An information disclosure vulnerability has been reported in the Windows Media Foundation component of Microsoft Windows. The vulnerability is due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted QuickTime media file. Successful exploitation could result in the execution of arbitrary code within the context of...
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
This strike exploits a Java deserialization vulnerability in the Zoho ManageEngine Desktop Central. This vulnerability is in the getChartImage function of the FileStorage class, due to lack of proper validation of user-supplied data, which results in deserialization of untrusted data. A remote unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the target...
CVSS: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
An image injection vulnerability exists in Oracle iPlanet Web Server versions 7.0.x, due to poor 'productNameSrc' HTTP parameter sanitization. By tricking an admin to follow a crafted URL, a remote attacker may perform phishing attacks by injecting a custom image in the admin panel.
CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
A denial of service vulnerability exists in BIND DNS Server versions 9.0.0-9.11.18, 9.12.0-9.12.4-P2, 9.14.0-9.14.11, 9.16.0-9.16.2-9.17.0 to 9.17.1 due to lack of MAC field size check when parsing TSIG records. A remote attacker may conduct a denial of service attack by sending a crafted DNS packet which leads to abnormal process termination due to a failed assertion.
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
An authentication bypass vulnerability exists in the bbPress Wordpress plugin. The vulnerability is due to lack of validation on user authorization requests. A remote unauthorized attacker can exploit this vulnerability by sending a crafted HTTP POST request to the system. Successful exploitation results in creating a user with full privileges ('Keymaster' role).
CVSS: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
A command injection vulnerability exists in Eaton Intelligent Power Manager 1.67 and prior, due to lack of user input sanitization. An authenticated remote attacker may execute arbitrary OS commands as a superuser by providing a crafted filename parameter when uploading a configuration file.
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
This strike exploits a vulnerability in Spidermonkey, the Javascript engine of Mozilla Firefox. An attacker can craft Javascript promise resolutions in such a way that make it possible to cause an out-of-bounds read off the end of an array resized during script execution. This can lead to a denial of service or potentially allow for remote code execution to occur.
CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
This strike simulates a malspam phishing email that has been seen in the wild AZORult and Neutrino malware. This specific phishing attempt is related to the AZORult Neutrino Sept 2018 malware campaign.
CVSS: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
A command injection vulnerability exists in VMware Cloud Director. The vulnerability is due to the lack of sanitization while parsing input passed to 'hostname' parameter within the SMPT configuration form. An authenticated attacker can exploit this vulnerability by crafting a malicious HTTP PUT request. Successful exploitation results in full control of the cloud director platform.
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. A remote attacker can use this vulnerability to either execute shell commands under root privileges (on versions before 1.0.19.20) or inject HTML in password recovery emails (on versions before 1.0.20.17).
CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
An information disclosure vulnerability exists in Oracle iPlanet Web Server versions 7.x and prior. By accessing specific paths related to the admin panel, a remote unauthenticated attacker may obtain sensitive information regarding server's configuration.
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
A remote command injection exists in multiple TP-Link Cloud Camera devices (NC2XX) due to lack of user input sanitization. By sending a crafted 'sysname' POST parameter to '/setsysname.fcgi' path, a remote authenticated commander may execute arbitrary commands on the target system.
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits an insecure deserialization vulnerability in Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability lies in the 'ReflectionExtractor.class' in the Coherence REST library. The vulnerability is a result of insufficient validation of T3 requests. The server allows deserialization of classes in objects embedded with T3...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits an insecure deserialization vulnerability in Microsoft SharePoint. The vulnerability is due to insufficient validation of user-supplied data to 'EntityInstanceIdEncoder' class. A remote, authenticated attacker could exploit this vulnerability by sending maliciously crafted HTTP requests to a target SharePoint server. Successful exploitation of this vulnerability leads...
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
A memory corruption vulnerability has been reported in Adobe Type Manager component of Microsoft Windows. The vulnerability is due to improper handling of specially crafted BlendDesignPositions array in multiple master Type 1 fonts. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted font file. Successful exploitation could result either in the execution of...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits an insecure deserialization vulnerability in Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability lies in the 'MvelExtractor.class' in the Coherence REST library. The vulnerability is a result of insufficient validation of T3 requests. The server allows deserialization of classes in objects embedded with T3...
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
A use after free vulnerability exists in Adobe Reader and Acrobat due to incorrect manipulation of objects in memory. The vulnerability exists in 'AcroForm.api' dynamic library and may be triggered by a Field object that begins with an UTF-16 BE BOM sequence. An attacker may execute arbitrary code on a victim's system by enticing the victim to open a crafted PDF file.
CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
This strike exploits a vulnerability in the TerraMaster NAS device. This device allows for an attacker to execute a cross site scripting attack against the system by performing HTML injection via the sysname parameter. It is then possible to hijack the user session the vulnerable system.
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
This strike exploits a vulnerability in the TerraMaster NAS device. This device allows for the option to pass command line arguments to the system during the creation of a user but does not properly validate the arguments passed via the groupname parameter. It is possible to execute system commands as a root user on a vulnerable device.
Pages