MCO Security CERT Global

• CVE-2018-18777
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass ... read more
• CVE-2018-18777
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass ... read more
• CVE-2018-18775
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp ... read more
• CVE-2018-18775
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp ... read more
• CVE-2018-6908
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing ... read more
• CVE-2018-6908
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing ... read more
• CVE-2018-6909
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be ... read more
• CVE-2018-6909
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be ... read more
• CVE-2018-6907
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web ... read more
• CVE-2018-6907
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web ... read more
• CVE-2018-18714
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL ... read more
• CVE-2018-18714
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL ... read more
• CVE-2018-18776
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ... read more
• CVE-2018-18776
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ... read more
• CVE-2018-10586
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12. ... read more
• CVE-2018-10586
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12. ... read more
• CVE-2018-18695
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file. ... read more
• CVE-2018-18695
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file. ... read more
• CVE-2018-10587
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** NetGain Enterprise Manager (EM) is affected by OS Command Injection vulnerabilities in versions before 10.0.57. These vulnerabilities could allow remote ... read more
• CVE-2018-10587
  Gravedad: NonePublicado: 01/11/2018Last revised: 01/11/2018Descripción: *** Pendiente de traducción *** NetGain Enterprise Manager (EM) is affected by OS Command Injection vulnerabilities in versions before 10.0.57. These vulnerabilities could allow remote ... read more
• Cisco Releases Security Advisory
  Original release date: November 01, 2018Cisco has released a security advisory to address a vulnerability affecting Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software. A remote attacker ... read more
• CVE-2018-18695
  M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file. ... read more
• CVE-2018-18776
  Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product. ... read more
• CVE-2018-6909
  A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by ... read more
• CVE-2018-10586
  NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12. ... read more
• CVE-2018-10587
  NetGain Enterprise Manager (EM) is affected by OS Command Injection vulnerabilities in versions before 10.0.57. These vulnerabilities could allow remote authenticated attackers to inject arbitrary code, resulting in remote code ... read more
• CVE-2018-6908
  An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device ... read more
• CVE-2018-18777
  Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a ... read more
• CVE-2018-18775
  Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product. ... read more
• CVE-2018-6906
  A persistent Cross Site Scripting (XSS) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to inject arbitrary JavaScript via the ... read more
• CVE-2018-6011
  The time-based one-time-password (TOTP) function in the application logic of the Green Electronics RainMachine Mini-8 (2nd generation) uses the administrator's password hash to generate a 6-digit temporary passcode that can ... read more
• CVE-2018-18714
  RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E010. This can lead to denial of service (DoS) or ... read more
• CVE-2018-6012
  The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function. ... read more
• CVE-2018-6907
  A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via ... read more
• CVE-2018-18883
  Gravedad: NonePublicado: 31/10/2018Last revised: 31/10/2018Descripción: *** Pendiente de traducción *** An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to ... read more
• CVE-2018-18892
  Gravedad: NonePublicado: 31/10/2018Last revised: 31/10/2018Descripción: *** Pendiente de traducción *** MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php. ... read more
• CVE-2018-18890
  Gravedad: NonePublicado: 31/10/2018Last revised: 31/10/2018Descripción: *** Pendiente de traducción *** MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename. ... read more
• CVE-2018-18887
  Gravedad: NonePublicado: 31/10/2018Last revised: 31/10/2018Descripción: *** Pendiente de traducción *** S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field). ... read more
• CVE-2018-18888
  Gravedad: NonePublicado: 31/10/2018Last revised: 31/10/2018Descripción: *** Pendiente de traducción *** An issue was discovered in laravelCMS through 2018-04-02. appHttpControllersBackendProfileController.php allows upload of arbitrary PHP files because the file extension is ... read more
• CVE-2018-18891
  Gravedad: NonePublicado: 31/10/2018Last revised: 31/10/2018Descripción: *** Pendiente de traducción *** MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late. ... read more
• Cyber warrant officer leads West Point research program for protecting critical U.S. infrastructure
  A major project to explore employment of the total Army force to defend the nation's critical infrastructure from cyber attack developed by the Army Cyber Institute (ACI) at the U.S. ... read more
• Fr. Sauter AG CASE Suite
  This advisory includes mitigations for an improper restriction of XML External Entity Reference vulnerability in Fr. Sauter AG's CASE Suite software. ... read more
• Circontrol CirCarLife
  This advisory includes mitigations for authentication bypass using an alternate path or channel and insufficiently protected credentials vulnerabilities in Circontrol’s CirCarLife, an electric vehicle charging station. ... read more
• AVEVA InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition)
  This advisory includes mitigations for stack-based buffer overflow and empty password in configuration file vulnerabilities in AVEVA’s InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition) products. ... read more
• Schneider Electric Software Update (SESU)
  This advisory includes mitigations for a DLL hijacking vulnerability in the Schneider Electric Software Update (SESU). ... read more
• VU#317277: Texas Instrument Microcontrollers CC2640 and CC2650 are vulnerable to variable and heap overflow.
  Vulnerability Note VU#317277 Texas Instrument Microcontrollers CC2640 and CC2650 are vulnerable to variable and heap overflow. Original Release date: 01 Nov 2018 | Last revised: 01 Nov 2018 Overview Texas ... read more
• ST18-006: Website Security
  Original release date: November 01, 2018 What is website security?Website security refers to the protection of personal and organizational public-facing websites from cyberattacks.Why should I care about website security?Cyberattacks against ... read more
• CVE-2018-14660
  A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple ... read more
• CVE-2018-3977
  An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker ... read more
• CVE-2018-3910
  An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted SSID can cause a command injection, resulting in code ... read more