The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Fedora

computer vulnerability note CVE-2018-8032

Apache AXIS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Apache AXIS, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 23/08/2018.
Identifiers: CVE-2018-8032, FEDORA-2018-8a85ed2f10, openSUSE-SU-2018:3218-1, SUSE-SU-2018:3118-1, SUSE-SU-2018:3119-1, SUSE-SU-2018:3121-1, VIGILANCE-VUL-27069.

Description of the vulnerability

The Apache AXIS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Apache AXIS, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2018-15605

phpMyAdmin: Cross Site Scripting via File Import Warning Messages

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Import Warning Messages of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 22/08/2018.
Identifiers: CERTFR-2018-AVI-404, CVE-2018-15605, FEDORA-2018-f2b24ce26e, openSUSE-SU-2018:2523-1, openSUSE-SU-2018:2525-1, openSUSE-SU-2018:2525-2, PMASA-2018-5, VIGILANCE-VUL-27059.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter received data via warning messages before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via File Import Warning Messages of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin 26908

XStatic-jquery-ui: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of XStatic-jquery-ui, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 06/08/2018.
Identifiers: FEDORA-2018-2d2179e7d0, FEDORA-2018-f972c1b36e, VIGILANCE-VUL-26908.

Description of the vulnerability

The XStatic-jquery-ui product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of XStatic-jquery-ui, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2018-13049

GLPI: SQL injection via inc/search.class.php

Synthesis of the vulnerability

An attacker can use a SQL injection via inc/search.class.php of GLPI, in order to read or alter data.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 16/07/2018.
Identifiers: CVE-2018-13049, FEDORA-2018-c766d7c0f0, FEDORA-2018-cdccabb23d, VIGILANCE-VUL-26744.

Description of the vulnerability

The GLPI product uses a database.

However, user's data are directly inserted in a SQL query.

An attacker can therefore use a SQL injection via inc/search.class.php of GLPI, in order to read or alter data.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2018-0618

Mailman: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Mailman, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Fedora, openSUSE Leap, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 02/07/2018.
Identifiers: CVE-2018-0618, DLA-1442-1, DLA-1442-2, DSA-4246-1, FEDORA-2018-f8fd4c5798, JVN#00846677, openSUSE-SU-2018:1858-1, VIGILANCE-VUL-26594.

Description of the vulnerability

The Mailman product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Mailman, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2017-7656

Eclipse Jetty: information disclosure via HTTP/0.9 Request Smuggling

Synthesis of the vulnerability

An attacker can use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7656, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26533.

Description of the vulnerability

The Eclipse Jetty product offers a web service.

However, an attacker can bypass access restrictions to data.

An attacker can therefore use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2018-11627

Sinatra: Cross Site Scripting via Bad Request

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Bad Request of Sinatra, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 25/06/2018.
Identifiers: CVE-2018-11627, FEDORA-2018-0b17e1e529, FEDORA-2018-3f61c5cf7c, VIGILANCE-VUL-26509.

Description of the vulnerability

The Sinatra product offers a web service.

However, it does not filter received data via Bad Request before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Bad Request of Sinatra, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2018-12581

phpMyAdmin: Cross Site Scripting via Designer Feature

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES, WindRiver Linux.
Severity: 2/4.
Creation date: 22/06/2018.
Identifiers: CERTFR-2018-AVI-300, CVE-2018-12581, FEDORA-2018-68349e3094, openSUSE-SU-2018:1806-1, openSUSE-SU-2018:1809-1, PMASA-2018-3, VIGILANCE-VUL-26499.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter received data via Designer Feature before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2018-12232

Linux kernel: NULL pointer dereference via sock_close/sockfs_setattr

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via sock_close/sockfs_setattr of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, RHEL, Ubuntu.
Severity: 1/4.
Creation date: 13/06/2018.
Identifiers: CERTFR-2018-AVI-408, CERTFR-2018-AVI-413, CVE-2018-12232, FEDORA-2018-bb7aab12cb, RHSA-2018:2948-01, USN-3752-1, USN-3752-2, USN-3752-3, VIGILANCE-VUL-26414.

Description of the vulnerability

The Noyau Linux product offers a web service.

However, it does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced via sock_close/sockfs_setattr of the Linux kernel, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert 26101

CKEditor: Cross Site Scripting via Enhanced Image

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Enhanced Image of CKEditor, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 11/05/2018.
Identifiers: FEDORA-2018-107dbc8cf4, FEDORA-2018-1361f39801, FEDORA-2018-e29c7d10da, VIGILANCE-VUL-26101.

Description of the vulnerability

The CKEditor product offers a web service.

However, it does not filter received data via Enhanced Image before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Enhanced Image of CKEditor, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Fedora: