Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. Date published : 2019-04-01 https://www.synology.com/security/advisory/Synology_SA_18_26
Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL. Date published : 2019-04-01 https://www.synology.com/security/advisory/Synology_SA_18_29
An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106. The traceroute and ping functionality, which uses a parameter in a request to command.cgi from the Monitoring page in the web...
An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can globally adjust folder permissions leading to execution of arbitrary code with...
A remote denial-of-service vulnerability exists in the way the Nouveau Display Driver (the default Ubuntu Nvidia display driver) handles GPU shader execution. A specially crafted pixel shader can cause remote denial-of-service issues. An attacker...
The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTINUsers:(I)(F)" permissions for the "%PROGRAMFILES(X86)%proNestorOutlook add-in for PronestorPronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse...
An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. An OS command injection vulnerability in Acl.asp allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter. Date published...
A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload...
Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell. Date published : 2019-04-01 http://grandstream.com/support/firmware Three simple CVEs...
A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device. Date published : 2019-04-01 http://grandstream.com/support/firmware Three simple CVEs for...
A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device’s configuration in cleartext. Date published : 2019-04-01 http://grandstream.com/support/firmware Three simple CVEs for a good VoIP phone
Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter. Date published : 2019-04-01 https://www.synology.com/security/advisory/Synology_SA_18_54
Channel accessible by non-endpoint vulnerability in privacy page in Synology Android Moments before 1.2.3-199 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors. Date published : 2019-04-01 https://www.synology.com/security/advisory/Synology_SA_18_52
Information exposure vulnerability in SYNO.SynologyDrive.Files in Synology Drive before 1.1.2-10562 allows remote attackers to obtain sensitive system information via the dsm_path parameter. Date published : 2019-04-01 https://www.synology.com/security/advisory/Synology_SA_18_50