CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 3CVE-2018-16156 – PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-16156
In PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), the FJTWSVIC service running with SYSTEM privilege processes unauthenticated messages received over the FjtwMkic_Fjicube_32 named pipe. One of these message processing functions attempts to dynamically load the UninOldIS.dll library and executes an exported function named ChangeUninstallString. The default install does not contain this library and therefore if any DLL with that name exists in any directory listed in the PATH variable, it can be used to escalate to SYSTEM level privilege. En PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), el servicio FJTWSVIC que se ejecuta con el privilegio de SYSTEM procesa los mensajes no autenticados recibidos a través de la tubería con nombre FjtwMkic_Fjicube_32. Una de estas funciones de procesamiento de mensajes intenta cargar dinámicamente la biblioteca UninOldIS.dll y ejecuta una función exportada llamada ChangeUninstallString. • https://www.exploit-db.com/exploits/49382 https://github.com/securifera/CVE-2018-16156-Exploit http://packetstormsecurity.com/files/160832/PaperStream-IP-TWAIN-1.42.0.5685-Local-Privilege-Escalation.html https://www.securifera.com/advisories/cve-2018-16156 • CWE-426: Untrusted Search Path •
CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 1CVE-2019-9835
https://notcve.org/view.php?id=CVE-2019-9835
The receiver (aka bridge) component of Fujitsu Wireless Keyboard Set LX901 GK900 devices allows Keystroke Injection. This occurs because it accepts unencrypted 2.4 GHz packets, even though all legitimate communication uses AES encryption. El componente del recibidor (también conocido como bridge) de los dispositivos Fujitsu Wireless Keyboard Set LX901 y GK900 permite la inyección de pulsaciones de tecla. Esto ocurre porque acepta paquetes de 2.4 GHz sin cifrar, incluso aunque todas las comunicaciones legítimas emplean el cifrado AES. • http://www.securityfocus.com/bid/107440 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-033.txt •
CVSS: 5.9EPSS: 0%CPEs: 55EXPL: 3CVE-2019-6111 – OpenSSH SCP Client - Write Arbitrary Files
https://notcve.org/view.php?id=CVE-2019-6111
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). • https://www.exploit-db.com/exploits/46516 https://www.exploit-db.com/exploits/46193 http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html http://www.openwall.com/lists/oss-security/2019/04/18/1 http://www.openwall.com/lists/oss-security/2022/08/02/1 http://www.securityfocus.com/bid/106741 https://access.redhat.com/errata/RHSA-2019:3702 https://bugzilla.redhat.com/show_bug.cgi?id=1677794 https://cert-portal.siemens.com/productcert/pdf/ssa-412672&# • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 51EXPL: 0CVE-2019-6109 – openssh: Missing character encoding in progress display allows for spoofing of scp client output
https://notcve.org/view.php?id=CVE-2019-6109
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. Se ha descubierto un problema en OpenSSH 7.9. Debido a la falta de cifrado de caracteres en la pantalla de progreso, un servidor malicioso (o atacante Man-in-the-Middle) puede emplear nombres de objeto manipulados para manipular la salida del cliente, por ejemplo, empleando códigos de control de ANSI para ocultar los archivos adicionales que se están transfiriendo. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html https://access.redhat.com/errata/RHSA-2019:3702 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G https:// • CWE-116: Improper Encoding or Escaping of Output CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 5.3EPSS: 0%CPEs: 56EXPL: 0CVE-2018-20685 – openssh: scp client improper directory name validation
https://notcve.org/view.php?id=CVE-2018-20685
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. En OpenSSH 7.9, scp.c en el cliente scp permite que los servidores SSH omitan las restricciones de acceso planeadas mediante un nombre de archivo "." o un nombre de archivo vacío. El impacto consiste en modificar los permisos del directorio objetivo en el lado del cliente. • http://www.securityfocus.com/bid/106531 https://access.redhat.com/errata/RHSA-2019:3702 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198&f=h https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2 https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html https://security.gentoo.org/glsa/201903-16 https://security.gentoo.org/glsa/202007- • CWE-20: Improper Input Validation CWE-863: Incorrect Authorization •