A cross-site scripting (XSS) vulnerability in the wp-concours plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the result_message parameter to includes/concours_page.php. Date published : 2017-12-19 http://seclists.org/fulldisclosure/2017/Dec/71...
The Enterprise version of SyncBreeze 10.2.12 and earlier is affected by a Remote Denial of Service vulnerability. The web server does not check bounds when reading server requests in the Host header on making...
The Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote authenticated users with certain privileges to read arbitrary files via (1) the ntpclientcounterlogfile parameter to cgi-bin/mainv2 or (2) vectors involving...
Stack-based buffer overflow in the ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler. Date published : 2017-12-19 https://www.exploit-db.com/exploits/43355/ http://seclists.org/fulldisclosure/2017/Dec/46
The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h. Date published : 2017-12-18...
contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a...
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files. Date published : 2017-12-18 https://www.exploit-db.com/exploits/43364/ http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) allows renaming and modifying files via /tools.html. Date published : 2017-12-18 https://www.exploit-db.com/exploits/43364/ http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html. Date published : 2017-12-18 https://www.exploit-db.com/exploits/43364/ http://www.information-paradox.net/2017/12/brightsign-multiple-vulnerablities-cve.html
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies. Date published : 2017-12-18 https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=77737 https://www.cmsmadesimple.org/2017/12/Announcing-CMSMS-v2.2.5-Wawa
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions. Date published : 2017-12-18 https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=77737 https://www.cmsmadesimple.org/2017/12/Announcing-CMSMS-v2.2.5-Wawa
Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request. Date published : 2017-12-18 http://www.0day5.com/archives/4383/
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. Date published : 2017-12-18 http://0day5.com/archives/1346/