CVE-2015-1012
Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System. According to Hospira, version 3 of the LifeCare PCA Infusion System is not indicated for wireless use,...
A specially crafted configuration file could be used to cause a stack-based buffer overflow condition in the OPCTest.exe, which may allow remote code execution on Opto 22 PAC Project Professional versions prior to R9.4008,...
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. Date published : 2019-03-25 http://www.securityfocus.com/bid/107558 https://labs.integrity.pt/advisories/cve-2017-9376/
ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. Date published : 2019-03-25 https://labs.integrity.pt/advisories/cve-2017-9362
In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface. Date published : 2019-03-25 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7510
A weak password recovery process vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via a hidden Close button. Date published : 2019-03-25 https://fortiguard.com/psirt/FG-IR-17-114
A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality. Date published : 2019-03-25 https://fortiguard.com/psirt/FG-IR-17-114
It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a...
A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to too strict permission settings on the server side, SSSD will allow all authenticated...
Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter. Date published : 2019-03-25 https://github.com/gnuboard/gnuboard5/commit/b1fc952c7600b825c4b02e2789ddafdea18c8d13#diff-6e31fc60ba119c0f830f8a22fe1925dc https://github.com/gnuboard/gnuboard5/commits/master?after=831219e2c233b2d721a049b7aeb054936d000dc2+69
A Reflected Cross Site Scripting (XSS) vulnerability exists in Adrenalin HRMS 5.4.0. An attacker can input malicious JavaScript code in /RPT/SSRSDynamicEditReports.aspx via ‘ReportId’ parameter. Date published : 2019-03-25 http://packetstormsecurity.com/files/155244/Adrenalin-Core-HCM-5.4.0-Cross-Site-Scripting.html https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin 5.4 HRMS Software. The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the LeaveEmployeeSearch.aspx prntFrmName...
tls1.c in Cameron Hamilton-Rich axTLS before 2.1.5 has a Buffer Overflow via a crafted sequence of TLS packets because the need_bytes value is mismanaged. Date published : 2019-03-25 http://axtls.sourceforge.net https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/advisories-504842
An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The main shell handler function uses the value of the environment variable ipcom.shell.greeting as the first argument to...