CVE-2018-7355
All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by a cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an...
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero ‘Lithium Luna’ (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic...
IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870. Date published : 2018-09-26 http://www.ibm.com/support/docview.wss?uid=ibm10729873...
IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation; the user ID and password may be displayed in plain text within an instrumentation log...
utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption. Date published : 2018-09-26 https://github.com/viabtc/viabtc_exchange_server/commit/4a7c27bfe98f409623d4d857894d017ff0672cc9#diff-515c81af848352583bff286d6224875f https://github.com/viabtc/viabtc_exchange_server/pull/131
network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption. Date published : 2018-09-26 https://github.com/viabtc/viabtc_exchange_server/commit/4a7c27bfe98f409623d4d857894d017ff0672cc9#diff-9fabc53ea796ec492aef432594298baa https://github.com/viabtc/viabtc_exchange_server/pull/131
utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption. Date published : 2018-09-26 https://github.com/viabtc/viabtc_exchange_server/commit/4a7c27bfe98f409623d4d857894d017ff0672cc9#diff-0c23effa84a7b85053bac7981a8580c8 https://github.com/viabtc/viabtc_exchange_server/pull/131
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition’s value can be controlled by a user’s request. Date published : 2018-09-26 https://github.com/top-think/think/issues/858
MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action. Date published : 2018-09-26 https://github.com/modxcms/revolution/issues/14094
The web component on ARRIS TG2492LG-NA 061213 devices allows remote attackers to obtain sensitive information via the /snmpGet oids parameter. Date published : 2018-09-26 http://misteralfa-hack.blogspot.com/2018/09/arris-tg2492lg-na-cable-modem-gateway.html
** DISPUTED ** Axon (formerly TASER International) Evidence Sync 3.15.89 is vulnerable to process injection. NOTE: the vendor’s position is that this CVE is not associated with information that supports any finding of any...
An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20. Date published : 2018-09-26 https://github.com/MrR3boot/CVE-Hunting/blob/master/iWay%20DQS%20XXE.pdf
Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI. Date published : 2018-09-26 https://lab.insightsecurity.com.br/horus-cms/
SeaCMS 6.64 and 7.2 allow remote attackers to delete arbitrary files via the filedir parameter. Date published : 2018-09-26 http://blog.51cto.com/13770310/2177226 https://github.com/sfh320/seacms/issues/1