CVE-2019-10240
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack....
In Detcon Sitewatch Gateway, all versions without cellular, an attacker can edit settings on the device using a specially crafted URL. Date published : 2019-04-02 https://ics-cert.us-cert.gov/advisories/ICSA-17-136-01
In Detcon Sitewatch Gateway, all versions without cellular, passwords are presented in plaintext in a file that is accessible without authentication. Date published : 2019-04-02 https://ics-cert.us-cert.gov/advisories/ICSA-17-136-01
An exploitable local denial-of-service vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can send malicious data to the root-listening service, causing the application to terminate...
An exploitable local information leak vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can pass a PID and receive information running on it that would...
An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can globally create directories and subdirectories on the root file system, as...
An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s “Games” directory, version 1.2.48.36 (Windows 64-bit Installer). An attacker can overwrite executables of installed games to exploit this vulnerability...
An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s install directory. An attacker can overwrite an executable that is launched as a system service on boot by default...
The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with...
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an authenticated user to access JSP files and disclose sensitive information. IBM X-Force ID: 152784. Date published : 2019-04-02 http://www.securityfocus.com/bid/107688 https://www.ibm.com/support/docview.wss?uid=ibm10872274
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an authenticated user to download code using a specially crafted HTTP request. IBM X-Force ID: 152663. Date published : 2019-04-02 http://www.securityfocus.com/bid/107735 https://www.ibm.com/support/docview.wss?uid=ibm10872320
IBM API Connect 5.0.0.0 through 5.0.8.5 could display highly sensitive information to an attacker with physical access to the system. IBM X-Force ID: 151636. Date published : 2019-04-02 http://www.securityfocus.com/bid/107733 https://www.ibm.com/support/docview.wss?uid=ibm10876994
A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. Date published : 2019-04-02 https://www.open-emr.org/wiki/index.php/OpenEMR_Patches https://www.purplemet.com/blog/openemr-xss-vulnerability
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 145236. Date...