IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 9.0.0.0 – 9.0.0.4, 8.0.0.0 – 8.0.0.19, 8.0.1.0 – 8.0.1.13, 8.0.3.0 – 8.0.3.6, 8.0.4.0 – 8.0.4.14, and 7.0.0.0 Feature Pack 8 could allow an authenticated user to...
In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. Date published : 2018-08-27 http://www.securityfocus.com/bid/105122 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. Date published...
In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. Date published : 2018-08-27 https://www.debian.org/security/2018/dsa-4288 https://security.gentoo.org/glsa/201811-12
A10 ACOS Web Application Firewall (WAF) 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4 mishandles the configured rules for blocking SQL injection attacks, aka A10-2017-0008. Date published...
An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability. Date published : 2018-08-27 https://github.com/bg5sbk/MiniCMS/issues/21
An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A...
A SQL injection was discovered in /coreframe/app/admin/pay/admin/index.php in WUZHI CMS 4.1.0 via the index.php?m=pay&f=index&v=listing keyValue parameter. Date published : 2018-08-27 https://github.com/wuzhicms/wuzhicms/issues/150
A SQL injection was discovered in /coreframe/app/admin/copyfrom.php in WUZHI CMS 4.1.0 via the index.php?m=core&f=copyfrom&v=listing keywords parameter. Date published : 2018-08-27 https://github.com/wuzhicms/wuzhicms/issues/149
Main_Analysis_Content.asp in ASUS DSL-N12E_C1 1.1.2.3_345 is prone to Authenticated Remote Command Execution, which allows a remote attacker to execute arbitrary OS commands via service parameters, such as shell metacharacters in the destIP parameter of...
Visiology Flipbox Software Suite before 2.7.0 allows directory traversal via %5c%2e%2e%2f because it does not sanitize filename parameters. Date published : 2018-08-27 http://flipbox.net/news/620/ https://gist.github.com/nenf/7ed2d800ca8d1538cf6bb0a771dc7dae
ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the...
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi. Date published : 2018-08-27 https://www.tenable.com/security/research/tra-2018-22
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history. Date published : 2018-08-27 https://www.tenable.com/security/research/tra-2018-22