Archive for July, 2019

CVE-2019-10187 (moodle)

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.
Source: NIST

CVE-2019-10188 (moodle)

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.
Source: NIST

CVE-2019-10189 (moodle)

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.
Source: NIST

CVE-2019-10198

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
Source: NIST

CVE-2019-14456

Opengear console server firmware releases prior to 4.5.0 have a stored XSS vulnerability related to serial port logging. If a malicious user of an external system (connected to a serial port on an Opengear console server) sends crafted text to a serial port (that has logging enabled), the text will be replayed when the logs are viewed. Exploiting this vulnerability requires access to the serial port and/or console server.
Source: NIST

CVE-2019-14459

nfdump 1.6.17 and earlier is affected by an integer overflow in the function Process_ipfix_template_withdraw in ipfix.c that can be abused in order to crash the process remotely (denial of service).
Source: NIST

CVE-2019-12797

A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle, as demonstrated by turning off the vehicle’s lights.
Source: NIST

Apple Device Management Firm Jamf Acquires Digita Security

Digita Security’s Apple Mac endpoint protection solutions will join Jamf’s MDM suite for iOS and MacOS.
Source: DarkReading

CVE-2019-3960

Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file.
Source: NIST

CVE-2019-3958

Insufficient output sanitization in WallacePOS 1.4.3 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks via a crafted sales transaction.
Source: NIST