The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Fedora

computer vulnerability bulletin 26908

XStatic-jquery-ui: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of XStatic-jquery-ui, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 06/08/2018.
Identifiers: FEDORA-2018-2d2179e7d0, FEDORA-2018-f972c1b36e, VIGILANCE-VUL-26908.

Description of the vulnerability

The XStatic-jquery-ui product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of XStatic-jquery-ui, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2018-13049

GLPI: SQL injection via inc/search.class.php

Synthesis of the vulnerability

An attacker can use a SQL injection via inc/search.class.php of GLPI, in order to read or alter data.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 16/07/2018.
Identifiers: CVE-2018-13049, FEDORA-2018-c766d7c0f0, FEDORA-2018-cdccabb23d, VIGILANCE-VUL-26744.

Description of the vulnerability

The GLPI product uses a database.

However, user-supplied data is directly inserted into a SQL query.

An attacker can therefore use a SQL injection via inc/search.class.php of GLPI, in order to read or alter data.

vulnerability note CVE-2018-0618

Mailman: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Mailman, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Fedora, openSUSE Leap, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 02/07/2018.
Identifiers: CVE-2018-0618, DLA-1442-1, DLA-1442-2, DSA-4246-1, FEDORA-2018-f8fd4c5798, JVN#00846677, openSUSE-SU-2018:1858-1, VIGILANCE-VUL-26594.

Description of the vulnerability

The Mailman product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Mailman, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2017-7656

Eclipse Jetty: information disclosure via HTTP/0.9 Request Smuggling

Synthesis of the vulnerability

An attacker can use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager.
Severity: 2/4.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7656, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26533.

Description of the vulnerability

The Eclipse Jetty product offers a web service.

However, an attacker can bypass access restrictions to data.

An attacker can therefore use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.

computer vulnerability note CVE-2018-11627

Sinatra: Cross Site Scripting via Bad Request

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Bad Request of Sinatra, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 25/06/2018.
Identifiers: CVE-2018-11627, FEDORA-2018-0b17e1e529, FEDORA-2018-3f61c5cf7c, VIGILANCE-VUL-26509.

Description of the vulnerability

The Sinatra product offers a web service.

However, it does not filter data received via Bad Request before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Bad Request of Sinatra, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2018-12581

phpMyAdmin: Cross Site Scripting via Designer Feature

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES, WindRiver Linux.
Severity: 2/4.
Creation date: 22/06/2018.
Identifiers: CERTFR-2018-AVI-300, CVE-2018-12581, FEDORA-2018-68349e3094, openSUSE-SU-2018:1806-1, openSUSE-SU-2018:1809-1, PMASA-2018-3, VIGILANCE-VUL-26499.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter data received via the Designer Feature before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2018-12232

Linux kernel: NULL pointer dereference via sock_close/sockfs_setattr

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via sock_close/sockfs_setattr of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, Ubuntu.
Severity: 1/4.
Creation date: 13/06/2018.
Identifiers: CERTFR-2018-AVI-408, CERTFR-2018-AVI-413, CVE-2018-12232, FEDORA-2018-bb7aab12cb, USN-3752-1, USN-3752-2, USN-3752-3, VIGILANCE-VUL-26414.

Description of the vulnerability

The Linux kernel product offers a web service.

However, it does not check whether a pointer is NULL before using it.

An attacker can therefore force a NULL pointer to be dereferenced via sock_close/sockfs_setattr of the Linux kernel, in order to trigger a denial of service.

vulnerability alert 26101

CKEditor: Cross Site Scripting via Enhanced Image

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Enhanced Image of CKEditor, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 11/05/2018.
Identifiers: FEDORA-2018-107dbc8cf4, FEDORA-2018-1361f39801, FEDORA-2018-e29c7d10da, VIGILANCE-VUL-26101.

Description of the vulnerability

The CKEditor product offers a web service.

However, it does not filter data received via Enhanced Image before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Enhanced Image of CKEditor, in order to run JavaScript code in the context of the web site.

vulnerability alert CVE-2018-7033

Slurm: SQL injection via SlurmDBD

Synthesis of the vulnerability

An attacker can use a SQL injection via SlurmDBD of Slurm, in order to read or alter data.
Impacted products: Debian, Fedora.
Severity: 2/4.
Creation date: 28/03/2018.
Identifiers: CVE-2018-7033, DLA-1367-1, DLA-1437-1, DLA-1437-2, DSA-4254-1, FEDORA-2018-df1a571a34, VIGILANCE-VUL-25671.

Description of the vulnerability

The Slurm product uses a database.

However, user-supplied data is directly inserted into a SQL query.

An attacker can therefore use a SQL injection via SlurmDBD of Slurm, in order to read or alter data.

computer vulnerability note CVE-2018-7563

GLPI: Cross Site Scripting via front/preference.php

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via front/preference.php of GLPI, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 28/03/2018.
Identifiers: CVE-2018-7563, FEDORA-2018-1b67b3a3a3, FEDORA-2018-b0f6a5bdbc, VIGILANCE-VUL-25669.

Description of the vulnerability

The GLPI product offers a web service.

However, it does not filter data received via front/preference.php before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via front/preference.php of GLPI, in order to run JavaScript code in the context of the web site.