CVE-2018-6323

CVE: CVE-2018-6323
Published: 2018-01-26T08:29Z
Vendor: gnu
Products: binutils
Versions: 2.29.1,
Description Language: en
Description: The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
References:
http://www.securityfocus.com/bid/102821
https://sourceware.org/bugzilla/show_bug.cgi?id=22746
https://www.exploit-db.com/exploits/44035/

CVE-2018-6015

CVE: CVE-2018-6015
Published: 2018-01-26T20:29Z
Description Language: en
Description: An issue was discovered in the “Email Subscribers & Newsletters” plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data.
References:
https://blog.threatpress.com/vulnerability-email-subscribers-plugin/
https://www.exploit-db.com/exploits/43872/

CVE-2018-5750

CVE: CVE-2018-5750
Published: 2018-01-26T19:29Z
Vendor: linux
Products: linux_kernel
Versions: 4.14.15,
Description Language: en
Description: The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
References:
http://www.securitytracker.com/id/1040319
https://patchwork.kernel.org/patch/10174835/
https://www.debian.org/security/2018/dsa-4120

CVE-2018-1342

CVE: CVE-2018-1342
Published: 2018-01-26T02:29Z
Vendor: netiq
Products: access_manager
Versions: 4.3, 4.4,
Description Language: en
Description: A vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. This impacts NetIQ Access Manager versions 4.3 and 4.4 as well as the Administrative console.
References:
https://www.novell.com/support/kb/doc.php?id=7022444

CVE-2018-1000017

CVE: CVE-2018-1000017
Published: 2018-01-26T02:29Z
Description Language: en
Description: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1142857. Reason: This candidate is effectively a reservation duplicate of CVE-2015-1142857, originally it was thought that an incomplete fix occurred and a second CVE was needed, however this does not appear to be the case. Notes: All CVE users should reference CVE-2015-1142857 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
References:

CVE-2018-0507

CVE: CVE-2018-0507
Published: 2018-01-26T16:29Z
Vendor: ntt-east
Products: flet’s_virus_clear_easy_setup_&_application_tool
Versions: 11,
flet’s_virus_clear_v6_easy_setup_&_application_tool
Versions: 11,
Description Language: en
Description: Untrusted search path vulnerability in FLET’S VIRUS CLEAR Easy Setup & Application Tool ver.11 and earlier versions, FLET’S VIRUS CLEAR v6 Easy Setup & Application Tool ver.11 and earlier versions allow an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
References:
https://jvn.jp/en/jp/JVN26255241/index.html

CVE-2018-0506

CVE: CVE-2018-0506
Published: 2018-01-26T16:29Z
Vendor: nootka_project
Products: nootka
Versions: 1.4.4,
Description Language: en
Description: Nootka 1.4.4 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
References:
https://jvn.jp/en/jp/JVN10103841/index.html

CVE-2018-6315

CVE: CVE-2018-6315
Published: 2018-01-25T22:29Z
Vendor: libming
Products: libming
Versions: 0.4.8,
Description Language: en
Description: The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming through 0.4.8 is vulnerable to an integer overflow and resultant out-of-bounds read, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.
References:
http://www.securityfocus.com/bid/102828
https://github.com/libming/libming/issues/101

CVE-2018-6313

CVE: CVE-2018-6313
Published: 2018-01-25T22:29Z
Vendor: wbce
Products: wbce_cms
Versions: 1.3.1,
Description Language: en
Description: Cross-site scripting (XSS) in WBCE CMS 1.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the Modify Page screen, a different issue than CVE-2017-2118.
References:
https://github.com/imsebao/404team/blob/master/wbce_cms_xss.md

CVE-2018-6308

CVE: CVE-2018-6308
Published: 2018-01-25T08:29Z
Vendor: sugarcrm
Products: sugarcrm
Versions: 6.5.26,
Description Language: en
Description: Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.
References:
http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf