CVE-2018-1188
published 2018-03-26CVE-2018-1188: Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and versions 7.2.1.x is affected by a cross-site scripting…
PriorityP423medium4.8CVSS 3.0
AVNACLPRHUIRSCCLILAN
EXPLOIT
EPSS
1.90%
77.1th percentile
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and versions 7.2.1.x is affected by a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | emc_isilon | 7.2.1.0 – 7.2.1.6 | — |
| dell | emc_isilon | 8.0.0.0 – 8.0.0.6 | — |
| dell | emc_isilon | 8.0.1.0 – 8.0.1.2 | — |
| dell | emc_isilon | 8.1.0.0 – 8.1.0.1 | — |
| dell_emc | isilon_onefs | — | — |
| electron | electron | >= 1.7.0 < 1.7.16 | 1.7.16 |
| electron | electron | >= 1.8.0 < 1.8.8 | 1.8.8 |
| electron | electron | >= 2.0.0 < 2.0.8 | 2.0.8 |
| electron | electron | >= 3.0.0-beta.1 < 3.0.0-beta.7 | 3.0.0-beta.7 |
CVSS provenance
nvdv3.04.8MEDIUMCVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x8vm-x4jp-2234: Dell EMC Isilon versions between 8
ghsa_unreviewed·2022-05-14
CVE-2018-1188 [MEDIUM] CWE-79 GHSA-x8vm-x4jp-2234: Dell EMC Isilon versions between 8
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and versions 7.2.1.x is affected by a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website.
GHSA
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins
ghsa·2018-10-17
CVE-2018-8014 [CRITICAL] CWE-1188 The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
GHSA
Electron webPreferences vulnerability can be used to perform remote code execution
ghsa·2018-08-23
CVE-2018-15685 [HIGH] CWE-1188 Electron webPreferences vulnerability can be used to perform remote code execution
Electron webPreferences vulnerability can be used to perform remote code execution
GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a webPreferences vulnerability that can be leveraged to perform remote code execution.
More information to determine if you are impacted can be found on the [electron blog](https://electronjs.org/blog/web-preferences-fix).
## Recommendation
Upgrade Electron to >=3.0.0-beta.7, >=2.0.8, >=1.8.8, or >=1.7.16.
No detection rules found.
Bugzilla
CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
bugzilla·2018-04-17·CVSS 3.1
CVE-2018-2790 [LOW] CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
It was discovered that the Security component of OpenJDK did not correctly perform merging of multiple sections for the same file listed in the JAR archive file manifest. An attacker could possibly use this flaw to alter certain attributes specified in the manifest without changing archive signature.
Discussion:
Public now via Oracle CPU April 2018:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA
The issue was fixed in Oracle JDK 10.0.1, 8u171, 7u181, and 6u191.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2018:1188 https://access.redhat.com/errata/RHSA-2018:1188
---
This issue has been addressed
Bugzilla
CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
bugzilla·2018-04-14·CVSS 5.3
CVE-2018-2815 [MEDIUM] CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
It was discovered that the implementation of the StubIORImpl class in the Serialization component of OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.
Discussion:
Public now via Oracle CPU April 2018:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA
The issue was fixed in Oracle JDK 10.0.1, 8u171, 7u181, and 6u191.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2018:1188 https://access.redhat.com/errata/RHSA-2018:
Bugzilla
CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
bugzilla·2018-04-14·CVSS 5.3
CVE-2018-2798 [MEDIUM] CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
It was discovered that the implementation of the Container class in the AWT component of OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.
Discussion:
Public now via Oracle CPU April 2018:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA
The issue was fixed in Oracle JDK 10.0.1, 8u171, 7u181, and 6u191.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2018:1188 https://access.redhat.com/errata/RHSA-2018:1188
---
This issue ha
http://seclists.org/fulldisclosure/2018/Mar/50http://www.securityfocus.com/bid/103033https://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilitieshttps://www.exploit-db.com/exploits/44039/http://seclists.org/fulldisclosure/2018/Mar/50http://www.securityfocus.com/bid/103033https://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilitieshttps://www.exploit-db.com/exploits/44039/
2018-03-26
Published