CVE-2018-11577
Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. Date published : 2018-05-30 https://github.com/Edward-L/fuzzing-pocs/tree/master/liblouis https://github.com/liblouis/liblouis/issues/582
ngiflib.c in MiniUPnP ngiflib 0.4 has a heap-based buffer over-read in GifIndexToTrueColor. Date published : 2018-05-30 https://github.com/Edward-L/fuzzing-pocs/tree/master/ngiflib https://github.com/miniupnp/ngiflib/issues/6
ngiflib.c in MiniUPnP ngiflib 0.4 has a stack-based buffer overflow in DecodeGifImg. Date published : 2018-05-30 https://github.com/Edward-L/fuzzing-pocs/tree/master/ngiflib https://github.com/miniupnp/ngiflib/issues/4
ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> Manage modules -> edit" action to the manager/ URI. Date published : 2018-05-30 https://github.com/ClipperCMS/ClipperCMS/issues/485
ClipperCMS 1.3.3 allows Session Fixation. Date published : 2018-05-30 https://github.com/ClipperCMS/ClipperCMS/issues/486
Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the ‘‘ characters have <...
** DISPUTED ** Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an...
Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information. Date...
An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick...
DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter. Date published : 2018-05-30 https://github.com/domainmod/domainmod/issues/66
DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_first_name parameter. Date published : 2018-05-30 https://github.com/domainmod/domainmod/issues/66
YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter. Date published : 2018-05-30 https://github.com/1aker/yiban1/blob/master/README.md
** DISPUTED ** tificc in Little CMS 2.9 has an out-of-bounds write in the cmsPipelineCheckAndRetreiveStages function in cmslut.c in liblcms2.a via a crafted TIFF file. NOTE: Little CMS developers do consider this a vulnerability...
** DISPUTED ** tificc in Little CMS 2.9 has an out-of-bounds write in the PrecalculatedXFORM function in cmsxform.c in liblcms2.a via a crafted TIFF file. NOTE: Little CMS developers do consider this a vulnerability...