operating system files. This issue affects all types of users: administrators or normal users.

CV E- An issue was discovered in Tyto 201 Sahi Pro through 7.x.x and 8.0.0. not 201 8- A directory traversal (arbitrary file yet 9- 204 tyto_software -- sahi_pro access) vulnerability exists in the calc 06- 70 web reports module. This allows ulat 17 MIS an outside attacker to view ed C contents of sensitive files. MIS C

VTech Storio Max before CV 56.D3JM6 allows remote not E- 201 command execution via shell yet 201 vtech -- 9- metacharacters in an Android calc 8- storio_max_devices 06- activity name. It exposes the ulat 166 19 storeintenttranslate.x service on ed 18 port 1668 listening for requests on MIS Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

localhost. Requests submitted to C this service are checked for a MIS string of random characters C followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556 479813fab2d92896596eef?';{ping ,example.org}' URL.

CV E- 201 WAGO 852-303 before FW06, 9- not 852-1305 before FW06, and 852- 201 125 yet 1505 before FW03 devices 9- 50 wago -- multiple_devices calc contain hardcoded users and 06- MIS ulat passwords that can be used to 17 C ed login via SSH and TELNET. MIS C MIS C

WAGO 852-303 before FW06, 201 not CV wago -- multiple_devices 852-1305 before FW06, and 852- 9- yet E- Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

1505 before FW03 devices 06- calc 201 contain hardcoded private keys for 17 ulat 9- the SSH daemon. The fingerprint ed 125 of the SSH host key from the 49 corresponding SSH daemon MIS matches the embedded private C key. MIS C MIS C

When receiving calls using CV WhatsApp for Android, a missing E- size check when parsing a sender- not 201 201 provided packet allowed for a yet 8- 9- whatsapp -- whatsapp stack-based overflow. This issue calc 634 06- affects WhatsApp for Android ulat 9 14 prior to 2.18.248 and WhatsApp ed BID Business for Android prior to MIS 2.18.132. C

CV E- 201 An issue was discovered in the 8- update function in the wpForo not 201 166 Forum plugin before 1.5.2 for yet 9- 13 wordpress -- wordpress WordPress. A registered forum is calc 06- MIS able to escalate privilege to the ulat 19 C forum administrator without any ed MIS form of user interaction. C MIS C Sou CV rce Pub Primary SS & Description lish Vendor -- Product Sco Patc ed re h Info

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key CV sent by mail and the user_id E- parameter) to reset the password not 201 201 of another user. One only needs to yet 9- 9- wordpress -- wordpress know the user_id, which is calc 06- 102 publicly available. One just has to ulat 21 70 intercept the password ed MIS modification request and modify C user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.