CVE-2018-13392
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys. Date published : 2018-08-13...
A cross-site scripting (XSS) vulnerability was found in valeuraddons German Spelling Dictionary v1.3 (an Opera Browser add-on). Instead of providing text for a spelling check, remote attackers may inject arbitrary web script or HTML...
From version 1.3.0 onward, Apache Spark’s standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property ‘spark.authenticate.secret’ establishes a shared secret...
An uncontrolled resource consumption flaw has been discovered in redhat-certification in the way documents are loaded. A remote attacker may provide an existing but invalid XML file which would be opened and never closed,...
CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has multiple stack-based buffer overflow vulnerabilities that could cause the software to crash due to lacking user input validation before copying data from project files...
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT – 722 Paradigm REAL-TIME, 523 / MMT – 723 Paradigm Revel, 523K / MMT – 723K Paradigm Revel, and 551 / MMT – 751 MiniMed...
CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities that could cause the software to crash due to lacking user input validation for processing project files, which may allow an...
An issue was discovered in Edimax EW-7438RPn Mini v2 before version 1.26. There is XSS in an SSID field. Date published : 2018-08-13
Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary...
Improper input validation in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. Date published : 2018-08-12 https://nextcloud.com/security/advisory/?id=NC-SA-2018-006 https://hackerone.com/reports/232347
Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication. Date published : 2018-08-12 https://nextcloud.com/security/advisory/?id=NC-SA-2018-007 https://hackerone.com/reports/248656
Incorrect parsing in url-parse
The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading "ffree: " lines in a debugfs file. Date published : 2018-08-10 https://elixir.bootlin.com/linux/v4.16-rc4/source/drivers/block/aoe/aoeblk.c#L421 https://github.com/johnsonwangqize/cve-linux/blob/master/CVE-2018-7754.md
lxc-user-nic when asked to delete a network interface will unconditionally open a user provided path. This code path may be used by an unprivileged user to check for the existence of a path which...