Vulnerability Summary for the Week of August 27, 2018
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) [National Vulnerability Database] (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.[hyperlink: https://nvd.nist.gov/vuln/search]
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
There were no high vulnerabilities recorded this week. |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
There were no medium vulnerabilities recorded this week. |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
There were no low vulnerabilities recorded this week. |
Severity Not Yet Assigned
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
apache -- perl | mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes. | 2018-08-26 | not yet calculated | CVE-2011-2767 MISC MISC |
google -- chrome | Out-of-bounds Write in the QUIC networking stack in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to gain code execution via a malicious server. | 2018-08-28 | not yet calculated | CVE-2017-15407 REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome | A stack buffer overflow in V8 in Google Chrome prior to 62.0.3202.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | 2018-08-28 | not yet calculated | CVE-2017-15406 MISC MISC |
google -- chrome_skia | Heap buffer overflow in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2018-08-28 | not yet calculated | CVE-2017-15409 REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome_omnibox | Heap buffer overflow in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file that is mishandled by PDFium. | 2018-08-28 | not yet calculated | CVE-2017-15408 REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome_pdfium | Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 2018-08-28 | not yet calculated | CVE-2017-15410 REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome_libxml2 | Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2018-08-28 | not yet calculated | %3 |
google -- chrome_pdfium | Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 2018-08-28 | not yet calculated | CVE-2017-15411 REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome | A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2018-08-28 | not yet calculated | CVE-2017-15396 MISC BID REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome | A use after free in V8 in Google Chrome prior to 62.0.3202.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2018-08-28 | not yet calculated | CVE-2017-15399 BID REDHAT MISC MISC GENTOO DEBIAN |
google -- chrome | A stack buffer overflow in the QUIC networking stack in Google Chrome prior to 62.0.3202.89 allowed a remote attacker to gain code execution via a malicious server. | 2018-08-28 | not yet calculated | CVE-2017-15398 BID REDHAT MISC MISC GENTOO DEBIAN |
ibm -- ibmcloud_orchestrator | A vulnerability has been identified in IBM Cloud Orchestrator 2.3, 2.3.0.1, 2.4, and 2.4.0.1 that could allow an attacker after authentication to enumerate valid users of the system. IBM X-Force ID: 109394. | 2018-08-30 | not yet calculated | CVE-2016-0205 XF CONFIRM |
ibm -- openpages_grc_platform | IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303. | 2018-08-30 | not yet calculated | CVE-2016-0234 CONFIRM XF |
ibm -- urbancode | IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. IBM X-Force ID: 112119. | 2018-08-30 | not yet calculated | CVE-2016-0373 CONFIRM XF |
lansweeper -- lansweeper | Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute arbitrary code on the administrator's workstation via a crafted Windows service. | 2018-08-27 | not yet calculated | CVE-2015-9264 MISC |
openstack -- cinder | A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants. | 2018-08-27 | not yet calculated | CVE-2017-15139 CONFIRM MISC |
phpmyfaq -- captcha | phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request. | 2018-08-28 | not yet calculated | CVE-2014-6050 MISC CONFIRM |
phpmyfaq -- phpmyfaq | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4) publish FAQs, (5) add or delete Glossary, (6) add or delete FAQ news, or (7) add or delete comments or add votes by leveraging lack of a CSRF token. | 2018-08-28 | not yet calculated | CVE-2014-6046 MISC CONFIRM |
phpmyfaq -- phpmyfaq | phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks. | 2018-08-28 | not yet calculated | CVE-2014-6047 MISC CONFIRM |
phpmyfaq -- phpmyfaq | phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter. | 2018-08-28 | not yet calculated | CVE-2014-6049 MISC CONFIRM |
phpmyfaq -- phpmyfaq | phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request. | 2018-08-28 | not yet calculated | CVE-2014-6048 MISC CONFIRM |
phpmyfaq -- phpmyfaq | SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function. | 2018-08-28 | not yet calculated | CVE-2014-6045 MISC CONFIRM |
post2file.php -- uptime_monitoring_station | An issue was discovered in post2file.php in Up.Time Monitoring Station 7.5.0 (build 16) and 7.4.0 (build 13). It allows an attacker to upload an arbitrary file, such as a .php file that can execute arbitrary OS commands. | 2018-08-27 | not yet calculated | CVE-2015-9263 MISC EXPLOIT-DB MISC |
umbraco -- umbraco | Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files. | 2018-08-27 | not yet calculated | CVE-2014-10074 MISC MISC |
wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php. | 2018-08-28 | not yet calculated | CVE-2014-4932 MISC CONFIRM |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.