Monthly Archive: July 2018

VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial...

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious...

Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An...

In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, ports 30001/TCP to 30003/TCP listen for arbitrary URScript code and execute the code. This enables a remote attacker who has access to the...

Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100 utilizes hard-coded credentials that may allow an attacker to reset passwords for the controller. Date published : 2018-07-11 http://www.securityfocus.com/bid/104710 https://ics-cert.us-cert.gov/advisories/ICSA-18-191-01

Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified...

Cross-site scripting (XSS) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. Date published : 2018-07-11 https://page.topdesk.com/cve-2018-10231-and-cve-2018-10232?hs_preview=slNSCcfI-5931819551

There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before 10.18.040 in ELO ELOenterprise 9 and 10 and ELOprofessional 9 and 10 that makes it possible...

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with...

Juniper Networks CSO versions prior to 4.0.0 may log passwords in log files leading to an information disclosure vulnerability. Date published : 2018-07-11 https://kb.juniper.net/JSA10872

Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 use hardcoded credentials to access Keystone service. These credentials allow network based attackers unauthorized access to information stored in keystone. Date published : 2018-07-11 https://kb.juniper.net/JSA10872

Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services. Date published : 2018-07-11...

Juniper Networks Contrail Service Orchestration releases prior to 4.0.0 have Grafana service enabled by default with hardcoded credentials. These credentials allow network based attackers unauthorized access to information stored in Grafana or exploit other...

Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 have Cassandra service enabled by default with hardcoded credentials. These credentials allow network based attackers unauthorized access to information stored in Cassandra. Date published :...