Monthly Archive: February 2018

SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429. Date published : 2018-02-22 https://exploit-db.com/exploits/44160

SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via the searchtext array parameter. Date published : 2018-02-22 https://www.exploit-db.com/exploits/44158/

SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter. Date published : 2018-02-22 https://exploit-db.com/exploits/44162

eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port without authentication. This can be exploited by sending arbitrary XML-RPC requests to control the attached BidCos devices. Date published : 2018-02-22 http://atomic111.github.io/article/homematic-ccu2-xml-rpc

Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device’s filesystem. This...

Remote Code Execution in the addon installation process in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows authenticated attackers to create or overwrite arbitrary files or install malicious software on the device. Date published...

In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged...

Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be...

Directory Traversal / Arbitrary File Read in User.getLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to read the first line of an arbitrary file on the CCU2’s filesystem. This...

Cross-site scripting (XSS) vulnerability in Wolf CMS 0.8.3.1 via the page editing feature, as demonstrated by /?/admin/page/edit/3. Date published : 2018-02-22 https://github.com/pradeepjairamani/WolfCMS-XSS-POC https://github.com/pradeepjairamani/WolfCMS-XSS-POC/blob/master/Wolfcms%20v0.8.3.1%20xss%20POC%20by%20Pradeep%20Jairamani.pdf

XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE) Date published : 2018-02-22 https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03014426

Arbitrary Code Execution vulnerability in Micro Focus Universal CMDB, version 4.10, 4.11, 4.12. This vulnerability could be remotely exploited to allow Arbitrary Code Execution. Date published : 2018-02-22 https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03086019

Under certain circumstances, a flaw in the J9 JVM (IBM SDK, Java Technology Edition 7.1 and 8.0) allows untrusted code running under a security manager to elevate its privileges. IBM X-Force ID: 138823. Date...

IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within...