Weekly Vulnerabilities Reports > February 5 to 11, 2018
Overview
318 new vulnerabilities reported during this period, including 30 critical vulnerabilities and 84 high severity vulnerabilities. This weekly summary report vulnerabilities in 329 products from 142 vendors including Debian, Quest, Google, Jiangmin, and Cisco. Vulnerabilities are notably categorized as "Improper Input Validation", "Cross-site Scripting", "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Information Exposure".
- 262 reported vulnerabilities are remotely exploitables.
- 26 reported vulnerabilities have public exploit available.
- 110 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 259 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 37 reported vulnerabilities.
- Redhat has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
30 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-02-09 | CVE-2018-1000043 | Securityonion | OS Command Injection vulnerability in Securityonion Squert Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in .inc/callback.php that can result in execution of OS Commands. | 10.0 |
2018-02-09 | CVE-2018-1000042 | Securityonion | OS Command Injection vulnerability in Securityonion Squert Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in .inc/callback.php that can result in execution of OS Commands. | 10.0 |
2018-02-09 | CVE-2018-6825 | Omninova | Use of Hard-coded Credentials vulnerability in Omninova Vobot Firmware An issue was discovered on VOBOT CLOCK before 0.99.30 devices. | 10.0 |
2018-02-08 | CVE-2012-2166 | IBM | Use of Hard-coded Credentials vulnerability in IBM products IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors. | 10.0 |
2018-02-08 | CVE-2018-1163 | Quest | Unspecified vulnerability in Quest Netvault Backup 11.2.0.13 This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Quest NetVault Backup 11.2.0.13. | 10.0 |
2018-02-08 | CVE-2018-1161 | Quest | Improper Input Validation vulnerability in Quest Netvault Backup 11.2.0.13 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.2.0.13. | 10.0 |
2018-02-08 | CVE-2018-0514 | Futomi | OS Command Injection vulnerability in Futomi MP Form Mail CGI MP Form Mail CGI eCommerce Edition Ver 2.0.13 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. | 10.0 |
2018-02-07 | CVE-2018-6823 | Mailbutler | Unspecified vulnerability in Mailbutler Shimo In the VPN client in Mailbutler Shimo before 4.1.5.1 on macOS, the com.feingeist.shimo.helper tool LaunchDaemon implements an unprotected XPC service that can be abused to execute scripts as root. | 10.0 |
2018-02-07 | CVE-2018-6822 | Purevpn | Unspecified vulnerability in Purevpn In PureVPN 6.0.1 on macOS, HelperTool LaunchDaemon implements an unprotected XPC service that can be abused to execute system commands as root. | 10.0 |
2018-02-06 | CVE-2018-4877 | Adobe Redhat | Use After Free vulnerability in multiple products A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. | 10.0 |
2018-02-06 | CVE-2018-6289 | Kaspersky | Injection vulnerability in Kaspersky Secure Mail Gateway 1.1 Configuration file injection leading to Code Execution as Root in Kaspersky Secure Mail Gateway version 1.1. | 10.0 |
2018-02-06 | CVE-2018-6569 | West Wind | Improper Authentication vulnerability in West-Wind web Connection West Wind Web Server 6.x does not require authentication for /ADMIN.ASP. | 10.0 |
2018-02-08 | CVE-2018-6789 | Exim Debian Canonical | Classic Buffer Overflow vulnerability in multiple products An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. | 9.8 |
2018-02-08 | CVE-2018-6836 | Wireshark | Release of Invalid Pointer or Reference vulnerability in Wireshark The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an uninitialized memory address, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. | 9.8 |
2018-02-08 | CVE-2018-0125 | Cisco | Improper Input Validation vulnerability in Cisco Rv132W Firmware and Rv134W Firmware A vulnerability in the web interface of the Cisco RV132W ADSL2+ Wireless-N VPN and RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. | 9.8 |
2018-02-06 | CVE-2017-7525 | Fasterxml Debian Netapp Redhat Oracle | Incomplete Blacklist vulnerability in multiple products A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | 9.8 |
2018-02-06 | CVE-2017-15095 | Fasterxml Debian Redhat Netapp Oracle | Deserialization of Untrusted Data vulnerability in multiple products A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | 9.8 |
2018-02-06 | CVE-2016-6813 | Apache | Unspecified vulnerability in Apache Cloudstack Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. | 9.8 |
2018-02-08 | CVE-2013-3553 | Nitropdf | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nitropdf Nitro PRO and Nitro Reader Nitro Pro 7.5.0.22 and earlier and Nitro Reader 2.5.0.36 and earlier allow remote attackers to execute arbitrary code via a crafted PDF file. | 9.3 |
2018-02-08 | CVE-2013-3552 | Nitropdf | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nitropdf Nitro PRO and Nitro Reader Nitro Pro 7.5.0.29 and earlier and Nitro Reader 2.5.0.45 and earlier allow remote attackers to execute arbitrary code via a crafted PDF file. | 9.3 |
2018-02-08 | CVE-2013-2830 | Sumatrapdfreader | Use After Free vulnerability in Sumatrapdfreader Sumatrapdf Use-after-free vulnerability in SumatraPDF Reader 2.x before 2.2.1 allows remote attackers to execute arbitrary code via a crafted PDF file. | 9.3 |
2018-02-08 | CVE-2012-5360 | Ffmpeg | Improper Input Validation vulnerability in Ffmpeg Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted QT file. | 9.3 |
2018-02-08 | CVE-2012-5359 | Ffmpeg | Improper Input Validation vulnerability in Ffmpeg Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted ASF file. | 9.3 |
2018-02-05 | CVE-2018-6651 | Uncurl Project Parsecgaming | Cross-Site Request Forgery (CSRF) vulnerability in multiple products In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. | 9.3 |
2018-02-05 | CVE-2015-1418 | Freebsd | Information Exposure vulnerability in Freebsd 10.1/10.2 The do_ed_script function in pch.c in GNU patch through 2.7.6, and patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before 10.2-BETA2-p3, 10.2-RC1 before 10.2-RC1-p2, and 0.2-RC2 before 10.2-RC2-p1, allows remote attackers to execute arbitrary commands via a crafted patch file, because a '!' character can be passed to the ed program. | 9.3 |
2018-02-05 | CVE-2015-1416 | Freebsd | Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.0/10.1/10.2 Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file. | 9.3 |
2018-02-05 | CVE-2018-6461 | March Hare Microsoft | Untrusted Search Path vulnerability in March-Hare Wincvs March Hare WINCVS before 2.8.01 build 6610, and CVS Suite before 2009R2 build 6610, contains an Insecure Library Loading vulnerability in the wincvs2.exe or wincvs.exe file, which may allow local users to gain privileges via a Trojan horse Python or TCL DLL file in the current working directory. | 9.3 |
2018-02-09 | CVE-2018-1000019 | Open EMR | OS Command Injection vulnerability in Open-Emr Openemr 5.0.0 OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role. | 9.0 |
2018-02-06 | CVE-2017-17996 | Flexense | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Flexense Syncbreeze A buffer overflow vulnerability in "Add command" functionality exists in Flexense SyncBreeze Enterprise <= 10.3.14. | 9.0 |
2018-02-05 | CVE-2018-5796 | Extremewireless | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 9.0 |
84 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-02-07 | CVE-2017-5133 | Google Debian | Out-of-bounds Write vulnerability in multiple products Off-by-one read/write on the heap in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to corrupt memory and possibly leak information and potentially execute code via a crafted PDF file. | 8.8 |
2018-02-07 | CVE-2017-5132 | Google Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka incorrect WebAssembly stack manipulation. | 8.8 |
2018-02-07 | CVE-2017-5131 | Google Debian | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an out-of-bounds write. | 8.8 |
2018-02-07 | CVE-2017-5129 | Google Debian | Use After Free vulnerability in multiple products A use after free in WebAudio in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | 8.8 |
2018-02-07 | CVE-2017-5128 | Google Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Heap buffer overflow in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, related to WebGL. | 8.8 |
2018-02-07 | CVE-2017-5127 | Google Debian | Use After Free vulnerability in multiple products Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 8.8 |
2018-02-07 | CVE-2017-5126 | Google Debian | Use After Free vulnerability in multiple products A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 8.8 |
2018-02-07 | CVE-2017-5125 | Google Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Heap buffer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2018-02-07 | CVE-2017-15393 | Google Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak. | 8.8 |
2018-02-07 | CVE-2017-15388 | Google Debian | Out-of-bounds Read vulnerability in multiple products Iteration through non-finite points in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | 8.8 |
2018-02-07 | CVE-2017-15387 | Google Debian | Insufficient enforcement of Content Security Policy in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to open javascript: URL windows when they should not be allowed to via a crafted HTML page. | 8.8 |
2018-02-07 | CVE-2018-6799 | Graphicsmagick Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The AcquireCacheNexus function in magick/pixel_cache.c in GraphicsMagick before 1.3.28 allows remote attackers to cause a denial of service (heap overwrite) or possibly have unspecified other impact via a crafted image file, because a pixel staging area is not used. | 8.8 |
2018-02-06 | CVE-2014-5280 | Boot2Docker | Cross-Site Request Forgery (CSRF) vulnerability in Boot2Docker boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication. | 8.8 |
2018-02-06 | CVE-2014-5279 | Boot2Docker | Improper Access Control vulnerability in Boot2Docker The Docker daemon managed by boot2docker 1.2 and earlier improperly enables unauthenticated TCP connections by default, which makes it easier for remote attackers to gain privileges or execute arbitrary code from children containers. | 8.8 |
2018-02-08 | CVE-2018-1162 | Quest | Unspecified vulnerability in Quest Netvault Backup 11.2.0.13 This vulnerability allows remote attackers to create a denial-of-service condition on vulnerable installations of Quest NetVault Backup 11.2.0.13. | 8.5 |
2018-02-06 | CVE-2014-5282 | Docker | Improper Input Validation vulnerability in Docker Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'. | 8.1 |
2018-02-08 | CVE-2018-0117 | Cisco | Improper Input Validation vulnerability in Cisco ASR 5000 Firmware and ASR 5500 Firmware A vulnerability in the ingress packet processing functionality of the Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) Software could allow an unauthenticated, remote attacker to cause both control function (CF) instances on an affected system to reload, resulting in a denial of service (DoS) condition. | 7.8 |
2018-02-07 | CVE-2017-15400 | CRLF Injection vulnerability in Google Chrome OS Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue. | 7.8 | |
2018-02-07 | CVE-2018-6574 | Golang Debian Redhat | Code Injection vulnerability in multiple products Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. | 7.8 |
2018-02-07 | CVE-2017-17482 | HP | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HP Openvms 4.0/8.42L1 An issue was discovered in OpenVMS through V8.4-2L2 on Alpha and through V8.4-2L1 on IA64, and VAX/VMS 4.0 and later. | 7.8 |
2018-02-09 | CVE-2018-1000026 | Linux Canonical Redhat Debian | Improper Input Validation vulnerability in multiple products Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. | 7.7 |
2018-02-08 | CVE-2018-0512 | Iodata | OS Command Injection vulnerability in Iodata products Devices with IP address setting tool "MagicalFinder" provided by I-O DATA DEVICE, INC. | 7.7 |
2018-02-09 | CVE-2018-6826 | Omninova | Unspecified vulnerability in Omninova Vobot Firmware An issue was discovered on VOBOT CLOCK before 0.99.30 devices. | 7.6 |
2018-02-08 | CVE-2014-8985 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-4145. | 7.6 |
2018-02-08 | CVE-2014-4145 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-8985. | 7.6 |
2018-02-08 | CVE-2014-4112 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0304. | 7.6 |
2018-02-08 | CVE-2014-4066 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, CVE-2014-2802, and CVE-2014-2806. | 7.6 |
2018-02-11 | CVE-2018-6892 | Cloudme | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cloudme Sync 1.10.9 An issue was discovered in CloudMe before 1.11.0. | 7.5 |
2018-02-11 | CVE-2017-18174 | Linux | Double Free vulnerability in Linux Kernel In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free. | 7.5 |
2018-02-09 | CVE-2018-1000059 | Validformbuilder | Deserialization of Untrusted Data vulnerability in Validformbuilder Validform Builder 4.5.4 ValidFormBuilder version 4.5.4 contains a PHP Object Injection vulnerability in Valid Form unserialize method that can result in Possible to execute unauthorised system commands remotely and disclose file contents in file system. | 7.5 |
2018-02-09 | CVE-2018-1000044 | Securityonion | SQL Injection vulnerability in Securityonion Squert Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a SQL Injection vulnerability in .inc/callback.php that can result in execution of SQL commands. | 7.5 |
2018-02-09 | CVE-2018-3601 | Trendmicro | Improper Authentication vulnerability in Trendmicro Control Manager 6.0 A password hash usage authentication bypass vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to bypass authentication on vulnerable installations. | 7.5 |
2018-02-09 | CVE-2016-10712 | PHP Canonical | Improper Input Validation vulnerability in multiple products In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). | 7.5 |
2018-02-08 | CVE-2011-4889 | IBM | 7PK - Security Features vulnerability in IBM Websphere Application Server The javax.naming.directory.AttributeInUseException class in the Virtual Member Manager in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 does not properly update passwords on a configuration using Tivoli Directory Server, which might allow remote attackers to gain access to an application by leveraging knowledge of an old password. | 7.5 |
2018-02-08 | CVE-2017-17659 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17658 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17657 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17656 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17655 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17654 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17653 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17652 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17425 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17424 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17423 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17422 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17421 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17420 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17419 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17418 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17417 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17416 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17415 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17414 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17413 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2017-17412 | Quest | SQL Injection vulnerability in Quest Netvault Backup 11.3.0.12 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. | 7.5 |
2018-02-08 | CVE-2018-6835 | Etherpad | Improper Input Validation vulnerability in Etherpad node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions. | 7.5 |
2018-02-07 | CVE-2017-12472 | CCN Lite | NULL Pointer Dereference vulnerability in Ccn-Lite ccnl-ext-mgmt.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging missing NULL pointer checks after ccnl_malloc. | 7.5 |
2018-02-07 | CVE-2017-12471 | CCN Lite | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ccn-Lite The cnb_parse_lev function in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging failure to check for out-of-bounds conditions, which triggers an invalid read in the hexdump function. | 7.5 |
2018-02-07 | CVE-2017-12470 | CCN Lite | Integer Overflow or Wraparound vulnerability in Ccn-Lite Integer overflow in the ndn_parse_sequence function in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors involving the typ and vallen variables. | 7.5 |
2018-02-07 | CVE-2017-12469 | CCN Lite | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ccn-Lite Buffer overflow in util/ccnl-common.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging incorrect memory allocation. | 7.5 |
2018-02-07 | CVE-2017-12468 | CCN Lite | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ccn-Lite Buffer overflow in ccn-lite-ccnb2xml.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors involving the vallen and len variables. | 7.5 |
2018-02-07 | CVE-2017-12466 | CCN Lite | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ccn-Lite CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors related to ssl_halen when running ccn-lite-sim, which trigger an out-of-bounds access. | 7.5 |
2018-02-07 | CVE-2017-12465 | CCN Lite | Integer Overflow or Wraparound vulnerability in Ccn-Lite Multiple integer overflows in CCN-lite before 2.00 allow context-dependent attackers to have unspecified impact via vectors involving the (1) vallen variable in the iottlv_parse_sequence function or (2) typ, vallen and i variables in the localrpc_parse function. | 7.5 |
2018-02-06 | CVE-2018-4878 | Adobe Redhat | Use After Free vulnerability in multiple products A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. | 7.5 |
2018-02-06 | CVE-2018-1299 | Apache | Path Traversal vulnerability in Apache Allura In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. | 7.5 |
2018-02-06 | CVE-2018-6758 | Unbit | Out-of-bounds Write vulnerability in Unbit Uwsgi The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through 2.0.15 has a stack-based buffer overflow via a large directory length. | 7.5 |
2018-02-06 | CVE-2016-3957 | Web2Py | Deserialization of Untrusted Data vulnerability in Web2Py The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. | 7.5 |
2018-02-06 | CVE-2016-3953 | Web2Py | Use of Hard-coded Credentials vulnerability in Web2Py The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. | 7.5 |
2018-02-06 | CVE-2017-17663 | Acme | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acme Mini Httpd and Thttpd The htpasswd implementation of mini_httpd before v1.28 and of thttpd before v2.28 is affected by a buffer overflow that can be exploited remotely to perform code execution. | 7.5 |
2018-02-06 | CVE-2017-6199 | Sandstorm | Improper Authentication vulnerability in Sandstorm A remote attacker could bypass the Sandstorm organization restriction before build 0.203 via a comma in an email-address field. | 7.5 |
2018-02-05 | CVE-2018-6609 | JSP Tickets Project | SQL Injection vulnerability in JSP Tickets Project JSP Tickets 1.1 SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action. | 7.5 |
2018-02-05 | CVE-2018-6605 | ZH Baidumap Project | SQL Injection vulnerability in ZH Baidumap Project ZH Baidumap 3.0.0.1 SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request. | 7.5 |
2018-02-05 | CVE-2018-6604 | ZH Yandexmap Project | SQL Injection vulnerability in ZH Yandexmap Project ZH Yandexmap 6.2.1.0 SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request. | 7.5 |
2018-02-05 | CVE-2018-6582 | ZH Googlemap Project | SQL Injection vulnerability in ZH Googlemap Project ZH Googlemap 8.4.0.0 SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request. | 7.5 |
2018-02-05 | CVE-2018-6624 | Omron | Forced Browsing vulnerability in Omron NS Series Firmware OMRON NS devices 1.1 through 1.3 allow remote attackers to bypass authentication via a direct request to the .html file for a specific screen, as demonstrated by monitor.html. | 7.5 |
2018-02-05 | CVE-2018-5442 | Fujielectric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Fujielectric V-Server VPR Firmware A Stack-based Buffer Overflow issue was discovered in Fuji Electric V-Server VPR 4.0.1.0 and prior. | 7.5 |
2018-02-05 | CVE-2015-4412 | Bson Project | Resource Exhaustion vulnerability in Bson Project Bson 3.0.3 BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string. | 7.5 |
2018-02-07 | CVE-2017-15397 | Missing Encryption of Sensitive Data vulnerability in Google Chrome OS Inappropriate implementation in ChromeVox in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests by leveraging that position. | 7.4 | |
2018-02-07 | CVE-2017-1692 | IBM | Unspecified vulnerability in IBM AIX IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges. | 7.2 |
2018-02-07 | CVE-2018-6791 | KDE Debian | OS Command Injection vulnerability in multiple products An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. | 7.2 |
2018-02-06 | CVE-2018-6290 | Kaspersky | Unspecified vulnerability in Kaspersky Secure Mail Gateway 1.1 Local Privilege Escalation in Kaspersky Secure Mail Gateway version 1.1. | 7.2 |
2018-02-06 | CVE-2017-6279 | Out-of-bounds Write vulnerability in Google Android NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process. | 7.2 | |
2018-02-06 | CVE-2017-6258 | Out-of-bounds Write vulnerability in Google Android NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process. | 7.2 |
184 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-02-09 | CVE-2015-1862 | Abrt Project | Race Condition vulnerability in Abrt Project Abrt The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namedspaced environment. | 6.9 |
2018-02-06 | CVE-2018-5457 | Vyaire Microsoft | Uncontrolled Search Path Element vulnerability in Vyaire Carefusion Upgrade Utility 2.0.2.2 A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. | 6.9 |
2018-02-09 | CVE-2018-1000053 | Limesurvey | Cross-Site Request Forgery (CSRF) vulnerability in Limesurvey 3.0.0 LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. | 6.8 |
2018-02-09 | CVE-2018-1000051 | Artifex Debian | Use After Free vulnerability in multiple products Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. | 6.8 |
2018-02-09 | CVE-2018-1000050 | STB Vorbis Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in STB Vorbis Project STB Vorbis Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer Overflow vulnerability in All vorbis decoding paths. | 6.8 |
2018-02-09 | CVE-2018-1000048 | Nasa | Deserialization of Untrusted Data vulnerability in Nasa Rtretrievalframework 1.0 NASA RtRetrievalFramework version v1.0 contains a CWE-502 vulnerability in Data retrieval functionality of RtRetrieval framework that can result in remote code execution. | 6.8 |
2018-02-09 | CVE-2018-1000047 | Nasa | Deserialization of Untrusted Data vulnerability in Nasa Kodiak 1.0 NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak library's data processing function that can result in remote code execution. | 6.8 |
2018-02-09 | CVE-2018-1000046 | Nasa | Deserialization of Untrusted Data vulnerability in Nasa Pyblock NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in Radar data parsing library that can result in remote code execution. | 6.8 |
2018-02-09 | CVE-2018-1000045 | Nasa | Deserialization of Untrusted Data vulnerability in Nasa Singledop 1.0 NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA Singledop library (Weather data) that can result in remote code execution. | 6.8 |
2018-02-09 | CVE-2018-1000035 | Unzip Project | Out-of-bounds Write vulnerability in Unzip Project Unzip 5.51/5.52/6.0 A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution. | 6.8 |
2018-02-09 | CVE-2018-1000032 | Info ZIP | Out-of-bounds Write vulnerability in Info-Zip Unzip 6.10C22 A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution. | 6.8 |
2018-02-09 | CVE-2018-1000031 | Info ZIP | Out-of-bounds Write vulnerability in Info-Zip Unzip 6.10C22 A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution. | 6.8 |
2018-02-09 | CVE-2018-1000025 | Firebase Admin SDK FOR PHP Project | Incorrect Permission Assignment for Critical Resource vulnerability in Firebase Admin SDK FOR PHP Project Firebase Admin SDK FOR PHP Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air. | 6.8 |
2018-02-09 | CVE-2018-1000021 | GIT SCM | Improper Input Validation vulnerability in Git-Scm GIT GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. | 6.8 |
2018-02-09 | CVE-2018-1307 | Apache | XXE vulnerability in Apache Juddi In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. | 6.8 |
2018-02-09 | CVE-2018-6827 | Omninova | Improper Certificate Validation vulnerability in Omninova Vobot Firmware VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded --no-check-certificate Wget option. | 6.8 |
2018-02-08 | CVE-2018-0517 | Kddi | Untrusted Search Path vulnerability in Kddi Anshin NET Security Untrusted search path vulnerability in Anshin net security for Windows Version 16.0.1.44 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2018-02-07 | CVE-2017-5130 | Google Debian Xmlsoft | Out-of-bounds Write vulnerability in multiple products An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. | 6.8 |
2018-02-07 | CVE-2018-1366 | IBM | Unspecified vulnerability in IBM Content Navigator IBM Content Navigator 2.0 and 3.0 is vulnerable to Comma Separated Value (CSV) Injection. | 6.8 |
2018-02-07 | CVE-2017-17552 | Zohocorp | Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Admanager Plus /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. | 6.8 |
2018-02-07 | CVE-2017-12412 | CCN Lite | Infinite Loop vulnerability in Ccn-Lite ccn-lite-ccnb2xml in CCN-lite before 2.0.0 allows context-dependent attackers to have unspecified impact via a crafted file, which triggers infinite recursion and a stack overflow. | 6.8 |
2018-02-07 | CVE-2016-6169 | Foxitsoftware | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Foxit Reader and Phantompdf Heap-based buffer overflow in Foxit Reader and PhantomPDF 7.3.4.311 and earlier on Windows allows remote attackers to cause a denial of service (memory corruption and application crash) or potentially execute arbitrary code via the Bezier data in a crafted PDF file. | 6.8 |
2018-02-07 | CVE-2016-6168 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Reader and Phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF 7.3.4.311 and earlier on Windows allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a crafted PDF file. | 6.8 |
2018-02-06 | CVE-2018-6767 | Wavpack Debian Canonical | Out-of-bounds Read vulnerability in multiple products A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file. | 6.8 |
2018-02-06 | CVE-2017-6198 | Sandstorm | Resource Exhaustion vulnerability in Sandstorm The Supervisor in Sandstorm doesn't set and enforce the resource limits of a process. | 6.8 |
2018-02-06 | CVE-2018-6288 | Kaspersky | Cross-Site Request Forgery (CSRF) vulnerability in Kaspersky Secure Mail Gateway 1.1 Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1. | 6.8 |
2018-02-06 | CVE-2018-6467 | Flickrrss Project | Cross-Site Request Forgery (CSRF) vulnerability in Flickrrss Project Flickrrss 5.3.1 The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php. | 6.8 |
2018-02-06 | CVE-2018-6654 | Grammarly | Origin Validation Error vulnerability in Grammarly 20180202 The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens is not restricted to any specific web site. | 6.8 |
2018-02-05 | CVE-2017-9414 | Subsonic | Cross-Site Request Forgery (CSRF) vulnerability in Subsonic 6.1.1 Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view. | 6.8 |
2018-02-05 | CVE-2015-4179 | Codestyling Localization Project | Cross-Site Request Forgery (CSRF) vulnerability in Codestyling Localization Project Codestyling Localization Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for Wordpress. | 6.8 |
2018-02-08 | CVE-2018-0122 | Cisco | OS Command Injection vulnerability in Cisco Staros 21.3.0.67664 A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to overwrite system files that are stored in the flash memory of an affected system. | 6.6 |
2018-02-09 | CVE-2018-1000058 | Jenkins | Deserialization of Untrusted Data vulnerability in Jenkins Pipeline Supporting Apis 2.15/2.16/2.17 Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. | 6.5 |
2018-02-09 | CVE-2018-1000056 | Jenkins | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Junit Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | 6.5 |
2018-02-09 | CVE-2018-1000055 | Jenkins | Server-Side Request Forgery (SSRF) vulnerability in Jenkins Android Lint 2.5 Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | 6.5 |
2018-02-09 | CVE-2018-1000054 | Jenkins | Server-Side Request Forgery (SSRF) vulnerability in Jenkins CCM Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. | 6.5 |
2018-02-09 | CVE-2018-3607 | Trendmicro | SQL Injection vulnerability in Trendmicro Control Manager 6.0 XXXTreeNode method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | 6.5 |
2018-02-09 | CVE-2018-3606 | Trendmicro | SQL Injection vulnerability in Trendmicro Control Manager 6.0 XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | 6.5 |
2018-02-09 | CVE-2018-3605 | Trendmicro | SQL Injection vulnerability in Trendmicro Control Manager 6.0 TopXXX, ViolationXXX, and IncidentXXX method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | 6.5 |
2018-02-09 | CVE-2018-3604 | Trendmicro | SQL Injection vulnerability in Trendmicro Control Manager 6.0 GetXXX method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | 6.5 |
2018-02-09 | CVE-2018-3603 | Trendmicro | SQL Injection vulnerability in Trendmicro Control Manager 6.0 A CGGIServlet SQL injection remote code execution (RCE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | 6.5 |
2018-02-09 | CVE-2018-3602 | Trendmicro | SQL Injection vulnerability in Trendmicro Control Manager 6.0 An AdHocQuery_Processor SQL injection remote code execution (RCE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | 6.5 |
2018-02-08 | CVE-2017-15914 | Borgbackup | Unspecified vulnerability in Borgbackup Borg 1.1.0/1.1.1/1.1.2 Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers 1.1.x before 1.1.3. | 6.5 |
2018-02-08 | CVE-2018-0140 | Cisco | Forced Browsing vulnerability in Cisco products A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information. | 6.5 |
2018-02-08 | CVE-2018-0119 | Cisco | Unspecified vulnerability in Cisco Conference Director 20170830 A vulnerability in certain authentication controls in the account services of Cisco Spark could allow an authenticated, remote attacker to interact with and view information on an affected device that would normally be prohibited. | 6.5 |
2018-02-08 | CVE-2018-0113 | Cisco | Improper Input Validation vulnerability in Cisco Unified Computing System Central Software 1.5(1C) A vulnerability in an operations script of Cisco UCS Central could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the daemon user. | 6.5 |
2018-02-07 | CVE-2017-15395 | Google Debian | Use After Free vulnerability in multiple products A use after free in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an ImageCapture NULL pointer dereference. | 6.5 |
2018-02-07 | CVE-2017-15394 | Google Debian | Improper Input Validation vulnerability in multiple products Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing in permission dialogs via IDN homographs in a crafted Chrome Extension. | 6.5 |
2018-02-07 | CVE-2017-15391 | Google Debian | Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to access Extension pages without authorisation via a crafted HTML page. | 6.5 |
2018-02-07 | CVE-2017-15390 | Google Debian | Improper Input Validation vulnerability in multiple products Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. | 6.5 |
2018-02-07 | CVE-2017-15389 | Google Debian | Improper Input Validation vulnerability in multiple products An insufficient watchdog timer in navigation in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2018-02-07 | CVE-2017-15386 | Google Debian | Improper Input Validation vulnerability in multiple products Incorrect implementation in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2018-02-07 | CVE-2018-6792 | Saifor | SQL Injection vulnerability in Saifor Cvms HUB 1.3.1 Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow an authenticated user to execute arbitrary SQL commands via multiple parameters to the /cvms-hub/privado/seccionesmib/secciones.xhtml resource. | 6.5 |
2018-02-05 | CVE-2017-15536 | Cloudera | Improper Privilege Management vulnerability in Cloudera Data Science Workbench An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. | 6.5 |
2018-02-09 | CVE-2018-1000034 | Info ZIP | Out-of-bounds Read vulnerability in Info-Zip Unzip 6.10C22 An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory. | 6.4 |
2018-02-09 | CVE-2018-1000033 | Info ZIP | Out-of-bounds Read vulnerability in Info-Zip Unzip 6.10C22 An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory. | 6.4 |
2018-02-08 | CVE-2018-0116 | Cisco | Improper Authentication vulnerability in Cisco Mobility Services Engine 13.0.0/13.1.0/14.0.0 A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to be authorized as a subscriber without providing a valid password; however, the attacker must provide a valid username. | 6.4 |
2018-02-11 | CVE-2018-6891 | Booking WP Plugin | Cross-site Scripting vulnerability in Booking-Wp-Plugin Bookly Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js. | 6.1 |
2018-02-08 | CVE-2017-6227 | Broadcom Brocade | A vulnerability in the IPv6 stack on Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow an attacker to cause a denial of service (CPU consumption and device hang) condition by sending crafted Router Advertisement (RA) messages to a targeted system. | 6.1 |
2018-02-07 | CVE-2017-5124 | Google Debian | Cross-site Scripting vulnerability in multiple products Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page. | 6.1 |
2018-02-06 | CVE-2018-6788 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2208C0. | 6.1 |
2018-02-06 | CVE-2018-6787 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x221808. | 6.1 |
2018-02-06 | CVE-2018-6786 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220840. | 6.1 |
2018-02-06 | CVE-2018-6785 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008254. | 6.1 |
2018-02-06 | CVE-2018-6784 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00824C. | 6.1 |
2018-02-06 | CVE-2018-6783 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00825C. | 6.1 |
2018-02-06 | CVE-2018-6782 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A0081DC. | 6.1 |
2018-02-06 | CVE-2018-6781 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008264. | 6.1 |
2018-02-06 | CVE-2018-6780 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A0081E4. | 6.1 |
2018-02-06 | CVE-2018-6779 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008240. | 6.1 |
2018-02-06 | CVE-2018-6778 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008268. | 6.1 |
2018-02-06 | CVE-2018-6777 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220400. | 6.1 |
2018-02-06 | CVE-2018-6776 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00813C. | 6.1 |
2018-02-06 | CVE-2018-6775 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x990081C8. | 6.1 |
2018-02-06 | CVE-2018-6774 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008088. | 6.1 |
2018-02-06 | CVE-2018-6773 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008084. | 6.1 |
2018-02-06 | CVE-2018-6772 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008208. | 6.1 |
2018-02-06 | CVE-2018-6771 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008224. | 6.1 |
2018-02-06 | CVE-2018-6770 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008210. | 6.1 |
2018-02-06 | CVE-2018-6769 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008020. | 6.1 |
2018-02-06 | CVE-2018-6768 | Jiangmin | Improper Input Validation vulnerability in Jiangmin Antivirus 16.0.0.100 In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008090. | 6.1 |
2018-02-05 | CVE-2018-6633 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000038. | 6.1 |
2018-02-05 | CVE-2018-6632 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000110. | 6.1 |
2018-02-05 | CVE-2018-6631 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110009.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000170. | 6.1 |
2018-02-05 | CVE-2018-6630 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8000014c. | 6.1 |
2018-02-05 | CVE-2018-6629 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000118. | 6.1 |
2018-02-05 | CVE-2018-6628 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8000010c. | 6.1 |
2018-02-05 | CVE-2018-6627 | Watchdogdevelopment | Improper Input Validation vulnerability in Watchdogdevelopment Anti-Malware 2.74.186.150 In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80002054. | 6.1 |
2018-02-05 | CVE-2018-6626 | Micropoint | Improper Input Validation vulnerability in Micropoint Proactive Defense 2.0.20266.0146 In Micropoint proactive defense software 2.0.20266.0146, the driver file (mp110005.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80000035. | 6.1 |
2018-02-05 | CVE-2018-6625 | Watchdogdevelopment | Improper Input Validation vulnerability in Watchdogdevelopment Anti-Malware 2.74.186.150 In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80002010. | 6.1 |
2018-02-09 | CVE-2018-1000049 | Nanopool | Improper Input Validation vulnerability in Nanopool Claymore Dual Miner Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. | 6.0 |
2018-02-09 | CVE-2018-6508 | Puppet | Use of Externally-Controlled Format String vulnerability in Puppet Enterprise 2017.3.0/2017.3.1/2017.3.2 Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. | 6.0 |
2018-02-05 | CVE-2018-6635 | Avaya | Inadequate Encryption Strength vulnerability in Avaya Aura System Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, which allows remote attackers to bypass intended Remote Method Invocation (RMI) restrictions, aka SMGR-26896. | 6.0 |
2018-02-09 | CVE-2018-1298 | Apache | Improper Input Validation vulnerability in Apache Qpid Broker-J 7.0.0 A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. | 5.9 |
2018-02-09 | CVE-2018-1000028 | Linux | Improper Privilege Management vulnerability in Linux Kernel Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. | 5.8 |
2018-02-06 | CVE-2018-6656 | Zblogcn | Cross-Site Request Forgery (CSRF) vulnerability in Zblogcn Z-Blogphp 1.5.1 Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories. | 5.8 |
2018-02-09 | CVE-2017-0911 | Improper Authentication vulnerability in Twitter KIT Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. | 5.5 | |
2018-02-09 | CVE-2014-8171 | Linux Redhat | Resource Management Errors vulnerability in multiple products The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup. | 5.5 |
2018-02-09 | CVE-2018-6872 | GNU | Out-of-bounds Read vulnerability in GNU Binutils 2.30 The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment. | 5.5 |
2018-02-06 | CVE-2017-6201 | Sandstorm | Server-Side Request Forgery (SSRF) vulnerability in Sandstorm A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. | 5.5 |
2018-02-09 | CVE-2017-1000509 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 6.0.2 Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code. | 5.4 |
2018-02-09 | CVE-2018-1000060 | Sensu | Information Exposure Through Log Files vulnerability in Sensu Core Sensu, Inc. | 5.0 |
2018-02-09 | CVE-2018-1000052 | FMT | Use of Externally-Controlled Format String vulnerability in FMT fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service. | 5.0 |
2018-02-09 | CVE-2018-1000027 | Squid Cache Debian Canonical | NULL Pointer Dereference vulnerability in multiple products The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. | 5.0 |
2018-02-09 | CVE-2018-1000024 | Squid Cache Debian Canonical | The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. | 5.0 |
2018-02-09 | CVE-2018-1000023 | Insight Bitpay | Improper Input Validation vulnerability in Insight.Bitpay Insight-Api Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a CWE-20: input validation vulnerability in transaction broadcast endpoint that can result in Full Path Disclosure. | 5.0 |
2018-02-09 | CVE-2018-6871 | Libreoffice Debian Canonical Redhat | LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function. | 5.0 |
2018-02-08 | CVE-2018-6644 | Sblim Project | NULL Pointer Dereference vulnerability in Sblim Project Small Footprint CIM Broker 1.4.9 SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a null pointer (DoS) vulnerability via a crafted POST request to the /cimom URI. | 5.0 |
2018-02-08 | CVE-2018-6180 | Themashabrand | Improper Authentication vulnerability in Themashabrand Online Voting Platform 1.0 A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts. | 5.0 |
2018-02-08 | CVE-2012-3331 | IBM | Information Exposure vulnerability in IBM Sametime IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG.NSF. | 5.0 |
2018-02-08 | CVE-2018-6846 | Zblogcn | Information Exposure vulnerability in Zblogcn Z-Blogphp 1.5.1 Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via a direct request to zb_system/function/lib/upload.php. | 5.0 |
2018-02-08 | CVE-2018-0138 | Cisco | Protection Mechanism Failure vulnerability in Cisco Firepower Threat Defense A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass file policies that are configured to block files transmitted to an affected device via the BitTorrent protocol. | 5.0 |
2018-02-08 | CVE-2018-0137 | Cisco | Allocation of Resources Without Limits or Throttling vulnerability in Cisco Prime Network 4.3(0.0)Pp6/4.3(2.0)Pp1 A vulnerability in the TCP throttling process of Cisco Prime Network could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 5.0 |
2018-02-08 | CVE-2018-0134 | Cisco | Information Exposure Through Discrepancy vulnerability in Cisco Mobility Services Engine 13.0.0/13.1.0 A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. | 5.0 |
2018-02-08 | CVE-2018-0132 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Carrier Routing System 5.3.0.Rout A vulnerability in the forwarding information base (FIB) code of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause inconsistency between the routing information base (RIB) and the FIB, resulting in a denial of service (DoS) condition. | 5.0 |
2018-02-08 | CVE-2018-0127 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco Rv132W Firmware and Rv134W Firmware A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information. | 5.0 |
2018-02-07 | CVE-2018-6829 | Gnupg | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Gnupg Libgcrypt cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). | 5.0 |
2018-02-07 | CVE-2018-1388 | IBM | Information Exposure vulnerability in IBM Websphere MQ GSKit V7 may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding. | 5.0 |
2018-02-07 | CVE-2017-12473 | CCN Lite | Improper Input Validation vulnerability in Ccn-Lite ccnl_ccntlv_bytes2pkt in CCN-lite allows context-dependent attackers to cause a denial of service (application crash) via vectors involving packets with "wrong L values." | 5.0 |
2018-02-07 | CVE-2017-12467 | CCN Lite | Missing Release of Resource after Effective Lifetime vulnerability in Ccn-Lite Memory leak in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (memory consumption) by leveraging failure to allocate memory for the comp or complen structure member. | 5.0 |
2018-02-07 | CVE-2017-12464 | CCN Lite | NULL Pointer Dereference vulnerability in Ccn-Lite ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via vectors involving the keyfile variable. | 5.0 |
2018-02-07 | CVE-2017-12463 | CCN Lite | Missing Release of Resource after Effective Lifetime vulnerability in Ccn-Lite Memory leak in the ccnl_app_RX function in ccnl-uapi.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (memory consumption) via vectors involving an envelope_s structure pointer when the packet format is unknown. | 5.0 |
2018-02-07 | CVE-2018-6794 | Suricata IDS Debian | Protection Mechanism Failure vulnerability in multiple products Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. | 5.0 |
2018-02-07 | CVE-2018-6790 | KDE | Information Exposure vulnerability in KDE Plasma-Workspace An issue was discovered in KDE Plasma Workspace before 5.12.0. | 5.0 |
2018-02-06 | CVE-2018-6389 | Wordpress | Resource Exhaustion vulnerability in Wordpress In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. | 5.0 |
2018-02-05 | CVE-2018-6610 | Jlike Project | Information Exposure vulnerability in Jlike Project Jlike 1.0 Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request. | 5.0 |
2018-02-05 | CVE-2018-5794 | Extremewireless | Improper Authentication vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 5.0 |
2018-02-05 | CVE-2018-5789 | Extremewireless | XXE vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 5.0 |
2018-02-05 | CVE-2018-5788 | Extremewireless | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 5.0 |
2018-02-05 | CVE-2018-5787 | Extremenetworks | Out-of-bounds Write vulnerability in Extremenetworks Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 5.0 |
2018-02-05 | CVE-2018-6188 | Djangoproject Canonical | Information Exposure vulnerability in multiple products django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. | 5.0 |
2018-02-08 | CVE-2018-0123 | Cisco | Path Traversal vulnerability in Cisco IOS and IOS XE A Path Traversal vulnerability in the diagnostic shell for Cisco IOS and IOS XE Software could allow an authenticated, local attacker to use certain diagnostic shell commands that can overwrite system files. | 4.9 |
2018-02-09 | CVE-2018-1000041 | Gnome Debian | GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. | 4.3 |
2018-02-09 | CVE-2018-1000029 | Elsa Project | Cross-site Scripting vulnerability in Elsa Project Elsa 2Cc17F1 mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . | 4.3 |
2018-02-09 | CVE-2018-1000020 | Open EMR | Cross-site Scripting vulnerability in Open-Emr Openemr 5.0.0 OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . | 4.3 |
2018-02-09 | CVE-2017-1000508 | Invoiceplane | Cross-site Scripting vulnerability in Invoiceplane Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . | 4.3 |
2018-02-09 | CVE-2017-1000506 | Mautic | Cross-site Scripting vulnerability in Mautic Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of javascript code. | 4.3 |
2018-02-09 | CVE-2018-5307 | Sonatype | Cross-site Scripting vulnerability in Sonatype Nexus Repository Manager Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality. | 4.3 |
2018-02-09 | CVE-2018-5306 | Sonatype | Cross-site Scripting vulnerability in Sonatype Nexus Repository Manager Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality. | 4.3 |
2018-02-09 | CVE-2014-3219 | Fishshell Fedoraproject | Link Following vulnerability in multiple products fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER. | 4.3 |
2018-02-09 | CVE-2012-6347 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortidb Multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling in FortiGate FortiDB before 4.4.2 allow remote attackers to inject arbitrary web script or HTML via the conversationContext parameter to (1) admin/auditTrail.jsf, (2) mapolicymgmt/targetsMonitorView.jsf, (3) vascan/globalsummary.jsf, (4) vaerrorlog/vaErrorLog.jsf, (5) database/listTargetGroups.jsf, (6) sysconfig/listSystemInfo.jsf, (7) vascan/list.jsf, (8) network/router.jsf, (9) mapolicymgmt/editPolicyProfile.jsf, or (10) mapolicymgmt/maPolicyMasterList.jsf. | 4.3 |
2018-02-09 | CVE-2012-6346 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortiweb Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) redir or (2) mkey parameter to waf/pcre_expression/validate. | 4.3 |
2018-02-09 | CVE-2018-6876 | Imagemagick Libfpx Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as used in ImageMagick 7.0.7-22 Q16 and other products, allows remote attackers to cause a denial of service (stack-based buffer under-read) via a crafted bmp image. | 4.3 |
2018-02-09 | CVE-2018-1401 | IBM | Cross-site Scripting vulnerability in IBM Websphere Portal 8.0.0.0/8.5.0.0/9.0.0.0 IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. | 4.3 |
2018-02-09 | CVE-2017-1761 | IBM | Cross-site Scripting vulnerability in IBM Websphere Portal IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. | 4.3 |
2018-02-09 | CVE-2018-6869 | Zziplib Project Debian Canonical | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. | 4.3 |
2018-02-08 | CVE-2015-2329 | Woocommerce | Cross-site Scripting vulnerability in Woocommerce Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. | 4.3 |
2018-02-08 | CVE-2012-0941 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortios Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list. | 4.3 |
2018-02-08 | CVE-2017-6225 | Broadcom Brocade | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in the web-based management interface of Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow remote attackers to execute arbitrary code or access sensitive browser-based information. | 4.3 |
2018-02-08 | CVE-2018-5550 | Epson | Cross-site Scripting vulnerability in Epson Airprint Versions of Epson AirPrint released prior to January 19, 2018 contain a reflective cross-site scripting (XSS) vulnerability, which can allow untrusted users on the network to hijack a session cookie or perform other reflected XSS attacks on a currently logged-on user. | 4.3 |
2018-02-08 | CVE-2018-0513 | Mtssb MT Systems | Cross-site Scripting vulnerability in Mtssb.Mt-Systems Simple Booking Cross-site scripting vulnerability in MTS Simple Booking C, MTS Simple Booking Business version 1.28.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2018-02-08 | CVE-2018-6834 | Etherpad | Cross-site Scripting vulnerability in Etherpad Lite static/js/pad_utils.js in Etherpad Lite before v1.6.3 has XSS via window.location.href. | 4.3 |
2018-02-08 | CVE-2018-0129 | Cisco | Cross-site Scripting vulnerability in Cisco Data Center Analytics Framework 1.0 A vulnerability in the web-based management interface of Cisco Data Center Analytics Framework could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. | 4.3 |
2018-02-08 | CVE-2018-0128 | Cisco | Cross-site Scripting vulnerability in Cisco Data Center Analytics Framework A vulnerability in the web-based management interface of Cisco Data Center Analytics Framework could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. | 4.3 |
2018-02-07 | CVE-2017-15392 | Google Debian | Improper Input Validation vulnerability in multiple products Insufficient data validation in V8 in Google Chrome prior to 62.0.3202.62 allowed an attacker who can write to the Windows Registry to potentially exploit heap corruption via a crafted Windows Registry entry, related to PlatformIntegration. | 4.3 |
2018-02-07 | CVE-2018-6824 | Cozy | Cross-site Scripting vulnerability in Cozy 2.0 Cozy version 2 has XSS allowing remote attackers to obtain administrative access via JavaScript code in the url parameter to the /api/proxy URI, as demonstrated by an XMLHttpRequest call with an 'email:"[email protected]"' request, which can be followed by a password reset. | 4.3 |
2018-02-07 | CVE-2016-2541 | Audacityteam | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Audacityteam Audacity Audacity before 2.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted MP2 file. | 4.3 |
2018-02-07 | CVE-2016-2540 | Audacityteam | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Audacityteam Audacity Audacity before 2.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted FORMATCHUNK structure. | 4.3 |
2018-02-07 | CVE-2018-6806 | Marked 2 Project | Information Exposure vulnerability in Marked 2 Project Marked 2 Marked 2 through 2.5.11 allows remote attackers to read arbitrary files via a crafted HTML document that triggers a redirect to an x-marked://preview?text= URL. | 4.3 |
2018-02-07 | CVE-2018-6603 | Promise | Injection vulnerability in Promise Webpam Proe Promise Technology WebPam Pro-E devices allow remote attackers to conduct XSS, HTTP Response Splitting, and CRLF Injection attacks via JavaScript code in a PHPSESSID cookie. | 4.3 |
2018-02-06 | CVE-2018-6759 | GNU | Improper Input Validation vulnerability in GNU Binutils 2.30 The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. | 4.3 |
2018-02-06 | CVE-2016-7394 | Tiki | Cross-site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attackers steal user's cookie. | 4.3 |
2018-02-06 | CVE-2015-3618 | Nagios | Cross-site Scripting vulnerability in Nagios Business Process Intelligence Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php. | 4.3 |
2018-02-06 | CVE-2018-6291 | Kaspersky | Cross-site Scripting vulnerability in Kaspersky Secure Mail Gateway 1.1 WebConsole Cross-Site Scripting in Kaspersky Secure Mail Gateway version 1.1. | 4.3 |
2018-02-06 | CVE-2018-6469 | Flickrrss Project | Cross-site Scripting vulnerability in Flickrrss Project Flickrrss 5.3.1 A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_tags parameter to wp-admin/options-general.php. | 4.3 |
2018-02-06 | CVE-2018-6468 | Flickrrss Project | Cross-site Scripting vulnerability in Flickrrss Project Flickrrss 5.3.1 A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_id parameter to wp-admin/options-general.php. | 4.3 |
2018-02-06 | CVE-2018-6466 | Flickrrss Project | Cross-site Scripting vulnerability in Flickrrss Project Flickrrss 5.3.1 A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_set parameter to wp-admin/options-general.php. | 4.3 |
2018-02-06 | CVE-2017-6169 | F5 | Improper Input Validation vulnerability in F5 Big-Ip Policy Enforcement Manager In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virtual server using the URL categorization feature may cause the Traffic Management Microkernel (TMM) to produce a core file when it receives malformed URLs during categorization. | 4.3 |
2018-02-05 | CVE-2018-6621 | Ffmpeg Debian | Out-of-bounds Read vulnerability in multiple products The decode_frame function in libavcodec/utvideodec.c in FFmpeg through 3.2 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file. | 4.3 |
2018-02-05 | CVE-2018-5793 | Extremewireless | Out-of-bounds Write vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 4.3 |
2018-02-05 | CVE-2018-5792 | Extremewireless | Out-of-bounds Write vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 4.3 |
2018-02-05 | CVE-2018-5791 | Extremewireless | Out-of-bounds Write vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 4.3 |
2018-02-09 | CVE-2018-1000057 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Credentials Binding Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. | 4.0 |
2018-02-09 | CVE-2018-3600 | Trendmicro | XXE vulnerability in Trendmicro Control Manager 6.0 A external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations. | 4.0 |
2018-02-09 | CVE-2017-10690 | Puppet Redhat | Improper Privilege Management vulnerability in multiple products In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. | 4.0 |
2018-02-09 | CVE-2018-1052 | Postgresql | Information Exposure vulnerability in Postgresql 10.0/10.1 Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table. | 4.0 |
2018-02-08 | CVE-2017-7351 | Vanderbilt | SQL Injection vulnerability in Vanderbilt Redcap 7.0.0 A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload. | 4.0 |
2018-02-08 | CVE-2018-0135 | Cisco | Improper Input Validation vulnerability in Cisco Unified Communications Manager 11.0(1.24075.1) A vulnerability in Cisco Unified Communications Manager could allow an authenticated, remote attacker to access sensitive information on an affected system. | 4.0 |
2018-02-08 | CVE-2018-0120 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Manager 11.5(1.13900.52) A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct an SQL injection attack against an affected system. | 4.0 |
2018-02-07 | CVE-2017-1785 | IBM | Information Exposure vulnerability in IBM API Connect IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote user to modify query parameters to obtain sensitive information. | 4.0 |
2018-02-06 | CVE-2017-6200 | Sandstorm | Information Exposure vulnerability in Sandstorm Sandstorm before build 0.203 allows remote attackers to read any specified file under /etc or /run via the sandbox backup function. | 4.0 |
2018-02-06 | CVE-2013-4317 | Apache | Information Exposure vulnerability in Apache Cloudstack 4.1.0/4.1.1 In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own. | 4.0 |
2018-02-05 | CVE-2015-5674 | Freebsd | Improper Input Validation vulnerability in Freebsd 10.1/10.2/9.3 The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 before 10.2-RC2-p1, 10.2-RC1 before 10.2-RC1-p2, 10.2 before 10.2-BETA2-p3, and 10.1 before 10.1-RELEASE-p17 allows remote authenticated users to cause a denial of service (assertion failure and daemon exit) via a query from a network that is not directly connected. | 4.0 |
2018-02-05 | CVE-2015-4461 | Efrontlearning | Path Traversal vulnerability in Efrontlearning Efront Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and earlier allows remote Professor users to obtain sensitive information via a full pathname in the other parameter. | 4.0 |
2018-02-05 | CVE-2018-5795 | Extremewireless | Unspecified vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 4.0 |
20 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-02-09 | CVE-2018-1368 | IBM | Improper Privilege Management vulnerability in IBM Security Guardium Database Activity Monitor 9.0/9.1/9.5 IBM Security Guardium Database Activity Monitor 9.0, 9.1, and 9.5 could allow a local user with low privileges to view report pages and perform some actions that only an admin should be performing, so there is risk that someone not authorized can change things that they are not suppose to. | 3.6 |
2018-02-09 | CVE-2018-1000062 | Wondercms | Cross-site Scripting vulnerability in Wondercms 2.4.0 WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. | 3.5 |
2018-02-09 | CVE-2017-1000510 | Croogo | Cross-site Scripting vulnerability in Croogo 2.3.117G6F82E6C Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code. | 3.5 |
2018-02-09 | CVE-2017-1000507 | Cnvs | Cross-site Scripting vulnerability in Cnvs Canvas 3.4.2 Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of javascript code. | 3.5 |
2018-02-09 | CVE-2018-6878 | HOT Scripts Clone Project | Cross-site Scripting vulnerability in HOT Scripts Clone Project HOT Scripts Clone 3.1 Cross Site Scripting (XSS) exists in the review section in PHP Scripts Mall Hot Scripts Clone Script Classified 3.1 via the title or description field. | 3.5 |
2018-02-08 | CVE-2018-6844 | Mybb | Cross-site Scripting vulnerability in Mybb 1.8.14 MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen. | 3.5 |
2018-02-07 | CVE-2018-6796 | Multilanguage Real Estate MLM Script Project | Cross-site Scripting vulnerability in Multilanguage Real Estate MLM Script Project Multilanguage Real Estate MLM Script 3.0 PHP Scripts Mall Multilanguage Real Estate MLM Script 3.0 has Stored XSS via every profile input field. | 3.5 |
2018-02-07 | CVE-2018-6795 | Naukri Clone Script Project | Cross-site Scripting vulnerability in Naukri Clone Script Project Naukri Clone Script 3.0.3 PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via every profile input field. | 3.5 |
2018-02-07 | CVE-2018-6655 | Doctor Search Script Project | Cross-site Scripting vulnerability in Doctor Search Script Project Doctor Search Script 1.0.2 PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbitrary profile field. | 3.5 |
2018-02-07 | CVE-2018-1382 | IBM | Cross-site Scripting vulnerability in IBM API Connect IBM API Connect 5.0.0.0 is vulnerable to cross-site scripting. | 3.5 |
2018-02-06 | CVE-2015-3619 | Virtuemart | Cross-site Scripting vulnerability in Virtuemart Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in the VirtueMart component before 3.0.8 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors involving a "double encode combination of first_name, last_name and company." | 3.5 |
2018-02-09 | CVE-2018-1053 | Postgresql Debian Canonical Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. | 3.3 |
2018-02-08 | CVE-2018-1000030 | Python Canonical | Use After Free vulnerability in multiple products Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. | 3.3 |
2018-02-05 | CVE-2018-5797 | Extremenetworks | Use of Hard-coded Credentials vulnerability in Extremenetworks Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 3.3 |
2018-02-05 | CVE-2018-5790 | Extremewireless | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Extremewireless Wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. | 2.9 |
2018-02-09 | CVE-2018-1000022 | Electrum | Missing Authorization vulnerability in Electrum Bitcoin Wallet Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to version 3.0.5 contains a Missing Authorization vulnerability in JSONRPC interface that can result in Bitcoin theft, if the user's wallet is not password protected. | 2.6 |
2018-02-09 | CVE-2017-10689 | Puppet Canonical Redhat | Improper Privilege Management vulnerability in multiple products In previous versions of Puppet Agent it was possible to install a module with world writable permissions. | 2.1 |
2018-02-06 | CVE-2016-3954 | Web2Py | Information Exposure vulnerability in Web2Py web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. | 2.1 |
2018-02-06 | CVE-2016-3952 | Web2Py | Credentials Management vulnerability in Web2Py web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. | 2.1 |
2018-02-06 | CVE-2015-4400 | Ring | Credentials Management vulnerability in Ring Firmware Ring (formerly DoorBot) video doorbells allow remote attackers to obtain sensitive information about the wireless network configuration by pressing the set up button and leveraging an API in the GainSpan Wi-Fi module. | 2.1 |