Vulnerability Summary for the Week of November 18, 2019

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| 9base — 9base | 9base 1:6-6 and 1:6-7 insecurely creates temporary files, which results in predictable filenames. | 2019-11-21 | not yet calculated | CVE-2014-1935; MISC, MISC, MISC |
| ace — ace | generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory, which allows attackers to gain elevated privileges. | 2019-11-22 | not yet calculated | CVE-2014-6311; MISC, MISC, MISC, MISC |
| angularjs — angularjs | In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. | 2019-11-19 | not yet calculated | CVE-2019-10768; MISC |
| apache — nifi | When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top-most level, not recursively). The response included details about processors and controller services which the user may not have had read access to. | 2019-11-19 | not yet calculated | CVE-2019-10083; CONFIRM |
| apple — iphone_3gs | Apple iPhone 3GS bootrom malloc implementation returns a non-NULL pointer when unable to allocate memory, aka 'alloc8'. An attacker with physical access to the device can install arbitrary firmware. | 2019-11-22 | not yet calculated | CVE-2019-9536; MISC, MISC |
| asus — rt-ac66u_firmware | Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to execute arbitrary code by providing a long string to the blocking.asp page via a GET or POST request. Vulnerable parameters are flag, mac, and cat_id. | 2019-11-21 | not yet calculated | CVE-2018-8879; MISC, MISC |
| beckhoff — twincat_runtime | When Beckhoff TwinCAT is configured to use the Profinet driver, a denial of service of the controller could be reached by sending a malformed UDP packet to the device. | 2019-11-21 | not yet calculated | CVE-2019-5637; MISC, CONFIRM |
| beckhoff — twincat_runtime | When a Beckhoff TwinCAT Runtime receives a malformed UDP packet, the ADS Discovery Service shuts down. Note that the TwinCAT devices are still performing as normal. | 2019-11-21 | not yet calculated | CVE-2019-5636; MISC, CONFIRM |
| belkin — linksys_velop_devices | Belkin Linksys Velop 1.1.8.192419 devices allow remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. | 2019-11-21 | not yet calculated | CVE-2019-16340; MISC, MISC, MISC |
| blackboard — blackboard_learn | The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP Host header spoofing during Central Authentication Service (CAS) service ticket validation, enabling a phishing attack from the CAS server login page. | 2019-11-18 | not yet calculated | CVE-2018-13257; MISC |
| centreon — web | Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron. | 2019-11-21 | not yet calculated | CVE-2019-16406; MISC, MISC |
| centreon — web | Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. | 2019-11-21 | not yet calculated | CVE-2019-16405; MISC, MISC, MISC |
| chyrp — chyrp | Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php. | 2019-11-21 | not yet calculated | CVE-2012-1001; MISC, MISC, MISC, MISC, MISC, MISC |
| cloud_foundry_foundation — cloud_foundry_routing | Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthorized malicious user could forge a route service request using an invalid nonce that will cause the Gorouter to crash. | 2019-11-19 | not yet calculated | CVE-2019-11289; CONFIRM |
| cog — galaxy_client_service | An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows systems where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected. | 2019-11-21 | not yet calculated | CVE-2019-15511; MISC, MISC |
| cumin — cumin | cumin: at installation, the postgresql database user is created without a password. | 2019-11-21 | not yet calculated | CVE-2012-3460; MISC, MISC |
| d-link — dsl-6740u_gateway | Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom Services in Port Forwarding, (2) Port Triggering Entries, (3) URL Filters in Parental Control, (4) Print Server settings, (5) QoS Queue Setup, or (6) QoS Classification Entries. | 2019-11-22 | not yet calculated | CVE-2013-6811; MISC, MISC |
| drupal — drupal | A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal. | 2019-11-22 | not yet calculated | CVE-2012-2079; MISC, MISC |
| drupal — drupal | Cross-site scripting (XSS) vulnerability in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal. | 2019-11-21 | not yet calculated | CVE-2012-1637; MISC, MISC |
| drupal — drupal | Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. | 2019-11-21 | not yet calculated | CVE-2012-2078; MISC, MISC |
| e-deploy — e-deploy | eDeploy through at least 2014-10-14 has remote code execution due to eval() of untrusted data. | 2019-11-21 | not yet calculated | CVE-2014-3700; MISC, MISC |
| embedthis — goahead | Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This can cause a copy of the Host header to fail, leaving that buffer uninitialized, which may leak uninitialized data in a response. | 2019-11-22 | not yet calculated | CVE-2019-19240; MISC, MISC, MISC |
| eracent — epa_agent | An issue was discovered in Eracent EPA Agent through 10.2.26. The agent executable, when installed for non-root operations (scanning), can be used to start external programs with elevated permissions because of an Untrusted Search Path. | 2019-11-22 | not yet calculated | CVE-2019-17446; CONFIRM |
| eracent — multiple_linux_agents | An issue was discovered in Eracent EDA, EPA, EPM, EUA, FLW, and SUM Agent through 10.2.26. The agent executable, when installed for non-root operations (scanning), can be forced to copy files from the filesystem to other locations via Symbolic Link Following. | 2019-11-22 | not yet calculated | CVE-2019-17445; CONFIRM |
| exis-ti — contexis | Cross-site scripting (XSS) vulnerability in the photo gallery model in Exis Contexis before 2.0 allows remote attackers to inject arbitrary web script or HTML via the image parameter in a detail action. | 2019-11-22 | not yet calculated | CVE-2013-6239; MISC, MISC, MISC |
| flashcanvas — flashcanvas | Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header. | 2019-11-22 | not yet calculated | CVE-2013-6880; MISC, MISC, MISC, MISC |
| fortinet — forticlient_for_mac | An Improper Neutralization of Special Elements used in a Command vulnerability in one of the FortiClient for Mac OS root processes may allow a local user of the system on which FortiClient is running to execute unauthorized code as root by bypassing a security check. | 2019-11-21 | not yet calculated | CVE-2019-17650; CONFIRM |
| fortinet — forticlient_for_mac | A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway. | 2019-11-21 | not yet calculated | CVE-2019-15704; CONFIRM |
| fortinet — fortios | Use of a hard-coded cryptographic key to cipher sensitive data in the FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and the High Availability password (when set). | 2019-11-21 | not yet calculated | CVE-2019-6693; CONFIRM |
| gitlab — gitlab | GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments. | 2019-11-22 | not yet calculated | CVE-2019-15593; MISC |
| gnu — c_library | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | 2019-11-19 | not yet calculated | CVE-2019-19126; MISC |
| gnu — gnusound | gnusound 0.7.5 has a format string issue. | 2019-11-19 | not yet calculated | CVE-2012-0824; MISC, MISC, MISC, MISC |
| hotkeyp — hotkeyp | HotkeyP through 4.9 r96 allows privilege escalation in the privilege function in Commands.cpp. | 2019-11-21 | not yet calculated | CVE-2019-18349; MISC, MISC, MISC |
| hp — thinpro | The VPN software within HP ThinPro does not safely handle user-supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges. | 2019-11-22 | not yet calculated | CVE-2019-18909; CONFIRM |
| hp — thinpro | The Citrix Receiver wrapper function does not safely handle user-supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges. | 2019-11-22 | not yet calculated | CVE-2019-18910; CONFIRM |
| hp — thinpro | An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands. | 2019-11-22 | not yet calculated | CVE-2019-16286; CONFIRM |
| hp — thinpro | An attacker may be able to leverage the application filter bypass vulnerability to gain privileged access to create a file on the local file system whose presence puts the device in Administrative Mode, which will allow the attacker to execute commands with elevated privileges. | 2019-11-22 | not yet calculated | CVE-2019-16287; CONFIRM |
| hp — thinpro | If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive. | 2019-11-22 | not yet calculated | CVE-2019-16285; CONFIRM |
| ibm — tivoli_netcool_impact | IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.16 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 166719. | 2019-11-22 | not yet calculated | CVE-2019-4569; XF, CONFIRM |
| ibm — tivoli_netcool_impact | IBM Tivoli Netcool Impact 7.1.0 through 7.1.0.16 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 166720. | 2019-11-22 | not yet calculated | CVE-2019-4570; XF, CONFIRM |
| ikiwiki — ikiwiki | Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi. | 2019-11-21 | not yet calculated | CVE-2015-2793; MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC |
| iobroker — iobroker.js-controller | An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if authentication is enabled (by default it isn't enabled). | 2019-11-21 | not yet calculated | CVE-2019-10767; MISC |
| jalios — jcms | Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password. | 2019-11-21 | not yet calculated | CVE-2019-19033; MISC, MISC, MISC |
| jenkins — jenkins | Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | 2019-11-21 | not yet calculated | CVE-2019-16542; MLIST, CONFIRM |
| jenkins — jenkins | Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | 2019-11-21 | not yet calculated | CVE-2019-16543; MLIST, CONFIRM |
| jenkins — jenkins | Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. | 2019-11-21 | not yet calculated | CVE-2019-16541; MLIST, CONFIRM |
| jenkins — jenkins | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts. | 2019-11-21 | not yet calculated | CVE-2019-16538; MLIST, CONFIRM |
| joomla! — joomla! | The Mijosoft MijoSearch component 2.0.1 and earlier for Joomla! allows remote attackers to obtain sensitive information via a request to component/mijosearch/search, which reveals the installation path in an error message. | 2019-11-22 | not yet calculated | CVE-2013-6879; MISC |
| joomla! — joomla! | Cross-site scripting (XSS) vulnerability in the Mijosoft MijoSearch component 2.0.4 and earlier for Joomla! allows remote attackers to inject arbitrary web script or HTML via the query parameter to component/mijosearch/search. | 2019-11-22 | not yet calculated | CVE-2013-6878; MISC |
| kyrol_security_labs — kyrol_internet_security | IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0.6.9 allows an attacker to achieve privilege escalation, denial-of-service, and code execution via usermode because 0x9C402401 using METHOD_NEITHER results in a read primitive. | 2019-11-21 | not yet calculated | CVE-2019-19197; MISC, MISC |
| lexmark — services_monitor | In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a remote attacker can use a directory traversal technique using /../../../ or ..%2F..%2F..%2F to obtain local files on the host operating system. | 2019-11-21 | not yet calculated | CVE-2019-16758; MISC, MISC |
| libarchive — libarchive | In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. | 2019-11-21 | not yet calculated | CVE-2019-19221; MISC, MISC |
| lightdm — lightdm | lightdm before 0.9.6 writes to .dmrc and Xauthority files using root permissions while the files are in user-controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation. | 2019-11-19 | not yet calculated | CVE-2011-3349; MISC, MISC, MISC, MISC, MISC, MISC |
| linux_foundation — foomatic-rip_filter | foomatic-rip filter, all versions, insecurely creates temporary files for storage of PostScript data when rendering the data with debug mode enabled. This flaw may be exploited by a local attacker to conduct symlink attacks by overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter. | 2019-11-19 | not yet calculated | CVE-2011-2923; MISC, MISC, MISC, MISC |
| linux_foundation — foomatic-rip_filter | foomatic-rip filter v4.0.12 and prior insecurely creates temporary files for storage of PostScript data when rendering the data with debug mode enabled. This flaw may be exploited by a local attacker to conduct symlink attacks by overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter. | 2019-11-19 | not yet calculated | CVE-2011-2924; MISC, MISC, MISC, MISC, MISC, MISC |
| linux — linux_kernel | In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122. | 2019-11-22 | not yet calculated | CVE-2019-19227; MISC, MISC |
| loftek — nexus_543_ip_camera | The Loftek Nexus 543 IP Camera allows remote attackers to obtain (1) IP addresses via a request to get_realip.cgi or (2) firmware versions (ui and system), timestamp, serial number, p2p port number, and wifi status via a request to get_status.cgi. | 2019-11-21 | not yet calculated | CVE-2013-3314; MISC, MISC, MISC |
| loftek — nexus_543_ip_camera | Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request. | 2019-11-21 | not yet calculated | CVE-2013-3311; MISC, MISC, MISC |
| loftek — nexus_543_ip_camera | The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-3311. | 2019-11-21 | not yet calculated | CVE-2013-3313; MISC, MISC, MISC |
| loftek — nexus_543_ip_camera | Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or (2) firewall configuration, as demonstrated by a request to set_users.cgi. | 2019-11-21 | not yet calculated | CVE-2013-3312; MISC, MISC |
| masqmail — masqmail | masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c, which results in improper privilege dropping. | 2019-11-19 | not yet calculated | CVE-2011-3350; MISC, MISC, MISC |
| mcafee — client_proxy | Authentication Bypass vulnerability in the Microsoft Windows client in McAfee Client Proxy (MCP) prior to 3.0.0 allows a local user to bypass scanning of web traffic and gain access to blocked sites for a short period of time via generating an authorization key on the client which should only be generated by the network administrator. | 2019-11-22 | not yet calculated | CVE-2019-3654; MISC |
| myphpadmin — myphpadmin | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. | 2019-11-22 | not yet calculated | CVE-2019-18622; CONFIRM |
| naver — vaccine | nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within an nsz archive. | 2019-11-22 | not yet calculated | CVE-2019-13157; CONFIRM |
| netapp — ontap_select_deploy | ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which, when successfully exploited, could allow an unauthenticated remote attacker to enable and use a privileged user account. | 2019-11-21 | not yet calculated | CVE-2019-5509; CONFIRM |
| netapp — ontap_select_deploy | All versions of ONTAP Select Deploy administration utility are susceptible to a vulnerability which, when successfully exploited, could allow an administrative user to escalate their privileges. | 2019-11-21 | not yet calculated | CVE-2019-17272; CONFIRM |
| newbee-mall — newbee-mall | main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection. | 2019-11-18 | not yet calculated | CVE-2019-19113; MISC |
| nginx — nginx | The nginx http proxy module does not verify the peer identity of the https origin server, which could facilitate a man-in-the-middle attack (MITM). | 2019-11-19 | not yet calculated | CVE-2011-4968; MISC, MISC, MISC, MISC, MISC, MISC, MISC |
| nitro_software — nitro_pro | Nitro Pro before 13.2 creates a debug.log file in the directory where a .pdf file is located, if the .pdf document was produced by an OCR operation on the JPEG output of a scanner. Reportedly, this can have a security risk if debug.log is later edited and then executed. | 2019-11-21 | not yet calculated | CVE-2019-18958; MISC |
| nlnet_labs — unbound | Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. | 2019-11-19 | not yet calculated | CVE-2019-18934; MLIST, MISC, MISC, CONFIRM |
| nsslglobal_technologies — satlink_vsat_modem_unit_devices | The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code. | 2019-11-22 | not yet calculated | CVE-2019-15652; MISC, MISC |
| nusphere — nusoap | nuSOAP before 0.7.3-5 does not properly check the hostname of a cert. | 2019-11-19 | not yet calculated | CVE-2012-6071; MISC, MISC, MISC, MISC |
| oniguruma — oniguruma | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read. | 2019-11-21 | not yet calculated | CVE-2019-19203; MISC, MISC |
| oniguruma — oniguruma | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read. | 2019-11-21 | not yet calculated | CVE-2019-19204; MISC, MISC |
| openshift-origin-node_gem_for_ruby_on_rails — openshift-origin-node_gem_for_ruby_on_rails | Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout, which could result in a denial of service in cron.daily and cron.weekly. | 2019-11-21 | not yet calculated | CVE-2014-0084; MISC |
| openstack — designate | Designate does not enforce the DNS protocol limit concerning record set sizes. | 2019-11-22 | not yet calculated | CVE-2015-5694; MISC, MISC, MISC, MISC |
| ovirt — ovirt | oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center. | 2019-11-22 | not yet calculated | CVE-2015-1780; MISC, MISC |
| owncloud — owncloud | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php. | 2019-11-22 | not yet calculated | CVE-2013-0203; MISC, MISC |
| pagekit — pagekit | A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request. | 2019-11-22 | not yet calculated | CVE-2019-19013; MISC |
| pannellum — pannellum | In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if pannellum.htm was hosted on a domain that shared cookies with the targeted site's user authentication; an | | | |