All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
X-Pack Machine Learning (the automated data analysis component of the Elastic Stack) versions before 6.2.4 and 5.6.9 contained a cross-site scripting vulnerability (XSS, a flaw where attacker-supplied content is rendered as script in another user's browser). An attacker who can inject data into an Elasticsearch index that a machine learning job analyzes gets that data rendered when another user views the job's results, allowing the attacker to obtain sensitive information from, or perform destructive actions on behalf of, that user.
Fix: Update X-Pack Machine Learning to version 6.2.4 or 5.6.9 or later.
NVD/CVE Database
X-Pack Machine Learning (a tool for building predictive models in Elastic) versions before 6.2.4 and 5.6.9 contained a cross-site scripting vulnerability (XSS, where attacker-supplied content runs as script in users' browsers) reachable through job configuration rather than indexed data. Users holding the manage_ml permission could create jobs whose configuration carries malicious data; it executes when other ML users view those jobs' results, allowing the attacker to obtain sensitive information from, or perform destructive actions on behalf of, those users.
AirWatch Agent for iOS versions before 5.8.1 have a data protection vulnerability: files and keychain entries (the keychain is iOS's protected store for secrets such as passwords) are not encrypted, so an attacker who gains access to the device could read sensitive information stored by the app.
CVE-2017-2627 is a security flaw in Red Hat OpenStack Enterprise 10 and 11 where the sudoers file (the configuration file that controls which users may run which commands with elevated privileges) is too permissive. The rule for the mistral user allows directory traversal (a '..' path component escapes the directory the rule was meant to cover, so commands outside it run with the same privilege), and the validations user is granted full passwordless root access.
CVE-2018-13435 is a vulnerability in LINE version 8.8.0 for iOS where the Passcode feature (an in-app lock using a numeric code) can be bypassed through runtime manipulation (altering the app's behaviour while it runs, for example with a hooking framework), allowing someone with the device to disable passcode authentication. The vendor has stated this is not a realistic concern for its security model, since the manipulation is only possible on jailbroken iOS devices (phones whose operating-system protections have been deliberately removed).
LINE version 8.8.0 for iOS also had a flaw in its fingerprint login check. An attacker could bypass fingerprint authentication (authentication bypass, gaining access without proper verification) by forcing the app's fingerprint check to report success, because the app acted on that result without any protection that runtime manipulation could not defeat. LINE stated the flaw only matters on jailbroken iPhones (devices where iOS's security protections have been removed), which it does not consider a serious threat.
CVE-2017-7464 is a vulnerability in JBoss EAP 7.0's XML parsing component that allows attackers to exploit XXE flaws (XXE is XML External Entity injection, a technique where malicious XML input tricks a parser into revealing sensitive data or accessing internal systems). An attacker who can provide XML content for the system to parse could cause denial of service (making the system unavailable), SSRF (server-side request forgery, where the server is tricked into making requests to unintended targets), or leak sensitive information.
CVE-2018-13555 is an integer overflow (an arithmetic result larger than the type can hold wraps around to a small value) in the mintToken function of JaxBox, an Ethereum token smart contract (a program that runs on the blockchain and cannot be changed once deployed). Because mintToken adds the minted amount to the target's balance without checking for overflow, the contract owner can choose an amount that wraps any user's balance to any value they want.
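The arithmetic behind this, as an added example rather than the JaxBox contract's own code: the program below models the owner-only mintToken pattern common in ERC20 tokens of the period (assumed to be `balanceOf[target] += mintedAmount; totalSupply += mintedAmount;`), emulating Solidity's uint256 with BigInteger reduced modulo 2^256. `overflowAmount` computes the value an owner passes to wrap a holder's balance to a chosen number; the checked variant (SafeMath style, the default behaviour of Solidity 0.8 and later) rejects the same call. Account names and the starting balance are constructed for the demonstration.

```java
import java.math.BigInteger;
import java.util.HashMap;
import java.util.Map;

// Model (not the JaxBox contract's code) of the unchecked mintToken pattern.
// Solidity uint256 arithmetic is emulated with BigInteger reduced modulo 2^256.
public class MintOverflow {
    static final BigInteger MOD = BigInteger.ONE.shiftLeft(256);   // 2^256
    static final BigInteger MAX = MOD.subtract(BigInteger.ONE);    // largest uint256

    /** Unchecked uint256 addition: wraps silently, as Solidity did before 0.8. */
    static BigInteger wrappingAdd(BigInteger a, BigInteger b) {
        return a.add(b).mod(MOD);
    }

    /** Checked addition in the SafeMath style: throws (Solidity would revert) on overflow. */
    static BigInteger checkedAdd(BigInteger a, BigInteger b) {
        BigInteger c = a.add(b);
        if (c.compareTo(MAX) > 0) throw new ArithmeticException("uint256 overflow");
        return c;
    }

    /** Amount the owner passes so that current + amount wraps to exactly `desired`. */
    static BigInteger overflowAmount(BigInteger current, BigInteger desired) {
        return desired.subtract(current).mod(MOD);
    }

    final Map<String, BigInteger> balanceOf = new HashMap<>();
    BigInteger totalSupply = BigInteger.ZERO;
    final boolean safeMath;

    MintOverflow(boolean safeMath) { this.safeMath = safeMath; }

    BigInteger balance(String holder) {
        return balanceOf.getOrDefault(holder, BigInteger.ZERO);
    }

    /** mintToken(target, mintedAmount); in the real contract only the owner may call it. */
    void mintToken(String target, BigInteger mintedAmount) {
        BigInteger newBalance = safeMath ? checkedAdd(balance(target), mintedAmount)
                                         : wrappingAdd(balance(target), mintedAmount);
        BigInteger newSupply  = safeMath ? checkedAdd(totalSupply, mintedAmount)
                                         : wrappingAdd(totalSupply, mintedAmount);
        balanceOf.put(target, newBalance);
        totalSupply = newSupply;
    }

    public static void main(String[] args) {
        BigInteger thousand = BigInteger.valueOf(1000);

        // Vulnerable contract: "alice" (constructed) legitimately holds 1000 tokens.
        MintOverflow vulnerable = new MintOverflow(false);
        vulnerable.mintToken("alice", thousand);

        // The owner "mints" an amount chosen so alice's balance wraps to 1 token;
        // totalSupply wraps by the same amount.
        BigInteger amount = overflowAmount(vulnerable.balance("alice"), BigInteger.ONE);
        vulnerable.mintToken("alice", amount);
        System.out.println("amount passed : " + amount);
        System.out.println("alice balance : " + vulnerable.balance("alice"));
        System.out.println("totalSupply   : " + vulnerable.totalSupply);

        // The same call against the checked implementation is rejected.
        MintOverflow fixed = new MintOverflow(true);
        fixed.mintToken("alice", thousand);
        try {
            fixed.mintToken("alice", amount);
        } catch (ArithmeticException e) {
            System.out.println("checked mint  : reverted (" + e.getMessage() + ")");
        }
    }
}
```

The attack needs no guessing: the owner reads the victim's current balance from the public mapping, subtracts it from the desired value modulo 2^256, and passes the difference. Any reviewer of a token contract should treat an unchecked `+=` on a balance as this bug, regardless of who is allowed to call the function.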
CVE-2018-13108 is a local root jailbreak vulnerability (a flaw that lets attackers gain the highest level of system access) affecting all ADB broadband gateways and routers using the Epicentro platform. Attackers exploiting this vulnerability can extract sensitive data like VoIP credentials (phone service login information) or launch attacks against the ISP's internal network.
CVE-2017-7465 is a code injection vulnerability in JBoss EAP 7.0's XSLT processing (a language for transforming XML documents). An attacker who can provide XSLT content for the system to process could execute arbitrary code (run commands they shouldn't be able to run) on the affected server.
A security flaw in Dropbox version 100.2 for iOS allows attackers to bypass fingerprint authentication (Touch ID, Apple's biometric check) by manipulating the authentication call at runtime so that it always returns 'true' instead of reporting the real result. The vulnerability exists because the app does not use a protection mechanism that would make the validation result trustworthy; a Boolean handed back to the app's own process can always be patched on a jailbroken device, and the check only holds if what the app needs (a key or token) is released by the keychain or Secure Enclave solely after a genuine biometric match. Dropbox stated this is not a concern for its security model since it only affects jailbroken devices (iPhones that have been modified to remove Apple's security restrictions).
CVE-2018-6968 is a remote code execution vulnerability (where an attacker can run malicious code on a system they don't own) in VMware AirWatch Agent for Android before version 8.2 and Windows Mobile before version 6.5.2. A malicious administrator could exploit the File Manager feature to create and run unauthorized files in the app's sandbox (an isolated storage area) and publicly accessible directories like SD cards.
A vulnerability in Oracle Java SE's JAXP component (the XML processing library) allows an unauthenticated attacker with network access to cause a partial denial of service, affecting multiple Java versions including 7u171, 8u162, 10, and others. The flaw can be reached through web applications, Java applets, or by sending malicious data directly to the affected APIs; its CVSS score (a 0-10 rating of how severe a vulnerability is) of 5.3 indicates moderate severity.
CVE-2018-5314 is a command injection vulnerability (a security flaw where an attacker can run unauthorized system commands) in Citrix NetScaler ADC and NetScaler Gateway versions 11.0, 11.1, and 12.0, as well as certain NetScaler Load Balancing instances. Remote attackers can exploit this vulnerability through an SSH login prompt to execute system commands or read files they shouldn't have access to.
CVE-2017-14868 is a vulnerability in Restlet Framework versions before 2.3.11 that allows attackers to read arbitrary files on the server through an XXE attack (XML external entity injection, where malicious XML makes the parser load a local file and return its contents) when the SimpleXMLProvider component handles REST API requests. This affects applications using the framework's JAX-RS extension.
CVE-2017-5719 is a vulnerability in Intel Deep Learning Training Tool Beta 1 that allows a network attacker to remotely execute code (run commands on a system without authorization) as a local user. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.0. The specific weakness type could not be determined from available information.
Apache CXF (a framework for building web services) has a vulnerability where specially crafted message attachment headers can crash or disable a web service through a DoS attack (denial of service, temporarily making a service unavailable). This affects both JAX-WS and JAX-RS (two different specifications for web services) that use CXF.
TRITON AP-EMAIL version 8.2 before 8.2 IB has a security flaw where it does not properly restrict file access in an unspecified directory, meaning unauthorized users might be able to read or access files they shouldn't be able to. The vulnerability is caused by improper input validation (failure to check that incoming data is safe before using it).
A vulnerability in JAX-WS (a Java component for web services) affects Java SE versions 7u151, 8u144, and 9, allowing an attacker on the network to partially disable the service without needing to log in. This mainly impacts users running untrusted Java applications downloaded from the internet in sandboxed environments (isolated, restricted execution spaces), not servers running trusted administrator-installed code, with a severity rating of 5.3 out of 10.
A vulnerability in Oracle Java SE's JAXP component (the library for processing XML, a common data format) allows attackers to cause a partial denial of service of Java programs over the network without needing to log in. This mainly affects Java applications running in sandboxes (isolated environments) that execute untrusted code from the internet, and does not affect servers running only trusted code.
Fix: Update X-Pack Machine Learning to version 6.2.4 or 5.6.9 or later. The source references a security update at https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422.
Fix: Update AirWatch Agent for iOS to version 5.8.1 or later.
Fix: Set the FEATURE_SECURE_PROCESSING feature to 'true' in the javax.xml.transform.TransformerFactory (the component that processes XSLT transformations) to mitigate this vulnerability.
Fix: Update VMware AirWatch Agent for Android to version 8.2 or later, and AirWatch Agent for Windows Mobile to version 6.5.2 or later.
Fix: Update Restlet Framework to version 2.3.11 or later.
Fix: From Apache CXF versions 3.2.1 and 3.1.14 onwards, message attachment headers larger than 300 characters are rejected by default. This limit can be adjusted using the configuration property 'attachment-max-header-size'.
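The JBoss EAP XXE and XSLT items and the Restlet XXE item above all come down to how a JAXP factory is configured, so here is an added Java example (not code from JBoss EAP, Restlet or the NVD entries) that puts the weak default configuration beside the hardened one. It goes slightly beyond the fix text: besides the FEATURE_SECURE_PROCESSING setting on TransformerFactory it also sets the JAXP 1.5 external-access properties and hardens DocumentBuilderFactory, which is where XXE usually starts. It assumes the JDK's built-in JAXP implementation (the Xerces and XSLTC forks bundled with the JDK, Java 11 or later); it writes its own temporary "secret" file to stand in for anything the server process can read, and the XML payload and stylesheet are constructed for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class JaxpHardening {

    /** Weak configuration: JDK defaults, which resolve DTDs and external entities. */
    static DocumentBuilder permissiveBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened parser: refuse DOCTYPE outright, so no entity can even be declared. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Hardened transformer factory: the FEATURE_SECURE_PROCESSING mitigation from the
     *  advisory, plus the JAXP 1.5 access properties so a stylesheet cannot reach
     *  external DTDs, xsl:import/xsl:include targets or document() URIs. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parses xml and reports either the root element's text or the rejecting exception. */
    static String parseWith(DocumentBuilder b, String xml) {
        try {
            Document doc = b.parse(new InputSource(new StringReader(xml)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    /** Applies xslt to xml and reports either the output or the rejecting exception. */
    static String transformWith(TransformerFactory tf, String xslt, String xml) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return "transformed: " + out;
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for anything readable by the server process.
        Path secret = Files.createTempFile("secret", ".xml");
        Files.writeString(secret, "<secret>s3cr3t</secret>");
        String uri = secret.toUri().toString();

        // Constructed attacker XML: an external entity pointing at that file (XXE).
        String xxeDoc = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"" + uri + "\">]>\n"
            + "<d>&xxe;</d>";

        // Constructed attacker stylesheet: document() pulls the file in at transform time.
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
            + "<xsl:template match=\"/\"><xsl:copy-of select=\"document('" + uri + "')\"/></xsl:template>"
            + "</xsl:stylesheet>";

        // Default parser expands the entity and hands the file content back to the caller;
        // the hardened parser stops at the DOCTYPE declaration.
        System.out.println(parseWith(permissiveBuilder(), xxeDoc));
        System.out.println(parseWith(hardenedBuilder(), xxeDoc));

        // Default transformer fetches the external document; the hardened one refuses access.
        System.out.println(transformWith(TransformerFactory.newInstance(), xslt, "<d/>"));
        System.out.println(transformWith(hardenedTransformerFactory(), xslt, "<d/>"));

        Files.delete(secret);
    }
}
```

Two practical notes. First, the feature and attribute calls throw if the underlying implementation does not support them, which is the behaviour you want: a factory that silently falls back to defaults is how a hardened build ends up shipping with XXE enabled when a different XML library lands on the classpath. Second, disallowing DOCTYPE is the only setting that also closes internal entity expansion attacks (the denial-of-service side of the JBoss advisory); the external-entity features alone do not.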