CVE-2018-13847
An issue has been found in Bento4 1.5.1-624. It is a SEGV in AP4_StcoAtom::AdjustChunkOffsets in Core/Ap4StcoAtom.cpp. Date published : 2018-07-10 https://github.com/axiomatic-systems/Bento4/issues/283
An issue has been found in Bento4 1.5.1-624. AP4_Mpeg2TsVideoSampleStream::WriteSample in Core/Ap4Mpeg2Ts.cpp has a heap-based buffer over-read after a call from Mp42Ts.cpp, a related issue to CVE-2018-14532. Date published : 2018-07-10 https://github.com/axiomatic-systems/Bento4/issues/282
An issue has been found in HTSlib 1.8. It is a buffer over-read in sam_parse1 in sam.c. Date published : 2018-07-10 https://github.com/samtools/htslib/issues/731#issuecomment-403681105
** DISPUTED ** An issue has been found in HTSlib 1.8. It is a memory leak in fai_read in faidx.c. NOTE: This has been disputed with the assertion that this vulnerability exists in the...
** DISPUTED ** An issue has been found in HTSlib 1.8. It is a memory leak in bgzf_getline in bgzf.c. NOTE: the software maintainer’s position is that the "failure to free memory" can be...
An issue was discovered in cmft through 2017-09-24. The cmft::rwReadFile function in image.cpp allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact....
** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is...
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call. Date published : 2018-07-10 https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332 https://github.com/scravy/node-macaddress/pull/20/
The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml. Date published : 2018-07-10 http://www.securityfocus.com/bid/104755...
The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files. Date published :...
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was set up made it possible for another thread to use the connection before the TLS layer has been established,...
In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a...
NetIQ iManager 3.1.1 addresses potential XSS vulnerabilities. Date published : 2018-07-10 https://support.microfocus.com/kb/doc.php?id=7016795
Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certificate revocation. Date published : 2018-07-10 https://www.netiq.com/support/kb/doc.php?id=7016794