Vulnerability Summary for the Week of September 10, 2018
Released
Sep 23, 2018
Document ID
SB18-266
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- websphere_application_server | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024. | 2018-09-07 | 7.5 | CVE-2018-1567 SECTRACK XF CONFIRM |
| nordvpn -- nordvpn | An exploitable code execution vulnerability exists in the connect functionality of NordVPN 6.14.28.0. A specially crafted configuration file can cause a privilege escalation, resulting in the execution of arbitrary commands with system privileges. | 2018-09-07 | 7.2 | CVE-2018-3952 BID MISC |
| protonvpn -- protonvpn | An exploitable code execution vulnerability exists in the connect functionality of ProtonVPN VPN client 1.5.1. A specially crafted configuration file can cause a privilege escalation, resulting in the ability to execute arbitrary commands with the system's privileges. | 2018-09-07 | 7.2 | CVE-2018-4010 BID MISC |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- security_identity_governance_and_intelligence | IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599. | 2018-09-07 | 5.0 | CVE-2018-1756 CONFIRM XF EXPLOIT-DB |
| ibm -- security_identity_governance_and_intelligence | IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application. IBM X-Force ID: 148601. | 2018-09-07 | 5.0 | CVE-2018-1757 CONFIRM XF |
| weseek -- growi | Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view. | 2018-09-07 | 4.3 | CVE-2018-0653 JVN CONFIRM |
| weseek -- growi | Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page. | 2018-09-07 | 4.3 | CVE-2018-0654 JVN CONFIRM |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- campaign | IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 121152. | 2018-09-07 | 3.5 | CVE-2017-1114 XF CONFIRM |
| ibm -- campaign | IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 121153. | 2018-09-07 | 3.5 | CVE-2017-1115 XF CONFIRM |
| weseek -- growi | Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page. | 2018-09-07 | 3.5 | CVE-2018-0652 JVN CONFIRM |
| weseek -- growi | Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page. | 2018-09-07 | 3.5 | CVE-2018-0655 JVN CONFIRM |
Severity Not Yet Assigned
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| torproject -- tor_browser | Tor Browser on Windows before 8.0 allows remote attackers to bypass the intended anonymity feature and discover a client IP address, a different vulnerability than CVE-2017-16541. User interaction is required to trigger this vulnerability. | 2018-09-14 | not yet calculated | CVE-2017-16639 MISC BID BUGTRAQ MISC |
| synametrics_technologies -- synaman | Multiple cross-site scripting (XSS) vulnerabilities in Synametrics SynaMan 4.0 build 1488 via the (1) Main heading or (2) Sub heading fields in the Partial Branding configuration page. | 2018-09-14 | not yet calculated | CVE-2018-10763 MISC EXPLOIT-DB |
| synametrics_technologies -- synaman | Synametrics SynaMan 4.0 build 1488 uses cleartext password storage for SMTP credentials. | 2018-09-14 | not yet calculated | CVE-2018-10814 MISC EXPLOIT-DB |
| zoho -- manageengine_desktop_central | An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. | 2018-09-12 | not yet calculated | CVE-2018-13411 BID MISC CONFIRM |
| zoho -- manageengine_desktop_central | An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. | 2018-09-12 | not yet calculated | CVE-2018-13412 BID MISC CONFIRM |
| openstack -- rabbitmq | The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage. This could potentially allow an attacker to serve malicious code to the image builder and install in the resultant container image. Version of openstack-rabbitmq-container and openstack-containers as shipped with Red Hat Openstack 12, 13, 14 are believed to be vulnerable. | 2018-09-10 | not yet calculated | CVE-2018-14620 REDHAT REDHAT CONFIRM |
| openstack -- neutron | When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable. | 2018-09-10 | not yet calculated | CVE-2018-14635 REDHAT REDHAT REDHAT CONFIRM CONFIRM CONFIRM |
| lg -- supersign_cms | LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs. | 2018-09-14 | not yet calculated | CVE-2018-16288 MISC EXPLOIT-DB |
| jhead -- jhead | The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling. | 2018-09-15 | not yet calculated | CVE-2018-16554 MISC MISC |
| roundcube -- roundcube | In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings). | 2018-09-09 | not yet calculated | CVE-2018-16736 MISC MISC EXPLOIT-DB |
mongodb -- mongodb | _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer. | 2018-09-10 | not yet calculated | CVE-2018-16790 CONFIRM CONFIRM MISC |
| artifex -- ghostscript | An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509. | 2018-09-10 | not yet calculated | CVE-2018-16802 MISC MISC CONFIRM MLIST MLIST MISC UBUNTU DEBIAN |
| openafs_foundation -- openafs | An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume's content with arbitrary data. | 2018-09-11 | not yet calculated | CVE-2018-16947 CONFIRM MLIST |
| openafs_foundation -- openafs | An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage. For example, RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory. | 2018-09-11 | not yet calculated | CVE-2018-16948 CONFIRM MLIST |
| openafs_foundation -- openafs | An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several data types used as RPC input variables were implemented as unbounded array types, limited only by the inherent 32-bit length field to 4 GB. An unauthenticated attacker could send, or claim to send, large input values and consume server resources waiting for those inputs, denying service to other valid connections. | 2018-09-11 | not yet calculated | CVE-2018-16949 CONFIRM MLIST |
| ibm -- maximo_asset_management | IBM Maximo Asset Management 7.6 through 7.6.3 could allow an unauthenticated attacker to obtain sensitive information from error messages. IBM X-Force ID: 145967. | 2018-09-13 | not yet calculated | CVE-2018-1698 BID XF CONFIRM |
| N/A -- N/A | A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp. | 2018-09-13 | not yet calculated | CVE-2018-17000 MISC BID |
| N/A -- N/A | BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results. | 2018-09-15 | not yet calculated | CVE-2018-17061 MISC CONFIRM |
| N/A -- N/A | An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/NTPSyncWithHost route. This could lead to command injection via shell metacharacters. | 2018-09-15 | not yet calculated | CVE-2018-17063 MISC |
| N/A -- N/A | An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/sylogapply route. This could lead to command injection via the syslogIp parameter after /goform/clearlog is invoked. | 2018-09-15 | not yet calculated | CVE-2018-17064 MISC |
| N/A -- N/A | An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. Within the handler function of the /goform/DDNS route, a very long password could lead to a stack-based buffer overflow and overwrite the return address. | 2018-09-15 | not yet calculated | CVE-2018-17065 MISC |
| N/A -- N/A | An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/form2systime.cgi route. This could lead to command injection via shell metacharacters in the datetime parameter. | 2018-09-15 | not yet calculated | CVE-2018-17066 MISC |
| N/A -- N/A | An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. A very long password to /goform/formLogin could lead to a stack-based buffer overflow and overwrite the return address. | 2018-09-15 | not yet calculated | CVE-2018-17067 MISC |
| N/A -- N/A | An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/Diagnosis route. This could lead to command injection via shell metacharacters in the sendNum parameter. | 2018-09-15 | not yet calculated | CVE-2018-17068 MISC |
| N/A -- N/A | An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay. | 2018-09-15 | not yet calculated | CVE-2018-17069 MISC |
| N/A -- N/A | An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay. | 2018-09-15 | not yet calculated | CVE-2018-17070 MISC |
| N/A -- N/A | JSON++ through 2016-06-15 has a buffer over-read in yyparse() in json.y. | 2018-09-15 | not yet calculated | CVE-2018-17072 MISC |
| N/A -- N/A | wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image. | 2018-09-15 | not yet calculated | CVE-2018-17073 MISC |
| N/A -- N/A | The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter. | 2018-09-15 | not yet calculated | CVE-2018-17074 MISC MISC MISC MISC |
| N/A -- N/A | The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit. | 2018-09-15 | not yet calculated | CVE-2018-17075 MISC MISC MISC |
| N/A -- N/A | GPP through 2.25 will try to use more memory space than is available on the stack, leading to a segmentation fault or possibly unspecified other impact via a crafted file. | 2018-09-15 | not yet calculated | CVE-2018-17076 MISC |
| N/A -- N/A | An issue was discovered in yiqicms through 2016-11-20. There is stored XSS in comment.php because a length limit can be bypassed. | 2018-09-15 | not yet calculated | CVE-2018-17077 MISC |
| N/A -- N/A | IBM Datacap Fastdoc Capture 9.1.1, 9.1.3, and 9.1.4 could allow an authenticated user to bypass future authentication mechanisms once the initial login is completed. IBM X-Force ID: 148691. | 2018-09-12 | not yet calculated | CVE-2018-1773 BID XF CONFIRM |
| N/A -- N/A | IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939. | 2018-09-07 | not yet calculated | CVE-2018-1789 XF CONFIRM |
| N/A -- N/A | Users of an SAP Mobile Platform (version 3.0) Offline OData application, which uses Offline OData-supplied delta tokens (which is on by default), occasionally receive some data values of a different user. | 2018-09-11 | not yet calculated | CVE-2018-2459 BID MISC CONFIRM |
| N/A -- N/A | Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 HR version 6.0) for an authenticated user which may result in an escalation of privileges. | 2018-09-11 | not yet calculated | CVE-2018-2461 BID MISC CONFIRM |
| N/A -- N/A | A vulnerability in a subsystem in Intel CSME before version 11.21.55, Intel Server Platform Services before version 4.0 and Intel Trusted Execution Engine Firmware before version 3.1.55 may allow an unauthenticated user to potentially modify or disclose information via physical access. | 2018-09-12 | not yet calculated | CVE-2018-3655 CONFIRM CONFIRM |
| N/A -- N/A | On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated user can execute code on the alert server by using a maliciously crafted payload. | 2018-09-13 | not yet calculated | CVE-2018-5545 BID CONFIRM |
| N/A -- N/A | On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of cipher texts. | 2018-09-13 | not yet calculated | CVE-2018-5548 MISC BID CONFIRM |
| N/A -- N/A | On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and 13.1.0-13.1.0.3, APMD may core when processing SAML Assertion or response containing certain elements. | 2018-09-13 | not yet calculated | CVE-2018-5549 BID CONFIRM |
| N/A -- N/A | The AirWatch Agent for iOS prior to 5.8.1 contains a data protection vulnerability whereby the files and keychain entries in the Agent are not encrypted. | 2018-09-11 | not yet calculated | CVE-2018-6975 BID SECTRACK CONFIRM |
| N/A -- N/A | An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory, aka "Windows Registry Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 2018-09-12 | not yet calculated | CVE-2018-8410 BID SECTRACK CONFIRM EXPLOIT-DB |
| N/A -- N/A | An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8424. | 2018-09-12 | not yet calculated | CVE-2018-8422 BID CONFIRM |
| N/A -- N/A | A security feature bypass exists when Device Guard incorrectly validates an untrusted file, aka "Device Guard Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | 2018-09-12 | not yet calculated | CVE-2018-8449 BID SECTRACK CONFIRM EXPLOIT-DB |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.