CVE-2017-7660
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster...
Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2.0.0 would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain...
The D-Link DIR-615 device before v20.12PTb04 doesn’t use SSL for any of the authenticated pages. Also, it doesn’t allow the user to generate his own SSL Certificate. An attacker can simply monitor network traffic...
On the D-Link DIR-615 before v20.12PTb04, once authenticated, this device identifies the user based on the IP address of his machine. By spoofing the IP address belonging to the victim’s host, an attacker might...
On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the Router’s Web Interface visits a malicious site from another Browser tab, the malicious site then can send requests to the victim’s...
An Improper Authentication issue was discovered in Siemens SIMATIC CP 44x-1 RNA, all versions prior to 1.4.1. An unauthenticated remote attacker may be able to perform administrative actions on the Communication Process (CP) of...
Directory traversal vulnerability in Shortcodes Ultimate prior to version 4.10.0 allows remote attackers to read arbitrary files via unspecified vectors. Date published : 2017-07-07 http://www.securityfocus.com/bid/99495 https://plugins.trac.wordpress.org/changeset/1684377/#file217
Cross-site request forgery (CSRF) vulnerability in MFC-J960DWN firmware ver.D and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. Date published : 2017-07-07 http://support.brother.co.jp/j/s/support/vul_info/JVN95996423/index.html http://jvn.jp/en/jp/JVN95996423/index.html
Cross-site scripting vulnerability in Responsive Lightbox prior to version 1.7.2 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Date published : 2017-07-07 http://www.securityfocus.com/bid/99463 Responsive Lightbox & Gallery
Marp versions v0.0.10 and earlier may allow an attacker to access local resources and files using JavaScript. Date published : 2017-07-07 http://jvn.jp/en/jp/JVN21174546/index.html
Cross-site request forgery (CSRF) vulnerability in Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified...
Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allow an attacker to execute arbitrary OS commands via unspecified vectors. Date published : 2017-07-07 http://jvn.jp/en/jp/JVN85901441/index.html
Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier use hard-coded credentials, which may allow attackers to perform operations on the device with administrative privileges. Date published :...
Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allow an attacker to bypass access restriction to change the administrator account password via unspecified vectors. Date published...