author | Mark Felder <feld@FreeBSD.org> | 2018-09-11 16:10:30 +0000 |
---|---|---|
committer | Mark Felder <feld@FreeBSD.org> | 2018-09-11 16:10:30 +0000 |
commit | 6f6f767d3c044ff3a22b1e4420ea39f589c95798 (patch) | |
tree | c06319ed8dcd1196aff4cee41a5020642a7846ef /security | |
parent | 2b20bd1e65ae23c6178cffaecd896d6514c436d1 (diff) | |
download | ports-6f6f767d3c044ff3a22b1e4420ea39f589c95798.tar.gz ports-6f6f767d3c044ff3a22b1e4420ea39f589c95798.zip |
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 33e3903c8f92..5634b054fc10 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,43 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="337960ec-b5dc-11e8-ac58-a4badb2f4699"> + <topic>Plex Media Server -- Information Disclosure Vulnerability</topic> + <affects> + <package> + <name>plexmediaserver</name> + <range><lt>1.13.5.5332</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chris reports:</p> + <blockquote cite="https://seclists.org/fulldisclosure/2018/Aug/1"> + <p>The XML parsing engine for Plex Media Server's SSDP/UPNP + functionality is vulnerable to an XML External Entity + Processing (XXE) attack. Unauthenticated attackers on the same LAN can + use this vulnerability to:</p> + <li> + <ul>Access arbitrary files from the filesystem with the same permission as + the user account running Plex.</ul> + <ul>Initiate SMB connections to capture NetNTLM challenge/response and + crack to clear-text password.</ul> + <ul>Initiate SMB connections to relay NetNTLM challenge/response and + achieve Remote Command Execution in Windows domains.</ul> + </li> + </blockquote> + </body> + </description> + <references> + <url>https://seclists.org/fulldisclosure/2018/Aug/1</url> + <cvename>CVE-2018-13415</cvename> + </references> + <dates> + <discovery>2018-08-01</discovery> + <entry>2018-09-11</entry> + </dates> + </vuln> + <vuln vid="f00acdec-b59f-11e8-805d-001e2a3f778d"> <topic>X11 Session -- SDDM allows unauthorised unlocking</topic> <affects> |
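Review bot: the list markup inside the `<blockquote>` of the new plexmediaserver entry is inverted: `<li>` is used as the container and each of the three impact items is wrapped in `<ul>`. That is not valid XHTML (`<li>` cannot be a direct child of `<blockquote>`, and `<ul>` cannot hold text directly), so the items will not render as a list. Swap the tags so a single `<ul>` wraps three `<li>` items. A smaller point on the `<topic>` line: it reads "Information Disclosure Vulnerability", while the quoted advisory describes XXE and lists NetNTLM relay leading to Remote Command Execution in Windows domains; a topic that names XXE would not understate the impact for readers scanning topics only.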