CVE-2018-0130
A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system....
A vulnerability in Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to bypass security protections, gain elevated privileges, and execute arbitrary code. The vulnerability is due to insecure key generation during...
A vulnerability in the authentication functionality of the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on...
id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service...
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default. Date published : 2018-02-20 http://www.information-paradox.net/2015/02/cve-2015-2081-multiple-vulnerabilities.html
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory. Date published : 2018-02-20 http://www.information-paradox.net/2015/02/cve-2015-2081-multiple-vulnerabilities.html
Datto ALTO and SIRIS devices have a default VNC password. Date published : 2018-02-20 http://www.information-paradox.net/2015/02/cve-2015-2081-multiple-vulnerabilities.html
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. Date published : 2018-02-20 http://sourceforge.net/p/itop/code/3662/ http://sourceforge.net/p/itop/tickets/1114/
Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts. Date published : 2018-02-20 http://www.information-paradox.net/2015/02/cve-2015-2081-multiple-vulnerabilities.html
XPath injection vulnerability in Epic MyChart allows remote attackers to access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp. NOTE: this was originally...
Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed image size descriptor in the IHDR...
Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed chunk size descriptor. Date published :...
smart/calculator/gallerylock/CalculatorActivity.java in the "Photo,Video Locker-Calculator" application through 18 for Android allows attackers to access files via the backdoor 17621762 PIN. Date published : 2018-02-20 https://www.ds-security.com/2017/11/16/photovideo-locker-calculator-leak-of-sensitive-files/
Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an...