Archive by Author

CVE-2018-10235

POSCMS 3.2.10 allows remote attackers to execute arbitrary PHP code via the diymodulemembercontrollersadminSetting.php ‘index’ function because an attacker can control the value of $cache[‘setting’][‘ucssocfg’] in diymodulemembermodelsMember_model.php and write this code into the api/ucsso/config.php file.

Leave a comment Continue Reading →

CVE-2018-3842

An exploitable use of an uninitialized pointer vulnerability exists in the JavaScript engine in Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can lead to a dereference of an uninitialized pointer which, if under attacker control, can result in arbitrary code execution. An attacker needs to trick the user to open a malicious […]

Leave a comment Continue Reading →

CVE-2018-10236

POSCMS 3.2.18 allows remote attackers to execute arbitrary PHP code via the diydayruicontrollersadminSyscontroller.php ‘add’ function because an attacker can control the value of $data[‘name’] with no restrictions, and this value is written to the FCPATH.$file file.

Leave a comment Continue Reading →

CVE-2018-3843

An exploitable type confusion vulnerability exists in the way Foxit PDF Reader version 9.0.1.1049 parses files with associated file annotations. A specially crafted PDF document can lead to an object of invalid type to be dereferenced, which can potentially lead to sensitive memory disclosure, and possibly to arbitrary code execution. An attacker needs to trick […]

Leave a comment Continue Reading →

CVE-2018-10230

Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455.

Leave a comment Continue Reading →

CVE-2018-8118

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka “Internet Explorer Memory Corruption Vulnerability.” This affects Internet Explorer 11, Internet Explorer 10.

Leave a comment Continue Reading →

CVE-2018-9861

Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.

Leave a comment Continue Reading →

CVE-2018-7899

The Mali Driver of Huawei Berkeley-AL20 and Berkeley-BD smart phones with software Berkeley-AL20 8.0.0.105(C00), 8.0.0.111(C00), 8.0.0.112D(C00), 8.0.0.116(C00), 8.0.0.119(C00), 8.0.0.119D(C00), 8.0.0.122(C00), 8.0.0.132(C00), 8.0.0.132D(C00), 8.0.0.142(C00), 8.0.0.151(C00), Berkeley-BD 1.0.0.21, 1.0.0.22, 1.0.0.23, 1.0.0.24, 1.0.0.26, 1.0.0.29 has a double free vulnerability. An attacker can trick a user to install a malicious application and exploit this vulnerability when in the exception […]

Leave a comment Continue Reading →

CVE-2017-3776

Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information.

Leave a comment Continue Reading →

CVE-2017-3774

A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to […]

Leave a comment Continue Reading →