A heap-based buffer over-read was discovered in wasm::SExpressionParser::skipWhitespace() in wasm-s-parser.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm2js. Date published : 2019-02-10 https://github.com/WebAssembly/binaryen/issues/1863
A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-merge. Date published : 2019-02-10 https://github.com/WebAssembly/binaryen/issues/1864
A heap-based buffer over-read occurs in AP4_BitStream::WriteBytes in Codecs/Ap4BitStream.cpp in Bento4 v1.5.1-627. Remote attackers could leverage this vulnerability to cause an exception via crafted mp4 input, which leads to a denial of service. Date...
An issue was discovered in AP4_Array::EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls, a related issue to CVE-2018-20095. Date published : 2019-02-10...
An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls. Date published : 2019-02-10 https://github.com/axiomatic-systems/Bento4/issues/351
Axios Italia Axios RE 1.7.0/7.0.0 devices have XSS via the RELogOff.aspx Error_Parameters parameter. In some situations, the XSS would be on the family.axioscloud.it cloud service; however, the vendor also supports "Sissi in Rete (con...
install/install.php in CIM 0.9.3 allows remote attackers to execute arbitrary PHP code via a crafted prefix value because of configuration file mishandling in the N=83 case, as demonstrated by a call to the PHP...
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is a default password of meinsm for the admin account. Date published : 2019-02-09 https://gist.github.com/llandeilocymro/7dbe3daaab6d058d609fd9a0b24301cb https://www.use-ip.co.uk/forum/threads/mobotix-default-password.76/
Multiple SQL injection vulnerabilities in the monitoring feature in the HTTP API in ABBYY FlexiCapture before 12 Release 2 allow an attacker to execute arbitrary SQL commands via the mask, sortOrder, filter, or Order...
inxedu through 2018-12-24 has a vulnerability that can lead to the upload of a malicious JSP file. The vulnerable code location is com.inxedu.os.common.controller.VideoUploadController#gok4 (com/inxedu/os/common/controller/VideoUploadController.java). The attacker uses the /video/uploadvideo fileType parameter to change the...
A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888. Date published : 2019-02-09 https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt
XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888. Date published : 2019-02-09 https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt https://github.com/pudding2/enphase-energy/blob/master/XSS.png
A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account. Date published : 2019-02-09 https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. The default management application is delivered over cleartext HTTP with Basic Authentication, as demonstrated by the /admin/index.html URI. Date published : 2019-02-09 https://gist.github.com/llandeilocymro/7dbe3daaab6d058d609fd9a0b24301cb