Atlassian Jira Server and Data Center is vulnerable to a server-side template injection in various resources. This vulnerability was introduced in version 4.4.x and affects versions as recent as 8.2.2 (released on 13 June 2019). CVE-2019–11581 has been assigned to track this vulnerability. Thousands of Jira Servers are potentially affected by this vulnerability and may … Continue reading “Atlassian Jira Server Template Injection Vulnerability”
Tag: RCE
Oracle WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2019-2729)
Recently a highly critical remote code execution vulnerability has been discovered in Oracle WebLogic application servers. On June 15, KnownSec 404 Team shared an advisory, according to them, the new vulnerability bypasses the latest Weblogic patch (CVE-2019-2725). An unauthenticated, remote attacker can send a crafted HTTP request to execute arbitrary commands on the Weblogic Servers. … Continue reading “Oracle WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2019-2729)”
Windows Kernel Elevation of Privilege Vulnerability: CVE-2018-8611
An elevation of privilege vulnerability in the Kernel Transaction Manager (KTM) driver . It is exploited via a race condition that occurs when file transaction in the kernel mode are not handled properly. Successful exploitation can lead to remote code execution on the target via browsers. it can be leveraged sandbox escape in browsers. CVE-2018-8611 has been assigned … Continue reading “Windows Kernel Elevation of Privilege Vulnerability: CVE-2018-8611”
BLEEDINGBIT Vulnerability
Two critical vulnerabilities have been discovered in BLE (Bluetooth Low Energy) chips manufactured by Texas Instruments (TI). The vulnerabilities have been named BLEEDINGBIT. As this vulnerability affects the BLE chips, any device using said hardware is a potential target for exploitation. The following CVEs have been assigned to track BLEEDINGBIT vulnerability. BLEEDINGBIT RCE vulnerability (CVE-2018-16986) BLEEDINGBIT … Continue reading “BLEEDINGBIT Vulnerability”
Cisco Webex Update Service Command Injection Vulnerability : CVE-2018-15442
A command injection vulnerability has been disclosed in Cisco Webex. Upon successful exploitation an attacker can execute arbitrary commands on the target machine. The vulnerability has been assigned CVE-2018-15442. The vulnerability has been named ‘WebExec‘. Cisco has addressed this issue in cisco-sa-20181024-webex-injection. The issue affects All Cisco Webex Meetings Desktop App releases prior to 33.6.0. … Continue reading “Cisco Webex Update Service Command Injection Vulnerability : CVE-2018-15442”
Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776
A remote code execution vulnerability was discovered in Apache Struts 2. The vulnerability in being tracked via CVE-2018-11776. Upon successful exploitation an attacker can gain remote execution on the target and ultimately take over the target machine. The issue affect all versions of Apache Struts 2, possibly even fixed versions where the settings are mis-configured. Apache has … Continue reading “Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776”
VBScript Engine Use-After-Free Vulnerability : CVE-2018-8373
A use-after-free (UAF) vulnerability has been discovered in the Windows VBScript engine. Upon successful exploitation an attacker can achieve remote code execution on the target. CVE-2018-8373 has been assigned to track this vulnerability. CVE-2018-8373 is being exploited in the wild similar to CVE-2018-8174. The issue affects Internet explorer 9-11 unless VBScript is disabled by default. … Continue reading “VBScript Engine Use-After-Free Vulnerability : CVE-2018-8373”
Oracle WebLogic Deserialization Vulnerability : CVE-2018-2893
A deserialization vulnerability in Oracle WebLogic has been disclosed by multiple 3rd party researchers and organizations. The vulnerability allows unauthenticated attackers to compromise WebLogic server via T3 protocol. The affected component is WLS Core components. Upon successful exploitation an attacker can take over the target server via remote code execution .CVE-2018-2893 has been assigned to … Continue reading “Oracle WebLogic Deserialization Vulnerability : CVE-2018-2893”
Git RCE Vulnerability : CVE-2018-11235
A remote code execution in Git has been discovered. CVE-2018-11235 has been assigned to track this vulnerability. Git 2.17.1 and Git for Windows 2.17.1 (2) address this vulnerability. Vulnerability submodule “names” from .gitmodule files are appended to $GIT_DIR/modules for on-disk repository paths. When we git clone a repository not all configuration files and hooks are received from … Continue reading “Git RCE Vulnerability : CVE-2018-11235”
Internet Explorer VBScript Use-After-Free Vulnerability: CVE-2018-8174
A Zero-Day vulnerability in VBScript was disclosed to Microsoft. The vulnerability was discovered as an active attack in the wild. The bug is in the VBScript engine used in Windows. Its classified as a Use-After-Free (UAF) vulnerability. CVE-2017-8174 is assigned to track this bug. Currently attackers are exploiting this vulnerability to execute shellcode and PowerShell … Continue reading “Internet Explorer VBScript Use-After-Free Vulnerability: CVE-2018-8174”