Monthly Archive: July 2017

CVE-2016-6018

IBM Emptoris Contract Management 10.0 and 10.1 reveals detailed error messages in certain features that could cause an attacker to gain additional information to conduct further attacks. IBM X-Force ID: 116738. Date published :...

CVE-2016-5394

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded,...

CVE-2017-9765

Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of...

CVE-2017-9764

Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in a para action. Date published : 2017-07-19...

CVE-2017-7977

The Screensavercc component in eLux RP before 5.5.0 allows attackers to bypass intended configuration restrictions and execute arbitrary commands with root privileges by inserting commands in a local configuration dialog in the control panel....

CVE-2017-1223

IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this...

CVE-2017-1219

IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM...

CVE-2017-1218

IBM Tivoli Endpoint Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123858. Date...

CVE-2017-1203

IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading...

CVE-2017-11467

OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request. Date published : 2017-07-19 http://www.heavensec.org/?p=1703...

CVE-2017-11466

Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxFileUploadServlet.class in dotCMS 4.1.1 allows remote authenticated administrators to upload .jsp files to arbitrary locations via directory traversal sequences in the fieldName parameter to servlets/ajax_file_upload. This results in arbitrary...

CVE-2017-11465

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related...