Weekly Vulnerabilities Reports > February 5 to 11, 2018

Overview

318 new vulnerabilities reported during this period, including 28 critical vulnerabilities and 67 high severity vulnerabilities. This weekly summary report vulnerabilities in 344 products from 142 vendors including Debian, Google, Quest, Jiangmin, and Cisco. Vulnerabilities are notably categorized as "Improper Input Validation", "Cross-site Scripting", "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Information Exposure".

  • 264 reported vulnerabilities are remotely exploitables.
  • 26 reported vulnerabilities have public exploit available.
  • 112 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 262 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 37 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

28 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-02-09 CVE-2018-1000043 Securityonion OS Command Injection vulnerability in Securityonion Squert

Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in .inc/callback.php that can result in execution of OS Commands.

10.0
2018-02-09 CVE-2018-1000042 Securityonion OS Command Injection vulnerability in Securityonion Squert

Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in .inc/callback.php that can result in execution of OS Commands.

10.0
2018-02-09 CVE-2018-6825 Omninova USE of Hard-Coded Credentials vulnerability in Omninova Vobot Firmware

An issue was discovered on VOBOT CLOCK before 0.99.30 devices.

10.0
2018-02-08 CVE-2012-2166 IBM USE of Hard-Coded Credentials vulnerability in IBM products

IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors.

10.0
2018-02-08 CVE-2018-1163 Quest Unspecified vulnerability in Quest Netvault Backup 11.2.0.13

This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Quest NetVault Backup 11.2.0.13.

10.0
2018-02-08 CVE-2018-1161 Quest Improper Input Validation vulnerability in Quest Netvault Backup 11.2.0.13

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.2.0.13.

10.0
2018-02-08 CVE-2018-0514 Futomi OS Command Injection vulnerability in Futomi MP Form Mail CGI

MP Form Mail CGI eCommerce Edition Ver 2.0.13 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

10.0
2018-02-08 CVE-2018-0125 Cisco Improper Input Validation vulnerability in Cisco Rv132W Firmware and Rv134W Firmware

A vulnerability in the web interface of the Cisco RV132W ADSL2+ Wireless-N VPN and RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges.

10.0
2018-02-07 CVE-2018-6823 Mailbutler Unspecified vulnerability in Mailbutler Shimo

In the VPN client in Mailbutler Shimo before 4.1.5.1 on macOS, the com.feingeist.shimo.helper tool LaunchDaemon implements an unprotected XPC service that can be abused to execute scripts as root.

10.0
2018-02-07 CVE-2018-6822 Purevpn Unspecified vulnerability in Purevpn

In PureVPN 6.0.1 on macOS, HelperTool LaunchDaemon implements an unprotected XPC service that can be abused to execute system commands as root.

10.0
2018-02-06 CVE-2018-4877 Adobe
Apple
Linux
Microsoft
Redhat
Google
USE After Free vulnerability in Adobe Flash Player

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161.

10.0
2018-02-06 CVE-2018-6289 Kaspersky Injection vulnerability in Kaspersky Secure Mail Gateway 1.1

Configuration file injection leading to Code Execution as Root in Kaspersky Secure Mail Gateway version 1.1.

10.0
2018-02-06 CVE-2018-6569 West Wind Improper Authentication vulnerability in West-Wind web Connection

West Wind Web Server 6.x does not require authentication for /ADMIN.ASP.

10.0
2018-02-08 CVE-2013-3553 Nitropdf Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nitropdf Nitro PRO and Nitro Reader

Nitro Pro 7.5.0.22 and earlier and Nitro Reader 2.5.0.36 and earlier allow remote attackers to execute arbitrary code via a crafted PDF file.

9.3
2018-02-08 CVE-2013-3552 Nitropdf Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nitropdf Nitro PRO and Nitro Reader

Nitro Pro 7.5.0.29 and earlier and Nitro Reader 2.5.0.45 and earlier allow remote attackers to execute arbitrary code via a crafted PDF file.

9.3
2018-02-08 CVE-2013-2830 Sumatrapdfreader USE After Free vulnerability in Sumatrapdfreader Sumatrapdf

Use-after-free vulnerability in SumatraPDF Reader 2.x before 2.2.1 allows remote attackers to execute arbitrary code via a crafted PDF file.

9.3
2018-02-08 CVE-2012-5360 Ffmpeg Improper Input Validation vulnerability in Ffmpeg

Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted QT file.

9.3
2018-02-08 CVE-2012-5359 Ffmpeg Improper Input Validation vulnerability in Ffmpeg

Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted ASF file.

9.3
2018-02-07 CVE-2017-15400 Google Crlf Injection vulnerability in Google Chrome OS

Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue.

9.3
2018-02-06 CVE-2014-5280 Boot2Docker Cross-Site Request Forgery (CSRF) vulnerability in Boot2Docker

boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication.

9.3
2018-02-05 CVE-2018-6651 Uncurl Project
Parsecgaming
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions.

9.3
2018-02-05 CVE-2015-1418 Freebsd Information Exposure vulnerability in Freebsd 10.1/10.2

The do_ed_script function in pch.c in GNU patch through 2.7.6, and patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before 10.2-BETA2-p3, 10.2-RC1 before 10.2-RC1-p2, and 0.2-RC2 before 10.2-RC2-p1, allows remote attackers to execute arbitrary commands via a crafted patch file, because a '!' character can be passed to the ed program.

9.3
2018-02-05 CVE-2015-1416 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.0/10.1/10.2

Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file.

9.3
2018-02-05 CVE-2018-6461 March Hare
Microsoft
Untrusted Search Path vulnerability in March-Hare Wincvs

March Hare WINCVS before 2.8.01 build 6610, and CVS Suite before 2009R2 build 6610, contains an Insecure Library Loading vulnerability in the wincvs2.exe or wincvs.exe file, which may allow local users to gain privileges via a Trojan horse Python or TCL DLL file in the current working directory.

9.3
2018-02-09 CVE-2018-1000019 Open EMR OS Command Injection vulnerability in Open-Emr Openemr 5.0.0

OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role.

9.0
2018-02-06 CVE-2017-17996 Flexense Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Flexense Syncbreeze

A buffer overflow vulnerability in "Add command" functionality exists in Flexense SyncBreeze Enterprise <= 10.3.14.

9.0
2018-02-06 CVE-2014-5279 Boot2Docker Improper Access Control vulnerability in Boot2Docker

The Docker daemon managed by boot2docker 1.2 and earlier improperly enables unauthenticated TCP connections by default, which makes it easier for remote attackers to gain privileges or execute arbitrary code from children containers.

9.0
2018-02-05 CVE-2018-5796 Extremewireless Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

9.0

67 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-02-08 CVE-2018-1162 Quest Unspecified vulnerability in Quest Netvault Backup 11.2.0.13

This vulnerability allows remote attackers to create a denial-of-service condition on vulnerable installations of Quest NetVault Backup 11.2.0.13.

8.5
2018-02-08 CVE-2018-0117 Cisco Improper Input Validation vulnerability in Cisco ASR 5000 Firmware and ASR 5500 Firmware

A vulnerability in the ingress packet processing functionality of the Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) Software could allow an unauthenticated, remote attacker to cause both control function (CF) instances on an affected system to reload, resulting in a denial of service (DoS) condition.

7.8
2018-02-08 CVE-2018-0512 Iodata OS Command Injection vulnerability in Iodata products

Devices with IP address setting tool "MagicalFinder" provided by I-O DATA DEVICE, INC.

7.7
2018-02-09 CVE-2018-6826 Omninova Unspecified vulnerability in Omninova Vobot Firmware

An issue was discovered on VOBOT CLOCK before 0.99.30 devices.

7.6
2018-02-08 CVE-2014-8985 Microsoft Buffer Errors vulnerability in Microsoft Internet Explorer 11

Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-4145.

7.6
2018-02-08 CVE-2014-4145 Microsoft Buffer Errors vulnerability in Microsoft Internet Explorer 11

Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-8985.

7.6
2018-02-08 CVE-2014-4112 Microsoft Buffer Errors vulnerability in Microsoft Internet Explorer 11

Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0304.

7.6
2018-02-08 CVE-2014-4066 Microsoft Buffer Errors vulnerability in Microsoft Internet Explorer 11

Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, CVE-2014-2802, and CVE-2014-2806.

7.6
2018-02-11 CVE-2018-6892 Cloudme Buffer Errors vulnerability in Cloudme Sync 1.10.9

An issue was discovered in CloudMe before 1.11.0.

7.5
2018-02-11 CVE-2017-18174 Linux Double Free vulnerability in Linux Kernel

In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.

7.5
2018-02-09 CVE-2018-1000059 Validformbuilder Deserialization of Untrusted Data vulnerability in Validformbuilder Validform Builder 4.5.4

ValidFormBuilder version 4.5.4 contains a PHP Object Injection vulnerability in Valid Form unserialize method that can result in Possible to execute unauthorised system commands remotely and disclose file contents in file system.

7.5
2018-02-09 CVE-2018-1000044 Securityonion SQL Injection vulnerability in Securityonion Squert

Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a SQL Injection vulnerability in .inc/callback.php that can result in execution of SQL commands.

7.5
2018-02-09 CVE-2018-3601 Trendmicro Improper Authentication vulnerability in Trendmicro Control Manager 6.0

A password hash usage authentication bypass vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to bypass authentication on vulnerable installations.

7.5
2018-02-08 CVE-2018-6789 Exim
Debian
Canonical
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1.

7.5
2018-02-08 CVE-2011-4889 IBM 7PK - Security Features vulnerability in IBM Websphere Application Server

The javax.naming.directory.AttributeInUseException class in the Virtual Member Manager in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 does not properly update passwords on a configuration using Tivoli Directory Server, which might allow remote attackers to gain access to an application by leveraging knowledge of an old password.

7.5
2018-02-08 CVE-2017-17659 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17658 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17657 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17656 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17655 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17654 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17653 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17652 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17425 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17424 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17423 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17422 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17421 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17420 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17419 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17418 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17417 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17416 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17415 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17414 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17413 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2017-17412 Quest SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12.

7.5
2018-02-08 CVE-2018-6836 Wireshark Release of Invalid Pointer OR Reference vulnerability in Wireshark

The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an uninitialized memory address, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

7.5
2018-02-08 CVE-2018-6835 Etherpad Improper Input Validation vulnerability in Etherpad

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions.

7.5
2018-02-07 CVE-2017-12472 CCN Lite Null Pointer Dereference vulnerability in Ccn-Lite

ccnl-ext-mgmt.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging missing NULL pointer checks after ccnl_malloc.

7.5
2018-02-07 CVE-2017-12471 CCN Lite Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ccn-Lite

The cnb_parse_lev function in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging failure to check for out-of-bounds conditions, which triggers an invalid read in the hexdump function.

7.5
2018-02-07 CVE-2017-12470 CCN Lite Integer Overflow OR Wraparound vulnerability in Ccn-Lite

Integer overflow in the ndn_parse_sequence function in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors involving the typ and vallen variables.

7.5
2018-02-07 CVE-2017-12469 CCN Lite Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ccn-Lite

Buffer overflow in util/ccnl-common.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging incorrect memory allocation.

7.5
2018-02-07 CVE-2017-12468 CCN Lite Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ccn-Lite

Buffer overflow in ccn-lite-ccnb2xml.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors involving the vallen and len variables.

7.5
2018-02-07 CVE-2017-12466 CCN Lite Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ccn-Lite

CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors related to ssl_halen when running ccn-lite-sim, which trigger an out-of-bounds access.

7.5
2018-02-07 CVE-2017-12465 CCN Lite Integer Overflow OR Wraparound vulnerability in Ccn-Lite

Multiple integer overflows in CCN-lite before 2.00 allow context-dependent attackers to have unspecified impact via vectors involving the (1) vallen variable in the iottlv_parse_sequence function or (2) typ, vallen and i variables in the localrpc_parse function.

7.5
2018-02-06 CVE-2018-4878 Adobe
Apple
Linux
Microsoft
Redhat
Google
USE After Free vulnerability in Adobe Flash Player

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161.

7.5
2018-02-06 CVE-2018-6758 Unbit Out-Of-Bounds Write vulnerability in Unbit Uwsgi

The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through 2.0.15 has a stack-based buffer overflow via a large directory length.

7.5
2018-02-06 CVE-2016-3957 Web2Py Deserialization of Untrusted Data vulnerability in Web2Py

The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

7.5
2018-02-06 CVE-2016-3953 Web2Py USE of Hard-Coded Credentials vulnerability in Web2Py

The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.

7.5
2018-02-06 CVE-2017-17663 Acme Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Acme Mini Httpd and Thttpd

The htpasswd implementation of mini_httpd before v1.28 and of thttpd before v2.28 is affected by a buffer overflow that can be exploited remotely to perform code execution.

7.5
2018-02-06 CVE-2017-6199 Sandstorm Improper Authentication vulnerability in Sandstorm

A remote attacker could bypass the Sandstorm organization restriction before build 0.203 via a comma in an email-address field.

7.5
2018-02-06 CVE-2017-7525 Fasterxml
Debian
Apache
Netapp
Redhat
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

7.5
2018-02-06 CVE-2017-15095 Fasterxml
Debian
Redhat
Deserialization of Untrusted Data vulnerability in multiple products

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

7.5
2018-02-06 CVE-2016-6813 Apache KEY Management Errors vulnerability in Apache Cloudstack

Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API.

7.5
2018-02-05 CVE-2018-6609 JSP Tickets Project SQL Injection vulnerability in JSP Tickets Project JSP Tickets 1.1

SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.

7.5
2018-02-05 CVE-2018-6605 ZH Baidumap Project SQL Injection vulnerability in ZH Baidumap Project ZH Baidumap 3.0.0.1

SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.

7.5
2018-02-05 CVE-2018-6604 ZH Yandexmap Project SQL Injection vulnerability in ZH Yandexmap Project ZH Yandexmap 6.2.1.0

SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request.

7.5
2018-02-05 CVE-2018-6582 ZH Googlemap Project SQL Injection vulnerability in ZH Googlemap Project ZH Googlemap 8.4.0.0

SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.

7.5
2018-02-05 CVE-2018-6624 Omron Forced Browsing vulnerability in Omron NS Series Firmware

OMRON NS devices 1.1 through 1.3 allow remote attackers to bypass authentication via a direct request to the .html file for a specific screen, as demonstrated by monitor.html.

7.5
2018-02-05 CVE-2018-5442 Fujielectric Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Fujielectric V-Server VPR Firmware

A Stack-based Buffer Overflow issue was discovered in Fuji Electric V-Server VPR 4.0.1.0 and prior.

7.5
2018-02-05 CVE-2015-4412 Bson Project Resource Exhaustion vulnerability in Bson Project Bson 3.0.3

BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.

7.5
2018-02-07 CVE-2017-1692 IBM Unspecified vulnerability in IBM AIX

IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges.

7.2
2018-02-07 CVE-2018-6791 KDE
Debian
OS Command Injection vulnerability in multiple products

An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0.

7.2
2018-02-06 CVE-2018-6290 Kaspersky Unspecified vulnerability in Kaspersky Secure Mail Gateway 1.1

Local Privilege Escalation in Kaspersky Secure Mail Gateway version 1.1.

7.2
2018-02-06 CVE-2017-6279 Google Out-Of-Bounds Write vulnerability in Google Android

NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process.

7.2
2018-02-06 CVE-2017-6258 Google Out-Of-Bounds Write vulnerability in Google Android

NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process.

7.2

202 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-02-09 CVE-2015-1862 Abrt Project Race Condition vulnerability in Abrt Project Abrt

The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namedspaced environment.

6.9
2018-02-06 CVE-2018-5457 Vyaire
Microsoft
Uncontrolled Search Path Element vulnerability in Vyaire Carefusion Upgrade Utility 2.0.2.2

A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions.

6.9
2018-02-09 CVE-2018-1000053 Limesurvey Cross-Site Request Forgery (CSRF) vulnerability in Limesurvey 3.0.0

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable.

6.8
2018-02-09 CVE-2018-1000051 Artifex
Debian
USE After Free vulnerability in multiple products

Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution.

6.8
2018-02-09 CVE-2018-1000050 STB Vorbis Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in STB Vorbis Project STB Vorbis

Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer Overflow vulnerability in All vorbis decoding paths.

6.8
2018-02-09 CVE-2018-1000048 Nasa Deserialization of Untrusted Data vulnerability in Nasa Rtretrievalframework 1.0

NASA RtRetrievalFramework version v1.0 contains a CWE-502 vulnerability in Data retrieval functionality of RtRetrieval framework that can result in remote code execution.

6.8
2018-02-09 CVE-2018-1000047 Nasa Deserialization of Untrusted Data vulnerability in Nasa Kodiak 1.0

NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak library's data processing function that can result in remote code execution.

6.8
2018-02-09 CVE-2018-1000046 Nasa Deserialization of Untrusted Data vulnerability in Nasa Pyblock

NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in Radar data parsing library that can result in remote code execution.

6.8
2018-02-09 CVE-2018-1000045 Nasa Deserialization of Untrusted Data vulnerability in Nasa Singledop 1.0

NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA Singledop library (Weather data) that can result in remote code execution.

6.8
2018-02-09 CVE-2018-1000035 Unzip Project Out-Of-Bounds Write vulnerability in Unzip Project Unzip 5.51/5.52/6.0

A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.

6.8
2018-02-09 CVE-2018-1000032 Info ZIP Out-Of-Bounds Write vulnerability in Info-Zip Unzip 6.10C22

A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.

6.8
2018-02-09 CVE-2018-1000031 Info ZIP Out-Of-Bounds Write vulnerability in Info-Zip Unzip 6.10C22

A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.

6.8
2018-02-09 CVE-2018-1000026 Linux
Canonical
Redhat
Debian
Improper Input Validation vulnerability in multiple products

Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line.

6.8
2018-02-09 CVE-2018-1000025 Firebase Admin SDK FOR PHP Project Incorrect Permission Assignment FOR Critical Resource vulnerability in Firebase Admin SDK FOR PHP Project Firebase Admin SDK FOR PHP

Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air.

6.8
2018-02-09 CVE-2018-1000021 GIT SCM Improper Input Validation vulnerability in Git-Scm GIT

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE.

6.8
2018-02-09 CVE-2018-1307 Apache XXE vulnerability in Apache Juddi

In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks.

6.8
2018-02-09 CVE-2018-6827 Omninova Improper Certificate Validation vulnerability in Omninova Vobot Firmware

VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded --no-check-certificate Wget option.

6.8
2018-02-08 CVE-2018-0517 Kddi Untrusted Search Path vulnerability in Kddi Anshin NET Security

Untrusted search path vulnerability in Anshin net security for Windows Version 16.0.1.44 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2018-02-07 CVE-2017-5133 Google
Debian
Out-Of-Bounds Write vulnerability in Google Chrome

Off-by-one read/write on the heap in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to corrupt memory and possibly leak information and potentially execute code via a crafted PDF file.

6.8
2018-02-07 CVE-2017-5132 Google
Debian
Buffer Errors vulnerability in Google Chrome

Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka incorrect WebAssembly stack manipulation.

6.8
2018-02-07 CVE-2017-5131 Google
Debian
Integer Overflow OR Wraparound vulnerability in Google Chrome

An integer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an out-of-bounds write.

6.8
2018-02-07 CVE-2017-5130 Google
Debian
Xmlsoft
Out-Of-Bounds Write vulnerability in Google Chrome

An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.

6.8
2018-02-07 CVE-2017-5129 Google
Debian
USE After Free vulnerability in Google Chrome

A use after free in WebAudio in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

6.8
2018-02-07 CVE-2017-5128 Google
Debian
Buffer Errors vulnerability in Google Chrome

Heap buffer overflow in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, related to WebGL.

6.8
2018-02-07 CVE-2017-5127 Google
Debian
USE After Free vulnerability in Google Chrome

Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

6.8
2018-02-07 CVE-2017-5126 Google
Debian
USE After Free vulnerability in Google Chrome

A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

6.8
2018-02-07 CVE-2017-5125 Google
Debian
Buffer Errors vulnerability in Google Chrome

Heap buffer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2018-02-07 CVE-2017-15393 Google
Debian
Exposure of Resource TO Wrong Sphere vulnerability in Google Chrome

Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak.

6.8
2018-02-07 CVE-2017-15388 Google
Debian
Out-Of-Bounds Read vulnerability in Google Chrome

Iteration through non-finite points in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

6.8
2018-02-07 CVE-2017-15387 Google
Debian
Unspecified vulnerability in Google Chrome

Insufficient enforcement of Content Security Policy in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to open javascript: URL windows when they should not be allowed to via a crafted HTML page.

6.8
2018-02-07 CVE-2018-1366 IBM Unspecified vulnerability in IBM Content Navigator

IBM Content Navigator 2.0 and 3.0 is vulnerable to Comma Separated Value (CSV) Injection.

6.8
2018-02-07 CVE-2017-17552 Zohocorp Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Admanager Plus

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

6.8
2018-02-07 CVE-2017-12412 CCN Lite Infinite Loop vulnerability in Ccn-Lite

ccn-lite-ccnb2xml in CCN-lite before 2.0.0 allows context-dependent attackers to have unspecified impact via a crafted file, which triggers infinite recursion and a stack overflow.

6.8
2018-02-07 CVE-2016-6169 Foxitsoftware Buffer Errors vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Heap-based buffer overflow in Foxit Reader and PhantomPDF 7.3.4.311 and earlier on Windows allows remote attackers to cause a denial of service (memory corruption and application crash) or potentially execute arbitrary code via the Bezier data in a crafted PDF file.

6.8
2018-02-07 CVE-2016-6168 Foxitsoftware USE After Free vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Use-after-free vulnerability in Foxit Reader and PhantomPDF 7.3.4.311 and earlier on Windows allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a crafted PDF file.

6.8
2018-02-07 CVE-2018-6799 Graphicsmagick
Debian
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The AcquireCacheNexus function in magick/pixel_cache.c in GraphicsMagick before 1.3.28 allows remote attackers to cause a denial of service (heap overwrite) or possibly have unspecified other impact via a crafted image file, because a pixel staging area is not used.

6.8
2018-02-06 CVE-2018-6767 Wavpack
Debian
Canonical
Out-Of-Bounds Read vulnerability in multiple products

A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.

6.8
2018-02-06 CVE-2017-6198 Sandstorm Resource Exhaustion vulnerability in Sandstorm

The Supervisor in Sandstorm doesn't set and enforce the resource limits of a process.

6.8
2018-02-06 CVE-2018-6288 Kaspersky Cross-Site Request Forgery (CSRF) vulnerability in Kaspersky Secure Mail Gateway 1.1

Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.

6.8
2018-02-06 CVE-2018-6467 Flickrrss Project Cross-Site Request Forgery (CSRF) vulnerability in Flickrrss Project Flickrrss 5.3.1

The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.

6.8
2018-02-06 CVE-2018-6654 Grammarly Origin Validation Error vulnerability in Grammarly 20180202

The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens is not restricted to any specific web site.

6.8
2018-02-05 CVE-2017-9414 Subsonic Cross-Site Request Forgery (CSRF) vulnerability in Subsonic 6.1.1

Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view.

6.8
2018-02-05 CVE-2015-4179 Codestyling Localization Project Cross-Site Request Forgery (CSRF) vulnerability in Codestyling Localization Project Codestyling Localization

Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for Wordpress.

6.8
2018-02-08 CVE-2018-0122 Cisco OS Command Injection vulnerability in Cisco Staros 21.3.0.67664

A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to overwrite system files that are stored in the flash memory of an affected system.

6.6
2018-02-09 CVE-2018-1000058 Jenkins Deserialization of Untrusted Data vulnerability in Jenkins Pipeline Supporting Apis 2.15/2.16/2.17

Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code.

6.5
2018-02-09 CVE-2018-1000056 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins Junit

Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

6.5
2018-02-09 CVE-2018-1000055 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins Android Lint 2.5

Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

6.5
2018-02-09 CVE-2018-1000054 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins CCM

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

6.5
2018-02-09 CVE-2018-3607 Trendmicro SQL Injection vulnerability in Trendmicro Control Manager 6.0

XXXTreeNode method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

6.5
2018-02-09 CVE-2018-3606 Trendmicro SQL Injection vulnerability in Trendmicro Control Manager 6.0

XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

6.5
2018-02-09 CVE-2018-3605 Trendmicro SQL Injection vulnerability in Trendmicro Control Manager 6.0

TopXXX, ViolationXXX, and IncidentXXX method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

6.5
2018-02-09 CVE-2018-3604 Trendmicro SQL Injection vulnerability in Trendmicro Control Manager 6.0

GetXXX method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

6.5
2018-02-09 CVE-2018-3603 Trendmicro SQL Injection vulnerability in Trendmicro Control Manager 6.0

A CGGIServlet SQL injection remote code execution (RCE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

6.5
2018-02-09 CVE-2018-3602 Trendmicro SQL Injection vulnerability in Trendmicro Control Manager 6.0

An AdHocQuery_Processor SQL injection remote code execution (RCE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

6.5
2018-02-08 CVE-2017-15914 Borgbackup Unspecified vulnerability in Borgbackup Borg 1.1.0/1.1.1/1.1.2

Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers 1.1.x before 1.1.3.

6.5
2018-02-08 CVE-2018-0119 Cisco Unspecified vulnerability in Cisco Conference Director 20170830

A vulnerability in certain authentication controls in the account services of Cisco Spark could allow an authenticated, remote attacker to interact with and view information on an affected device that would normally be prohibited.

6.5
2018-02-08 CVE-2018-0113 Cisco Improper Input Validation vulnerability in Cisco Unified Computing System Central Software 1.5(1C)

A vulnerability in an operations script of Cisco UCS Central could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the daemon user.

6.5
2018-02-07 CVE-2018-6792 Saifor SQL Injection vulnerability in Saifor Cvms HUB 1.3.1

Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow an authenticated user to execute arbitrary SQL commands via multiple parameters to the /cvms-hub/privado/seccionesmib/secciones.xhtml resource.

6.5
2018-02-05 CVE-2017-15536 Cloudera Improper Privilege Management vulnerability in Cloudera Data Science Workbench

An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0.

6.5
2018-02-09 CVE-2018-1000034 Info ZIP Out-Of-Bounds Read vulnerability in Info-Zip Unzip 6.10C22

An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.

6.4
2018-02-09 CVE-2018-1000033 Info ZIP Out-Of-Bounds Read vulnerability in Info-Zip Unzip 6.10C22

An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.

6.4
2018-02-08 CVE-2018-0116 Cisco Improper Authentication vulnerability in Cisco Mobility Services Engine 13.0.0/13.1.0/14.0.0

A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to be authorized as a subscriber without providing a valid password; however, the attacker must provide a valid username.

6.4
2018-02-08 CVE-2017-6227 Brocade Unspecified vulnerability in Brocade Fabric OS

A vulnerability in the IPv6 stack on Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow an attacker to cause a denial of service (CPU consumption and device hang) condition by sending crafted Router Advertisement (RA) messages to a targeted system.

6.1
2018-02-06 CVE-2018-6788 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2208C0.

6.1
2018-02-06 CVE-2018-6787 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x221808.

6.1
2018-02-06 CVE-2018-6786 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220840.

6.1
2018-02-06 CVE-2018-6785 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008254.

6.1
2018-02-06 CVE-2018-6784 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00824C.

6.1
2018-02-06 CVE-2018-6783 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00825C.

6.1
2018-02-06 CVE-2018-6782 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A0081DC.

6.1
2018-02-06 CVE-2018-6781 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008264.

6.1
2018-02-06 CVE-2018-6780 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A0081E4.

6.1
2018-02-06 CVE-2018-6779 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008240.

6.1
2018-02-06 CVE-2018-6778 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008268.

6.1
2018-02-06 CVE-2018-6777 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220400.

6.1
2018-02-06 CVE-2018-6776 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00813C.

6.1
2018-02-06 CVE-2018-6775 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x990081C8.

6.1
2018-02-06 CVE-2018-6774 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008088.

6.1
2018-02-06 CVE-2018-6773 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008084.

6.1
2018-02-06 CVE-2018-6772 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008208.

6.1
2018-02-06 CVE-2018-6771 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008224.

6.1
2018-02-06 CVE-2018-6770 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008210.

6.1
2018-02-06 CVE-2018-6769 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008020.

6.1
2018-02-06 CVE-2018-6768 Jiangmin Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100

In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008090.

6.1
2018-02-05 CVE-2018-6633 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000038.

6.1
2018-02-05 CVE-2018-6632 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000110.

6.1
2018-02-05 CVE-2018-6631 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110009.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000170.

6.1
2018-02-05 CVE-2018-6630 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8000014c.

6.1
2018-02-05 CVE-2018-6629 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000118.

6.1
2018-02-05 CVE-2018-6628 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8000010c.

6.1
2018-02-05 CVE-2018-6627 Watchdogdevelopment Improper Input Validation vulnerability in Watchdogdevelopment Anti-Malware 2.74.186.150

In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80002054.

6.1
2018-02-05 CVE-2018-6626 Micropoint Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146

In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000035.

6.1
2018-02-05 CVE-2018-6625 Watchdogdevelopment Improper Input Validation vulnerability in Watchdogdevelopment Anti-Malware 2.74.186.150

In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80002010.

6.1
2018-02-09 CVE-2018-1000049 Nanopool Improper Input Validation vulnerability in Nanopool Claymore Dual Miner

Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API.

6.0
2018-02-09 CVE-2018-6508 Puppet USE of Externally-Controlled Format String vulnerability in Puppet 2017.3.0/2017.3.1/2017.3.2

Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks.

6.0
2018-02-05 CVE-2018-6635 Avaya Inadequate Encryption Strength vulnerability in Avaya Aura

System Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, which allows remote attackers to bypass intended Remote Method Invocation (RMI) restrictions, aka SMGR-26896.

6.0
2018-02-09 CVE-2018-1000028 Linux Improper Privilege Management vulnerability in Linux Kernel

Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS.

5.8
2018-02-07 CVE-2017-15397 Google Missing Encryption of Sensitive Data vulnerability in Google Chrome OS

Inappropriate implementation in ChromeVox in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests by leveraging that position.

5.8
2018-02-06 CVE-2018-6656 Zblogcn Cross-Site Request Forgery (CSRF) vulnerability in Zblogcn Z-Blogphp 1.5.1

Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.

5.8
2018-02-09 CVE-2017-0911 Twitter Improper Authentication vulnerability in Twitter KIT

Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials.

5.5
2018-02-06 CVE-2017-6201 Sandstorm Server-Side Request Forgery (SSRF) vulnerability in Sandstorm

A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203.

5.5
2018-02-06 CVE-2014-5282 Docker Improper Input Validation vulnerability in Docker

Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'.

5.5
2018-02-09 CVE-2018-1000060 Sensu Information Exposure Through LOG Files vulnerability in Sensu Core

Sensu, Inc.

5.0
2018-02-09 CVE-2018-1000052 FMT USE of Externally-Controlled Format String vulnerability in FMT

fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service.

5.0
2018-02-09 CVE-2018-1000027 Squid Cache
Debian
Canonical
Null Pointer Dereference vulnerability in multiple products

The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy.

5.0
2018-02-09 CVE-2018-1000024 Squid Cache
Debian
Canonical
The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy..
5.0
2018-02-09 CVE-2018-1000023 Insight Bitpay Improper Input Validation vulnerability in Insight.Bitpay Insight-Api

Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a CWE-20: input validation vulnerability in transaction broadcast endpoint that can result in Full Path Disclosure.

5.0
2018-02-09 CVE-2018-6871 Libreoffice
Debian
Canonical
Redhat
LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function.
5.0
2018-02-09 CVE-2016-10712 PHP
Canonical
Improper Input Validation vulnerability in PHP

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads).

5.0
2018-02-08 CVE-2018-6644 Sblim Project Null Pointer Dereference vulnerability in Sblim Project Small Footprint CIM Broker 1.4.9

SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a null pointer (DoS) vulnerability via a crafted POST request to the /cimom URI.

5.0
2018-02-08 CVE-2018-6180 Themashabrand Improper Authentication vulnerability in Themashabrand Online Voting Platform 1.0

A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts.

5.0
2018-02-08 CVE-2012-3331 IBM Information Exposure vulnerability in IBM Sametime

IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG.NSF.

5.0
2018-02-08 CVE-2018-6846 Zblogcn Information Exposure vulnerability in Zblogcn Z-Blogphp 1.5.1

Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via a direct request to zb_system/function/lib/upload.php.

5.0
2018-02-08 CVE-2018-0138 Cisco Protection Mechanism Failure vulnerability in Cisco Firepower Threat Defense

A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass file policies that are configured to block files transmitted to an affected device via the BitTorrent protocol.

5.0
2018-02-08 CVE-2018-0137 Cisco Allocation of Resources Without Limits OR Throttling vulnerability in Cisco Prime Network 4.3(0.0)Pp6/4.3(2.0)Pp1

A vulnerability in the TCP throttling process of Cisco Prime Network could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

5.0
2018-02-08 CVE-2018-0134 Cisco Information Exposure Through Discrepancy vulnerability in Cisco Mobility Services Engine 13.0.0/13.1.0

A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid.

5.0
2018-02-08 CVE-2018-0132 Cisco Buffer Errors vulnerability in Cisco Carrier Routing System 5.3.0.Rout

A vulnerability in the forwarding information base (FIB) code of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause inconsistency between the routing information base (RIB) and the FIB, resulting in a denial of service (DoS) condition.

5.0
2018-02-08 CVE-2018-0127 Cisco Missing Authentication FOR Critical Function vulnerability in Cisco Rv132W Firmware and Rv134W Firmware

A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information.

5.0
2018-02-07 CVE-2018-6829 Gnupg USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Gnupg Libgcrypt

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack).

5.0
2018-02-07 CVE-2018-1388 IBM Information Exposure vulnerability in IBM Websphere MQ

GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding.

5.0
2018-02-07 CVE-2017-12473 CCN Lite Improper Input Validation vulnerability in Ccn-Lite

ccnl_ccntlv_bytes2pkt in CCN-lite allows context-dependent attackers to cause a denial of service (application crash) via vectors involving packets with "wrong L values."

5.0
2018-02-07 CVE-2017-12467 CCN Lite Missing Release of Resource After Effective Lifetime vulnerability in Ccn-Lite

Memory leak in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (memory consumption) by leveraging failure to allocate memory for the comp or complen structure member.

5.0
2018-02-07 CVE-2017-12464 CCN Lite Null Pointer Dereference vulnerability in Ccn-Lite

ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via vectors involving the keyfile variable.

5.0
2018-02-07 CVE-2017-12463 CCN Lite Missing Release of Resource After Effective Lifetime vulnerability in Ccn-Lite

Memory leak in the ccnl_app_RX function in ccnl-uapi.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (memory consumption) via vectors involving an envelope_s structure pointer when the packet format is unknown.

5.0
2018-02-07 CVE-2018-6794 Suricata IDS
Debian
Protection Mechanism Failure vulnerability in multiple products

Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c.

5.0
2018-02-07 CVE-2018-6790 KDE Information Exposure vulnerability in KDE Plasma-Workspace

An issue was discovered in KDE Plasma Workspace before 5.12.0.

5.0
2018-02-06 CVE-2018-1299 Apache Path Traversal vulnerability in Apache Allura

In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application.

5.0
2018-02-06 CVE-2018-6389 Wordpress Resource Exhaustion vulnerability in Wordpress

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

5.0
2018-02-05 CVE-2018-6610 Jlike Project Information Exposure vulnerability in Jlike Project Jlike 1.0

Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request.

5.0
2018-02-05 CVE-2018-5794 Extremewireless Improper Authentication vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

5.0
2018-02-05 CVE-2018-5789 Extremewireless XXE vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

5.0
2018-02-05 CVE-2018-5788 Extremewireless Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

5.0
2018-02-05 CVE-2018-5787 Extremenetworks Out-Of-Bounds Write vulnerability in Extremenetworks Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

5.0
2018-02-05 CVE-2018-6188 Djangoproject
Canonical
Information Exposure vulnerability in multiple products

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.

5.0
2018-02-09 CVE-2014-8171 Linux
Redhat
Resource Management Errors vulnerability in multiple products

The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.

4.9
2018-02-08 CVE-2018-0123 Cisco Path Traversal vulnerability in Cisco IOS and IOS XE

A Path Traversal vulnerability in the diagnostic shell for Cisco IOS and IOS XE Software could allow an authenticated, local attacker to use certain diagnostic shell commands that can overwrite system files.

4.9
2018-02-07 CVE-2018-6574 Golang
Debian
Redhat
Code Injection vulnerability in multiple products

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

4.6
2018-02-07 CVE-2017-17482 HP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in HP Openvms

An issue was discovered in OpenVMS through V8.4-2L2 on Alpha and through V8.4-2L1 on IA64, and VAX/VMS 4.0 and later.

4.6
2018-02-11 CVE-2018-6891 Ladela Cross-Site Scripting vulnerability in Ladela Bookly

Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js.

4.3
2018-02-09 CVE-2018-1000041 Gnome
Debian
GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB.
4.3
2018-02-09 CVE-2018-1000029 Elsa Project Cross-Site Scripting vulnerability in Elsa Project Elsa 2Cc17F1

mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in .

4.3
2018-02-09 CVE-2018-1000020 Open EMR Cross-Site Scripting vulnerability in Open-Emr Openemr 5.0.0

OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in .

4.3
2018-02-09 CVE-2017-1000508 Invoiceplane Cross-Site Scripting vulnerability in Invoiceplane

Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code .

4.3
2018-02-09 CVE-2017-1000506 Mautic Cross-Site Scripting vulnerability in Mautic

Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of javascript code.

4.3
2018-02-09 CVE-2018-5307 Sonatype Cross-Site Scripting vulnerability in Sonatype Nexus Repository Manager

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality.

4.3
2018-02-09 CVE-2018-5306 Sonatype Cross-Site Scripting vulnerability in Sonatype Nexus Repository Manager

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality.

4.3
2018-02-09 CVE-2014-3219 Fishshell
Fedoraproject
Link Following vulnerability in multiple products

fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER.

4.3
2018-02-09 CVE-2012-6347 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortidb

Multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling in FortiGate FortiDB before 4.4.2 allow remote attackers to inject arbitrary web script or HTML via the conversationContext parameter to (1) admin/auditTrail.jsf, (2) mapolicymgmt/targetsMonitorView.jsf, (3) vascan/globalsummary.jsf, (4) vaerrorlog/vaErrorLog.jsf, (5) database/listTargetGroups.jsf, (6) sysconfig/listSystemInfo.jsf, (7) vascan/list.jsf, (8) network/router.jsf, (9) mapolicymgmt/editPolicyProfile.jsf, or (10) mapolicymgmt/maPolicyMasterList.jsf.

4.3
2018-02-09 CVE-2012-6346 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortiweb

Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) redir or (2) mkey parameter to waf/pcre_expression/validate.

4.3
2018-02-09 CVE-2018-6876 Imagemagick
Libfpx Project
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as used in ImageMagick 7.0.7-22 Q16 and other products, allows remote attackers to cause a denial of service (stack-based buffer under-read) via a crafted bmp image.

4.3
2018-02-09 CVE-2018-1401 IBM Cross-Site Scripting vulnerability in IBM Websphere Portal 8.0.0.0/8.5.0.0/9.0.0.0

IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting.

4.3
2018-02-09 CVE-2017-1761 IBM Cross-Site Scripting vulnerability in IBM Websphere Portal

IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting.

4.3
2018-02-09 CVE-2018-1298 Apache Improper Input Validation vulnerability in Apache Qpid Broker-J 7.0.0

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used.

4.3
2018-02-09 CVE-2018-6872 GNU Out-Of-Bounds Read vulnerability in GNU Binutils 2.30

The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.

4.3
2018-02-09 CVE-2018-6869 Zziplib Project
Debian
Canonical
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c.

4.3
2018-02-08 CVE-2015-2329 Woocommerce Cross-Site Scripting vulnerability in Woocommerce

Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.

4.3
2018-02-08 CVE-2012-0941 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortios

Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list.

4.3
2018-02-08 CVE-2017-6225 Brocade Cross-Site Scripting vulnerability in Brocade Fabric OS

Cross-site scripting (XSS) vulnerability in the web-based management interface of Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow remote attackers to execute arbitrary code or access sensitive browser-based information.

4.3
2018-02-08 CVE-2018-5550 Epson Cross-Site Scripting vulnerability in Epson Airprint

Versions of Epson AirPrint released prior to January 19, 2018 contain a reflective cross-site scripting (XSS) vulnerability, which can allow untrusted users on the network to hijack a session cookie or perform other reflected XSS attacks on a currently logged-on user.

4.3
2018-02-08 CVE-2018-0513 Mtssb MT Systems Cross-Site Scripting vulnerability in Mtssb.Mt-Systems Simple Booking

Cross-site scripting vulnerability in MTS Simple Booking C, MTS Simple Booking Business version 1.28.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2018-02-08 CVE-2018-6834 Etherpad Cross-Site Scripting vulnerability in Etherpad Lite

static/js/pad_utils.js in Etherpad Lite before v1.6.3 has XSS via window.location.href.

4.3
2018-02-08 CVE-2018-0129 Cisco Cross-Site Scripting vulnerability in Cisco Data Center Analytics Framework 1.0

A vulnerability in the web-based management interface of Cisco Data Center Analytics Framework could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

4.3
2018-02-08 CVE-2018-0128 Cisco Cross-Site Scripting vulnerability in Cisco Data Center Analytics Framework

A vulnerability in the web-based management interface of Cisco Data Center Analytics Framework could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

4.3
2018-02-07 CVE-2017-5124 Google
Debian
Cross-Site Scripting vulnerability in Google Chrome

Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.

4.3
2018-02-07 CVE-2017-15395 Google
Debian
USE After Free vulnerability in Google Chrome

A use after free in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an ImageCapture NULL pointer dereference.

4.3
2018-02-07 CVE-2017-15394 Google
Debian
Improper Input Validation vulnerability in Google Chrome

Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing in permission dialogs via IDN homographs in a crafted Chrome Extension.

4.3
2018-02-07 CVE-2017-15391 Google
Debian
Unspecified vulnerability in Google Chrome

Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to access Extension pages without authorisation via a crafted HTML page.

4.3
2018-02-07 CVE-2017-15390 Google
Debian
Improper Input Validation vulnerability in Google Chrome

Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.

4.3
2018-02-07 CVE-2017-15389 Google
Debian
Improper Input Validation vulnerability in Google Chrome

An insufficient watchdog timer in navigation in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2018-02-07 CVE-2017-15386 Google
Debian
Improper Input Validation vulnerability in Google Chrome

Incorrect implementation in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2018-02-07 CVE-2018-6824 Cozy Cross-Site Scripting vulnerability in Cozy 2.0

Cozy version 2 has XSS allowing remote attackers to obtain administrative access via JavaScript code in the url parameter to the /api/proxy URI, as demonstrated by an XMLHttpRequest call with an 'email:"attacker@example.com"' request, which can be followed by a password reset.

4.3
2018-02-07 CVE-2016-2541 Audacityteam Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Audacityteam Audacity

Audacity before 2.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted MP2 file.

4.3
2018-02-07 CVE-2016-2540 Audacityteam Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Audacityteam Audacity

Audacity before 2.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted FORMATCHUNK structure.

4.3
2018-02-07 CVE-2018-6806 Marked 2 Project Information Exposure vulnerability in Marked 2 Project Marked 2

Marked 2 through 2.5.11 allows remote attackers to read arbitrary files via a crafted HTML document that triggers a redirect to an x-marked://preview?text= URL.

4.3
2018-02-07 CVE-2018-6603 Promise Injection vulnerability in Promise Webpam Proe

Promise Technology WebPam Pro-E devices allow remote attackers to conduct XSS, HTTP Response Splitting, and CRLF Injection attacks via JavaScript code in a PHPSESSID cookie.

4.3
2018-02-06 CVE-2018-6759 GNU Improper Input Validation vulnerability in GNU Binutils 2.30

The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation.

4.3
2018-02-06 CVE-2016-7394 Tiki Cross-Site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware

tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attackers steal user's cookie.

4.3
2018-02-06 CVE-2015-3618 Nagios Cross-Site Scripting vulnerability in Nagios Business Process Intelligence

Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php.

4.3
2018-02-06 CVE-2018-6291 Kaspersky Cross-Site Scripting vulnerability in Kaspersky Secure Mail Gateway 1.1

WebConsole Cross-Site Scripting in Kaspersky Secure Mail Gateway version 1.1.

4.3
2018-02-06 CVE-2018-6469 Flickrrss Project Cross-Site Scripting vulnerability in Flickrrss Project Flickrrss 5.3.1

A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_tags parameter to wp-admin/options-general.php.

4.3
2018-02-06 CVE-2018-6468 Flickrrss Project Cross-Site Scripting vulnerability in Flickrrss Project Flickrrss 5.3.1

A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_id parameter to wp-admin/options-general.php.

4.3
2018-02-06 CVE-2018-6466 Flickrrss Project Cross-Site Scripting vulnerability in Flickrrss Project Flickrrss 5.3.1

A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_set parameter to wp-admin/options-general.php.

4.3
2018-02-06 CVE-2017-6169 F5 Improper Input Validation vulnerability in F5 Big-Ip Policy Enforcement Manager

In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virtual server using the URL categorization feature may cause the Traffic Management Microkernel (TMM) to produce a core file when it receives malformed URLs during categorization.

4.3
2018-02-05 CVE-2018-6621 Ffmpeg
Debian
Out-Of-Bounds Read vulnerability in multiple products

The decode_frame function in libavcodec/utvideodec.c in FFmpeg through 3.2 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file.

4.3
2018-02-05 CVE-2018-5793 Extremewireless Out-Of-Bounds Write vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

4.3
2018-02-05 CVE-2018-5792 Extremewireless Out-Of-Bounds Write vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

4.3
2018-02-05 CVE-2018-5791 Extremewireless Out-Of-Bounds Write vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

4.3
2018-02-09 CVE-2018-1000057 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Credentials Binding

Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs.

4.0
2018-02-09 CVE-2018-3600 Trendmicro XXE vulnerability in Trendmicro Control Manager 6.0

A external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations.

4.0
2018-02-09 CVE-2017-10690 Puppet
Redhat
Improper Privilege Management vulnerability in multiple products

In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from.

4.0
2018-02-09 CVE-2018-1052 Postgresql Information Exposure vulnerability in Postgresql 10.0/10.1

Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table.

4.0
2018-02-08 CVE-2017-7351 Project Redcap SQL Injection vulnerability in Project-Redcap Redcap

A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.

4.0
2018-02-08 CVE-2018-0140 Cisco Forced Browsing vulnerability in Cisco products

A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information.

4.0
2018-02-08 CVE-2018-0135 Cisco Improper Input Validation vulnerability in Cisco Unified Communications Manager 11.0(1.24075.1)

A vulnerability in Cisco Unified Communications Manager could allow an authenticated, remote attacker to access sensitive information on an affected system.

4.0
2018-02-08 CVE-2018-0120 Cisco SQL Injection vulnerability in Cisco Unified Communications Manager 11.5(1.13900.52)

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct an SQL injection attack against an affected system.

4.0
2018-02-07 CVE-2017-15392 Google
Debian
Improper Input Validation vulnerability in Google Chrome

Insufficient data validation in V8 in Google Chrome prior to 62.0.3202.62 allowed an attacker who can write to the Windows Registry to potentially exploit heap corruption via a crafted Windows Registry entry, related to PlatformIntegration.

4.0
2018-02-07 CVE-2017-1785 IBM Information Exposure vulnerability in IBM API Connect

IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote user to modify query parameters to obtain sensitive information.

4.0
2018-02-06 CVE-2017-6200 Sandstorm Information Exposure vulnerability in Sandstorm

Sandstorm before build 0.203 allows remote attackers to read any specified file under /etc or /run via the sandbox backup function.

4.0
2018-02-06 CVE-2013-4317 Apache Information Exposure vulnerability in Apache Cloudstack 4.1.0/4.1.1

In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own.

4.0
2018-02-05 CVE-2015-5674 Freebsd Improper Input Validation vulnerability in Freebsd 10.1/10.2/9.3

The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 before 10.2-RC2-p1, 10.2-RC1 before 10.2-RC1-p2, 10.2 before 10.2-BETA2-p3, and 10.1 before 10.1-RELEASE-p17 allows remote authenticated users to cause a denial of service (assertion failure and daemon exit) via a query from a network that is not directly connected.

4.0
2018-02-05 CVE-2015-4461 Efrontlearning Path Traversal vulnerability in Efrontlearning Efront

Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and earlier allows remote Professor users to obtain sensitive information via a full pathname in the other parameter.

4.0
2018-02-05 CVE-2018-5795 Extremewireless Unspecified vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

4.0

21 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-02-09 CVE-2018-1368 IBM Improper Privilege Management vulnerability in IBM Security Guardium Database Activity Monitor 9.0/9.1/9.5

IBM Security Guardium Database Activity Monitor 9.0, 9.1, and 9.5 could allow a local user with low privileges to view report pages and perform some actions that only an admin should be performing, so there is risk that someone not authorized can change things that they are not suppose to.

3.6
2018-02-09 CVE-2018-1000062 Wondercms Cross-Site Scripting vulnerability in Wondercms 2.4.0

WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser.

3.5
2018-02-09 CVE-2017-1000510 Croogo Cross-Site Scripting vulnerability in Croogo 2.3.117G6F82E6C

Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code.

3.5
2018-02-09 CVE-2017-1000509 Dolibarr Cross-Site Scripting vulnerability in Dolibarr 6.0.2

Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code.

3.5
2018-02-09 CVE-2017-1000507 Cnvs Cross-Site Scripting vulnerability in Cnvs Canvas 3.4.2

Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of javascript code.

3.5
2018-02-09 CVE-2018-6878 HOT Scripts Clone Project Cross-Site Scripting vulnerability in HOT Scripts Clone Project HOT Scripts Clone 3.1

Cross Site Scripting (XSS) exists in the review section in PHP Scripts Mall Hot Scripts Clone Script Classified 3.1 via the title or description field.

3.5
2018-02-08 CVE-2018-6844 Mybb Cross-Site Scripting vulnerability in Mybb 1.8.14

MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.

3.5
2018-02-07 CVE-2018-6796 Multilanguage Real Estate MLM Script Project Cross-Site Scripting vulnerability in Multilanguage Real Estate MLM Script Project Multilanguage Real Estate MLM Script 3.0

PHP Scripts Mall Multilanguage Real Estate MLM Script 3.0 has Stored XSS via every profile input field.

3.5
2018-02-07 CVE-2018-6795 Naukri Clone Script Project Cross-Site Scripting vulnerability in Naukri Clone Script Project Naukri Clone Script 3.0.3

PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via every profile input field.

3.5
2018-02-07 CVE-2018-6655 Doctor Search Script Project Cross-Site Scripting vulnerability in Doctor Search Script Project Doctor Search Script 1.0.2

PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbitrary profile field.

3.5
2018-02-07 CVE-2018-1382 IBM Cross-Site Scripting vulnerability in IBM API Connect

IBM API Connect 5.0.0.0 is vulnerable to cross-site scripting.

3.5
2018-02-06 CVE-2015-3619 Virtuemart Cross-Site Scripting vulnerability in Virtuemart

Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in the VirtueMart component before 3.0.8 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors involving a "double encode combination of first_name, last_name and company."

3.5
2018-02-09 CVE-2018-1053 Postgresql
Debian
Canonical
Redhat
Incorrect Permission Assignment FOR Critical Resource vulnerability in multiple products

In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files.

3.3
2018-02-08 CVE-2018-1000030 Python
Canonical
USE After Free vulnerability in multiple products

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free.

3.3
2018-02-05 CVE-2018-5797 Extremenetworks USE of Hard-Coded Credentials vulnerability in Extremenetworks Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

3.3
2018-02-05 CVE-2018-5790 Extremewireless Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Extremewireless Wing

An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3.

2.9
2018-02-09 CVE-2018-1000022 Electrum Missing Authorization vulnerability in Electrum Bitcoin Wallet

Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to version 3.0.5 contains a Missing Authorization vulnerability in JSONRPC interface that can result in Bitcoin theft, if the user's wallet is not password protected.

2.6
2018-02-09 CVE-2017-10689 Puppet
Canonical
Redhat
Improper Privilege Management vulnerability in multiple products

In previous versions of Puppet Agent it was possible to install a module with world writable permissions.

2.1
2018-02-06 CVE-2016-3954 Web2Py Information Exposure vulnerability in Web2Py

web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status.

2.1
2018-02-06 CVE-2016-3952 Web2Py Credentials Management vulnerability in Web2Py

web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify.

2.1
2018-02-06 CVE-2015-4400 Ring Credentials Management vulnerability in Ring Firmware

Ring (formerly DoorBot) video doorbells allow remote attackers to obtain sensitive information about the wireless network configuration by pressing the set up button and leveraging an API in the GainSpan Wi-Fi module.

2.1