CVE-2019-12887
KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue 1 of 2). Date published : 2019-06-27 https://www.linotp.org/CVE-2019-12887.txt
Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to...
A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter. Date...
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with least privilege to edit...
An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow. Date published : 2019-06-26 http://www.securityfocus.com/bid/108921 https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash). Date published : 2019-06-26 http://www.securityfocus.com/bid/108921...
Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash). Date published : 2019-06-26 http://www.securityfocus.com/bid/108921 https://github.com/uclouvain/openjpeg/pull/1168/commits/c5bd64ea146162967c29bd2af0cbb845ba3eaaaf
In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the...
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow unencrypted downloads over FTP. Date published : 2019-06-26 https://support.lenovo.com/solutions/LEN-27725
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution. Date published : 2019-06-26 https://support.lenovo.com/solutions/LEN-27725
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution. Date published : 2019-06-26 https://support.lenovo.com/solutions/LEN-27725
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow cross-site request forgery. Date published : 2019-06-26 https://support.lenovo.com/solutions/LEN-27725
A denial of service vulnerability was reported in Lenovo System Update before version 5.07.0084 that could allow service log files to be written to non-standard locations. Date published : 2019-06-26 https://support.lenovo.com/solutions/LEN-27348
IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an authenticated user with local access to bypass authentication and obtain administrative access. IBM X-Force ID: 159467. Date published : 2019-06-26 https://www-01.ibm.com/support/docview.wss?uid=ibm10885602 https://exchange.xforce.ibmcloud.com/vulnerabilities/159467