The OpenType ATMFD.DLL kernel-mode font driver on Windows has an undocumented "escape" interface, handled by the standard DrvEscape and DrvFontManagement functions implemented by the module. The interface is very similar to Buffered IOCTL in nature, and handles 13 different operation codes in the numerical range of 0x2502 to 0x2514. It is accessible to user-mode applications through an exported (but not documented) gdi32!NamedEscape function, which internally invokes the NtGdiExtEscape syscall.
e5ec99dd5f0ff5dc50fbd672fb369b25b1475f0428bbe0cafb6446272f611616
The Microsoft Windows kernel pool address is leaked via an undocumented GetFontData feature in ATMFD.
4ae4fb5d8cbd507e3447721fd51082bffd9323c200e7877477655e1aa4e15c0f
The enlightened lockdown policy check for COM Class instantiation can be bypassed in Scriptlet hosts leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).
0a5bddd8f4ee903a132da519d294e7d062747a20ed0b075e6bb7f8fecc61a6ff
CA Identity Governance version 12.6 suffers from a cross site scripting vulnerability.
aad777eb35b7f0095b61e0b61482090142d26c18db84ef8693c72377ea6cf30b
Many Vivotek IP cameras suffer from a remote stack overflow vulnerability. Device models include CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, and VC8101.
71b66ef8a75c88f47a5fd31b62fc8f98a8a75e48182e0b0e2d2cae1901cc3693
Anti-Virus solutions are split into several different components (an unprivileged user mode part, a privileged user mode part and a kernel component). Logically the different systems talk to each other. By abusing NTFS directory junctions it is possible from the unprivileged user mode part ("the UI") to restore files from the virus quarantine with the permissions of the privileged user mode part ("Windows service"). This may results in a privileged file write vulnerability.
7e5e2eeec5863b5ec1f6f099ae65481e3ec78f2df7b81c96f35a7b5b269bbcd5
Red Hat Security Advisory 2017-3200-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket could use this flaw to elevate their privileges on the system.
2ed8a67f11427e2d2b9d276e27f1f3887b343d36c2da2af2fbeeaf1a4deb0cdc
Red Hat Security Advisory 2017-3221-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: A null pointer dereference flaw was found in libgd. An attacker could use a specially-crafted .gd2 file to cause an application linked with libgd to crash, leading to denial of service. An integer overflow flaw, leading to a heap-based buffer overflow was found in the way libgd read some specially-crafted gd2 files. A remote attacker could use this flaw to crash an application compiled with libgd or in certain cases execute arbitrary code with the privileges of the user running that application.
c46af562f56ec06eef4a10c3f008756691db8bca10ed5bafc3dbe1b14013cd5a
Red Hat Security Advisory 2017-3226-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Security Fix: A permissions flaw was found in redis, which sets weak permissions on certain files and directories that could potentially contain sensitive information. A local, unprivileged user could possibly use this flaw to access unauthorized system information.
d243d613a6b1e17c1814b834795370d8cf1a9d36c92a3a15a61331bb3068238a
Red Hat Security Advisory 2017-3222-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 27.0.0.187. Security Fix: This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.
7354d0085314c302225bad8692adcdb2b9de57ae2c7d179a1230d71ab35d8f54
Ulterius Server version prior to 1.9.5.0 suffer from a directory traversal vulnerability.
6cab2996d076aebf02646c924bcd8e6c8185e37ed027569c27bf457101d55e27
Allworx Server Manager versions 6x, 6x12, and 48x suffer from multiple cross site scripting vulnerabilities.
88af8cdcdd96c920dc9e23ca1fa08d58d77df2da164b57775e168335b6c5be46
This Microsoft bulletin summary holds information regarding Microsoft security updates for November, 2017.
becb9e788458f3cbc095293872a02785357f6f1c7e04f6cf57e69eae8c093b84
Red Hat Security Advisory 2017-3216-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.18 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.17, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
c6839de8a7da1f314e91840d5a632b506a67a6e3f704330ce58b280c3242fb70
Red Hat Security Advisory 2017-3220-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.18 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.17, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
e4a78fc5dd316852065b2ffb1f78fd8359e8375e643906abe6ce03614baf20d7
Red Hat Security Advisory 2017-3217-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.18 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.17, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
642456f59d91ec99fa56c6667d3563e8e85ea2d34721d5ebfd28da86dbaa2c01
Red Hat Security Advisory 2017-3219-01 - The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services Elastic Compute Cloud. With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.18. Security Fix: It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
4fbc9b62148f904eb99306f68c91d1356ebb1fa47fc1cd572011cf324db88987
Red Hat Security Advisory 2017-3218-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.18 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.17, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
982adb962a8420d4182204aa1ef9af6c92b8c6ecc8970c607eb72cbcf87ccf48
Dup Scout Enterprise version 10.0.18 'Login' buffer overflow exploit.
bfcefabba134afcd83732d02efecadeec8b935e44a63f63793cf3af30cd26ba4