Weekly Vulnerabilities Reports > March 19 to 25, 2018
Overview
265 new vulnerabilities reported during this period, including 23 critical vulnerabilities and 46 high severity vulnerabilities. This weekly summary report vulnerabilities in 221 products from 115 vendors including IBM, Debian, Gitlab, Windows Optimization Master Project, and Iobit. Vulnerabilities are notably categorized as "Improper Input Validation", "Cross-site Scripting", "Out-of-bounds Read", "Path Traversal", and "Cross-Site Request Forgery (CSRF)".
- 199 reported vulnerabilities are remotely exploitables.
- 16 reported vulnerabilities have public exploit available.
- 80 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 214 reported vulnerabilities are exploitable by an anonymous user.
- IBM has the most reported vulnerabilities, with 20 reported vulnerabilities.
- AMD has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
23 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-03-22 | CVE-2018-0541 | Tinyftp Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tinyftp Project Tinyftp 0.52 Buffer overflow in Tiny FTP Daemon Ver0.52d allows an attacker to cause a denial-of-service (DoS) condition or execute arbitrary code via unspecified vectors. | 10.0 |
2018-03-22 | CVE-2018-0539 | QQQ Systems Project | OS Command Injection vulnerability in QQQ Systems Project QQQ Systems 2.24 QQQ SYSTEMS version 2.24 allows an attacker to execute arbitrary commands via unspecified vectors. | 10.0 |
2018-03-20 | CVE-2018-5768 | Tendacn | Use of Hard-coded Credentials vulnerability in Tendacn Ac15 Firmware A remote, unauthenticated attacker can gain remote code execution on the the Tenda AC15 router with a specially crafted password parameter for the COOKIE header. | 10.0 |
2018-03-20 | CVE-2017-14002 | GE | Use of Hard-coded Credentials vulnerability in GE Infinia Hawkeye 4 Firmware GE Infinia/Infinia with Hawkeye 4 medical imaging systems all current versions are affected these devices use default or hard-coded credentials. | 10.0 |
2018-03-20 | CVE-2018-5770 | Tendacn | Insecure Default Initialization of Resource vulnerability in Tendacn Ac15 Firmware An issue was discovered on Tenda AC15 devices. | 10.0 |
2018-03-19 | CVE-2018-7445 | Mikrotik | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. | 10.0 |
2018-03-19 | CVE-2018-5551 | Docutracinc | Use of Hard-coded Credentials vulnerability in Docutracinc Dtisqlinstaller Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contain three credentials with known passwords: QDMaster, OTMaster, and sa. | 10.0 |
2018-03-24 | CVE-2018-8967 | Zzcms | SQL Injection vulnerability in Zzcms 8.2 An issue was discovered in zzcms 8.2. | 9.8 |
2018-03-23 | CVE-2018-1000140 | Rsyslog Debian Canonical Redhat | Out-of-bounds Write vulnerability in multiple products rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. | 9.8 |
2018-03-20 | CVE-2018-8088 | QOS Redhat Oracle | org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. | 9.8 |
2018-03-23 | CVE-2017-15325 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei products The Bdat driver of Prague smart phones with software versions earlier than Prague-AL00AC00B211, versions earlier than Prague-AL00BC00B211, versions earlier than Prague-AL00CC00B211, versions earlier than Prague-TL00AC01B211, versions earlier than Prague-TL10AC01B211 has integer overflow vulnerability due to the lack of parameter validation. | 9.3 |
2018-03-22 | CVE-2018-5504 | F5 | Unspecified vulnerability in F5 products In some circumstances, the Traffic Management Microkernel (TMM) does not properly handle certain malformed Websockets requests/responses, which allows remote attackers to cause a denial-of-service (DoS) or possible remote code execution on the F5 BIG-IP system running versions 13.0.0 - 13.1.0.3 or 12.1.0 - 12.1.3.1. | 9.3 |
2018-03-22 | CVE-2018-8936 | AMD | Unspecified vulnerability in AMD products The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chips allow Platform Security Processor (PSP) privilege escalation. | 9.3 |
2018-03-22 | CVE-2018-8935 | AMD | Unspecified vulnerability in AMD Ryzen Firmware and Ryzen PRO Firmware The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, has a backdoor in the ASIC, aka CHIMERA-HW. | 9.3 |
2018-03-22 | CVE-2018-8934 | AMD | Unspecified vulnerability in AMD Ryzen Firmware and Ryzen PRO Firmware The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, has a backdoor in firmware, aka CHIMERA-FW. | 9.3 |
2018-03-22 | CVE-2018-8933 | AMD | Incorrect Permission Assignment for Critical Resource vulnerability in AMD Epyc Server Firmware The AMD EPYC Server processor chips have insufficient access control for protected memory regions, aka FALLOUT-1, FALLOUT-2, and FALLOUT-3. | 9.3 |
2018-03-22 | CVE-2018-8932 | AMD | Incorrect Permission Assignment for Critical Resource vulnerability in AMD Ryzen Firmware and Ryzen PRO Firmware The AMD Ryzen and Ryzen Pro processor chips have insufficient access control for the Secure Processor, aka RYZENFALL-2, RYZENFALL-3, and RYZENFALL-4. | 9.3 |
2018-03-22 | CVE-2018-8931 | AMD | Incorrect Permission Assignment for Critical Resource vulnerability in AMD products The AMD Ryzen, Ryzen Pro, and Ryzen Mobile processor chips have insufficient access control for the Secure Processor, aka RYZENFALL-1. | 9.3 |
2018-03-22 | CVE-2018-8930 | AMD | Unspecified vulnerability in AMD products The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chips have insufficient enforcement of Hardware Validated Boot, aka MASTERKEY-1, MASTERKEY-2, and MASTERKEY-3. | 9.3 |
2018-03-20 | CVE-2017-17320 | Huawei | Double Free vulnerability in Huawei Mate 9 PRO Firmware Lonal00Bc00B139D/Lonal00Bc00B229/Lonl29Dc721B188 Huawei Mate 9 Pro smartphones with software of LON-AL00BC00B139D, LON-AL00BC00B229, LON-L29DC721B188 have a memory double free vulnerability. | 9.3 |
2018-03-22 | CVE-2017-0935 | UI | Improper Privilege Management vulnerability in UI Edgeos 1.9.1/1.9.1.1 Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. | 9.0 |
2018-03-22 | CVE-2017-0934 | Ubnt | Improper Privilege Management vulnerability in Ubnt Edgeos Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. | 9.0 |
2018-03-22 | CVE-2017-0932 | Ubnt | Improper Privilege Management vulnerability in Ubnt Edgeos Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of validation on the input of the Feature functionality. | 9.0 |
46 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-03-25 | CVE-2018-8817 | Wampserver | Cross-Site Request Forgery (CSRF) vulnerability in Wampserver Wampserver before 3.1.3 has CSRF in add_vhost.php. | 8.8 |
2018-03-25 | CVE-2018-9009 | Libming Debian | Use After Free vulnerability in multiple products In libming 0.4.8, there is a use-after-free in the decompileJUMP function of the decompile.c file. | 8.8 |
2018-03-24 | CVE-2017-17751 | Bose | Unspecified vulnerability in Bose Soundtouch Bose SoundTouch devices allows remote attackers to achieve remote control via a crafted web site that uses the WebSocket Protocol. | 8.8 |
2018-03-22 | CVE-2018-8905 | Libtiff Debian Canonical Redhat | Out-of-bounds Write vulnerability in multiple products In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. | 8.8 |
2018-03-21 | CVE-2018-1345 | Netiq | Unspecified vulnerability in Netiq Imanager 2.7.7 NetIQ iManager, versions prior to 3.1, under some circumstances could be susceptible to an elevation of privilege attack. | 8.8 |
2018-03-20 | CVE-2011-3178 | Opensuse | Code Injection vulnerability in Opensuse Open Build Service In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode. | 8.8 |
2018-03-20 | CVE-2018-8811 | Alkacon | Cross-Site Request Forgery (CSRF) vulnerability in Alkacon Opencms 10.5.3 Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. | 8.8 |
2018-03-21 | CVE-2018-1344 | Netiq | Unspecified vulnerability in Netiq Imanager 2.7.7 Addresses potential communication downgrade attack in NetIQ iManager versions prior to 3.1 | 8.6 |
2018-03-22 | CVE-2017-0933 | Ubnt | Cross-Site Request Forgery (CSRF) vulnerability in Ubnt Edgeos Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from a Cross-Site Request Forgery (CSRF) vulnerability. | 8.5 |
2018-03-22 | CVE-2018-5509 | F5 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP versions 13.0.0 or 12.1.0 - 12.1.3.1, when a specifically configured virtual server receives traffic of an undisclosed nature, TMM will crash and take the configured failover action, potentially causing a denial of service. | 7.8 |
2018-03-21 | CVE-2018-3710 | Gitlab Debian | Path Traversal vulnerability in multiple products Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution. | 7.8 |
2018-03-20 | CVE-2018-8822 | Linux Canonical Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code. | 7.8 |
2018-03-20 | CVE-2018-5717 | NCR | Out-of-bounds Write vulnerability in NCR S2 Dispenser Controller Firmware Memory write mechanism in NCR S2 Dispenser controller before firmware version 0x0108 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities. | 7.8 |
2018-03-20 | CVE-2017-17668 | NCR | Incorrect Authorization vulnerability in NCR S1 Dispenser Controller Firmware Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities. | 7.8 |
2018-03-24 | CVE-2018-8971 | Gitlab Debian | Improper Input Validation vulnerability in Gitlab The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users. | 7.5 |
2018-03-24 | CVE-2018-8969 | Zzcms | Path Traversal vulnerability in Zzcms 8.2 An issue was discovered in zzcms 8.2. | 7.5 |
2018-03-24 | CVE-2018-8968 | Zzcms | Path Traversal vulnerability in Zzcms 8.2 An issue was discovered in zzcms 8.2. | 7.5 |
2018-03-24 | CVE-2018-8966 | Zzcms | Code Injection vulnerability in Zzcms 8.2 An issue was discovered in zzcms 8.2. | 7.5 |
2018-03-24 | CVE-2018-8965 | Zzcms | Path Traversal vulnerability in Zzcms 8.2 An issue was discovered in zzcms 8.2. | 7.5 |
2018-03-23 | CVE-2018-1000141 | I Librarian | Improper Privilege Management vulnerability in I-Librarian I Librarian I, Librarian version 4.9 and earlier contains an Incorrect Access Control vulnerability in ajaxdiscussion.php that can result in any users gaining unauthorized access (read, write and delete) to project discussions. | 7.5 |
2018-03-23 | CVE-2017-17736 | Kentico | Forced Browsing vulnerability in Kentico CMS Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard. | 7.5 |
2018-03-23 | CVE-2018-1207 | Dell | Code Injection vulnerability in Dell EMC Idrac7 and EMC Idrac8 Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. | 7.5 |
2018-03-22 | CVE-2018-8944 | Phpok | Unrestricted Upload of File with Dangerous Type vulnerability in PHPok 4.8.338 PHPOK 4.8.338 has an arbitrary file upload vulnerability. | 7.5 |
2018-03-22 | CVE-2018-8943 | Phpshe | SQL Injection vulnerability in PHPshe 1.6 There is a SQL injection in the PHPSHE 1.6 userbank parameter. | 7.5 |
2018-03-22 | CVE-2018-7532 | Geutebrueck | Improper Authentication vulnerability in Geutebrueck G-Cam/Efd-2250 Firmware and Topfd-2125 Firmware Unauthentication vulnerabilities have been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow remote code execution. | 7.5 |
2018-03-22 | CVE-2018-7520 | Geutebrueck | Improper Access Control vulnerability in Geutebrueck G-Cam/Efd-2250 Firmware and Topfd-2125 Firmware An improper access control vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could allow a full configuration download, including passwords. | 7.5 |
2018-03-22 | CVE-2018-7516 | Geutebrueck | Server-Side Request Forgery (SSRF) vulnerability in Geutebrueck G-Cam/Efd-2250 Firmware and Topfd-2125 Firmware A server-side request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could lead to proxied network scans. | 7.5 |
2018-03-22 | CVE-2017-1789 | IBM | Code Injection vulnerability in IBM Tivoli Monitoring IBM Tivoli Monitoring V6 6.2.3 and 6.3.0 could allow an unauthenticated user to remotely execute code through unspecified methods. | 7.5 |
2018-03-22 | CVE-2014-4912 | Frog CMS Project | Unrestricted Upload of File with Dangerous Type vulnerability in Frog CMS Project Frog CMS 0.9.5 An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation. | 7.5 |
2018-03-21 | CVE-2017-0916 | Gitlab Debian | Improper Input Validation vulnerability in Gitlab Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution. | 7.5 |
2018-03-21 | CVE-2017-0915 | Gitlab Debian | Improper Input Validation vulnerability in Gitlab Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution. | 7.5 |
2018-03-21 | CVE-2018-8073 | Yiiframework | Code Injection vulnerability in Yiiframework YII Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | 7.5 |
2018-03-21 | CVE-2018-7269 | Yiiframework | SQL Injection vulnerability in Yiiframework YII The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | 7.5 |
2018-03-21 | CVE-2018-1346 | Netiq | Unspecified vulnerability in Netiq Edirectory Addresses denial of service attack to eDirectory versions prior to 9.1. | 7.5 |
2018-03-20 | CVE-2014-3990 | Opencart | Server-Side Request Forgery (SSRF) vulnerability in Opencart The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. | 7.5 |
2018-03-20 | CVE-2018-8828 | Kamailio Debian | Off-by-one Error vulnerability in multiple products A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. | 7.5 |
2018-03-20 | CVE-2017-14008 | GE | Use of Hard-coded Credentials vulnerability in GE Centricity Pacs Ra1000 GE Centricity PACS RA1000, diagnostic image analysis, all current versions are affected these devices use default or hard-coded credentials. | 7.5 |
2018-03-20 | CVE-2017-14006 | GE | Use of Hard-coded Credentials vulnerability in GE Xeleris GE Xeleris versions 1.0,1.1,2.1,3.0,3.1, medical imaging systems, all current versions are affected, these devices use default or hard-coded credentials. | 7.5 |
2018-03-20 | CVE-2017-14004 | GE | Use of Hard-coded Credentials vulnerability in GE Gemnet License Server GE GEMNet License server (EchoServer) all current versions are affected these devices use default or hard-coded credentials. | 7.5 |
2018-03-20 | CVE-2017-8176 | Huawei | Unspecified vulnerability in Huawei Iptv STB Firmware Huawei IPTV STB with earlier than IPTV STB V100R003C01LMYTa6SPC001 versions has an authentication bypass vulnerability. | 7.5 |
2018-03-19 | CVE-2018-7262 | Redhat Fedoraproject | NULL Pointer Dereference vulnerability in multiple products In Ceph before 12.2.3 and 13.x through 13.0.1, the rgw_civetweb.cc RGWCivetWeb::init_env function in radosgw doesn't handle malformed HTTP headers properly, allowing for denial of service. | 7.5 |
2018-03-19 | CVE-2014-2652 | Unify | SQL Injection vulnerability in Unify Openscape Deployment Service 7.0 SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2018-03-23 | CVE-2018-7502 | Beckhoff | Improper Input Validation vulnerability in Beckhoff Twincat and Twincat C++ Kernel drivers in Beckhoff TwinCAT 3.1 Build 4022.4, TwinCAT 2.11 R3 2259, and TwinCAT 3.1 lack proper validation of user-supplied pointer values. | 7.2 |
2018-03-20 | CVE-2017-5736 | Intel | Improper Privilege Management vulnerability in Intel Software Guard Extensions Platform Software Component An elevation of privilege in Intel Software Guard Extensions Platform Software Component before 1.9.105.42329 allows a local attacker to execute arbitrary code as administrator. | 7.2 |
2018-03-20 | CVE-2017-17319 | Huawei | Information Exposure vulnerability in Huawei P9 Firmware Huawei P9 smartphones with the versions before EVA-AL10C00B399SP02 have an information disclosure vulnerability. | 7.1 |
2018-03-20 | CVE-2018-8821 | Jungo | Improper Input Validation vulnerability in Jungo Windriver windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a crafted .exe file. | 7.1 |
167 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-03-19 | CVE-2018-1171 | Joyent Oracle | Out-of-bounds Write vulnerability in multiple products This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. | 6.9 |
2018-03-25 | CVE-2018-8979 | Open Audit | Cross-Site Request Forgery (CSRF) vulnerability in Open-Audit 2.1 Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI. | 6.8 |
2018-03-24 | CVE-2018-8972 | Creditwestbank | Cross-Site Request Forgery (CSRF) vulnerability in Creditwestbank Cwcms Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters. | 6.8 |
2018-03-23 | CVE-2018-8960 | Imagemagick Canonical | Out-of-bounds Read vulnerability in multiple products The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q16 does not properly restrict memory allocation, leading to a heap-based buffer over-read. | 6.8 |
2018-03-23 | CVE-2018-1000137 | I Librarian | Cross-Site Request Forgery (CSRF) vulnerability in I-Librarian I Librarian I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. | 6.8 |
2018-03-23 | CVE-2018-1000136 | Electronjs | Improper Input Validation vulnerability in Electronjs Electron Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. | 6.8 |
2018-03-22 | CVE-2018-7524 | Geutebrueck | Cross-Site Request Forgery (CSRF) vulnerability in Geutebrueck G-Cam/Efd-2250 Firmware and Topfd-2125 Firmware A cross-site request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an unauthorized user to be added to the system. | 6.8 |
2018-03-22 | CVE-2017-16242 | Meco | Improper Authentication vulnerability in Meco USB Memory Stick With Fingerprint Firwmare An issue was discovered on MECO USB Memory Stick with Fingerprint MECOZiolsamDE601 devices. | 6.8 |
2018-03-22 | CVE-2018-0552 | Securebrain | Untrusted Search Path vulnerability in Securebrain Phishwall Client Untrusted search path vulnerability in The installer of PhishWall Client Firefox and Chrome edition for Windows Ver. | 6.8 |
2018-03-22 | CVE-2018-0540 | VIX Project | Untrusted Search Path vulnerability in VIX Project VIX 2.21.148.0 Untrusted search path vulnerability in ViX version 2.21.148.0 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2018-03-21 | CVE-2018-1230 | Pivotal Software | Cross-Site Request Forgery (CSRF) vulnerability in Pivotal Software Spring Batch Admin Pivotal Spring Batch Admin, all versions, does not contain cross site request forgery protection. | 6.8 |
2018-03-21 | CVE-2018-8074 | Yiiframework | Code Injection vulnerability in Yiiframework YII Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | 6.8 |
2018-03-20 | CVE-2018-8881 | Nasm Canonical | Out-of-bounds Read vulnerability in multiple products Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read in the function tokenize in asm/preproc.c, related to an unterminated string. | 6.8 |
2018-03-20 | CVE-2014-1457 | Openwebanalytics | Cross-Site Request Forgery (CSRF) vulnerability in Openwebanalytics Open web Analytics Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. | 6.8 |
2018-03-20 | CVE-2018-7511 | Eaton | Improper Input Validation vulnerability in Eaton Elcsoft 1.00.08/2.4.01 In Eaton ELCSoft versions 2.04.02 and prior, there are multiple cases where specially crafted files could cause a buffer overflow which, in turn, may allow remote execution of arbitrary code. | 6.8 |
2018-03-20 | CVE-2018-8804 | Imagemagick Canonical | Double Free vulnerability in multiple products WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file. | 6.8 |
2018-03-19 | CVE-2014-2550 | Disable Comments | Cross-Site Request Forgery (CSRF) vulnerability in Disable Comments Disable Comments Project Cross-site request forgery (CSRF) vulnerability in the Disable Comments plugin before 1.0.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that enable comments via a request to the disable_comments_settings page to wp-admin/options-general.php. | 6.8 |
2018-03-19 | CVE-2014-2274 | Subscribe TO Comments Reloaded Project | Cross-Site Request Forgery (CSRF) vulnerability in Subscribe TO Comments Reloaded Project Subscribe TO Comments Reloaded Cross-site request forgery (CSRF) vulnerability in the Subscribe To Comments Reloaded plugin before 140219 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via a request to the subscribe-to-comments-reloaded/options/index.php page to wp-admin/admin.php. | 6.8 |
2018-03-20 | CVE-2018-4844 | Siemens | Improper Privilege Management vulnerability in Siemens Simatic Wincc OA UI A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). | 6.7 |
2018-03-25 | CVE-2018-9018 | Graphicsmagick Debian | Divide By Zero vulnerability in multiple products In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. | 6.5 |
2018-03-25 | CVE-2018-8976 | Exiv2 Debian Redhat | Out-of-bounds Read vulnerability in multiple products In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file. | 6.5 |
2018-03-22 | CVE-2017-16772 | Synology | Improper Input Validation vulnerability in Synology Photo Station Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter. | 6.5 |
2018-03-22 | CVE-2018-5225 | Atlassian | Link Following vulnerability in Atlassian Bitbucket In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository. | 6.5 |
2018-03-22 | CVE-2017-17743 | Ucopia | Improper Authentication vulnerability in Ucopia Wireless Appliance Firmware Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices before 4.4.20, 5.0.x before 5.0.19, and 5.1.x before 5.1.11 allows authenticated remote attackers to escape the shell and escalate their privileges by uploading a .bashrc file containing the /bin/sh string. | 6.5 |
2018-03-21 | CVE-2017-0926 | Gitlab Debian | Incorrect Authorization vulnerability in Gitlab Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. | 6.5 |
2018-03-21 | CVE-2017-0918 | Gitlab Debian | Path Traversal vulnerability in Gitlab Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution. | 6.5 |
2018-03-20 | CVE-2014-4928 | Invisionpower Invisioncommunity | SQL Injection vulnerability in Invisioncommunity Invision Power Board SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter. | 6.5 |
2018-03-20 | CVE-2018-1321 | Apache | Improper Input Validation vulnerability in Apache Syncope An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution. | 6.5 |
2018-03-20 | CVE-2017-8187 | Huawei | Improper Privilege Management vulnerability in Huawei Fusionsphere Openstack Firmware V100R006C00Spc102(Nfv) Huawei FusionSphere OpenStack V100R006C00SPC102(NFV) has a privilege escalation vulnerability. | 6.5 |
2018-03-20 | CVE-2017-17215 | Huawei | Improper Input Validation vulnerability in Huawei Hg532 Firmware Huawei HG532 with some customized versions has a remote code execution vulnerability. | 6.5 |
2018-03-20 | CVE-2018-4843 | Siemens | Improper Input Validation vulnerability in Siemens products A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 414F-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 416-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 416F-3 PN/DP V7 (All versions < V7.0.3), SIMATIC CP 343-1 (incl. | 6.5 |
2018-03-19 | CVE-2018-1195 | Cloudfoundry | Insufficient Session Expiration vulnerability in Cloudfoundry Cf-Release In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. | 6.5 |
2018-03-19 | CVE-2018-6843 | Kentico | SQL Injection vulnerability in Kentico CMS Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface. | 6.5 |
2018-03-23 | CVE-2018-1000138 | I Librarian | Server-Side Request Forgery (SSRF) vulnerability in I-Librarian I Librarian I, Librarian version 4.8 and earlier contains a SSRF vulnerability in "url" parameter of getFromWeb in functions.php that can result in the attacker abusing functionality on the server to read or update internal resources. | 6.4 |
2018-03-22 | CVE-2018-7528 | Geutebrueck | SQL Injection vulnerability in Geutebrueck G-Cam/Efd-2250 Firmware and Topfd-2125 Firmware An SQL injection vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an attacker to alter stored data. | 6.4 |
2018-03-22 | CVE-2018-1426 | IBM Linux Microsoft | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in IBM DB2 IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. | 6.4 |
2018-03-25 | CVE-2018-9007 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060c4. | 6.1 |
2018-03-25 | CVE-2018-9006 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402004. | 6.1 |
2018-03-25 | CVE-2018-9005 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060d0. | 6.1 |
2018-03-25 | CVE-2018-9004 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060d0. | 6.1 |
2018-03-25 | CVE-2018-9003 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402000. | 6.1 |
2018-03-25 | CVE-2018-9002 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060cc. | 6.1 |
2018-03-25 | CVE-2018-9001 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402000. | 6.1 |
2018-03-25 | CVE-2018-9000 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402004. | 6.1 |
2018-03-25 | CVE-2018-8999 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060c4. | 6.1 |
2018-03-25 | CVE-2018-8998 | Iobit | Improper Input Validation vulnerability in Iobit Advanced Systemcare Ultimate 11.0.1.58 In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060cc. | 6.1 |
2018-03-25 | CVE-2018-8997 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002004. | 6.1 |
2018-03-25 | CVE-2018-8996 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002007. | 6.1 |
2018-03-25 | CVE-2018-8995 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002002. | 6.1 |
2018-03-25 | CVE-2018-8994 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002003. | 6.1 |
2018-03-25 | CVE-2018-8993 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002001. | 6.1 |
2018-03-25 | CVE-2018-8992 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002005. | 6.1 |
2018-03-25 | CVE-2018-8991 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002009. | 6.1 |
2018-03-25 | CVE-2018-8990 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002010. | 6.1 |
2018-03-25 | CVE-2018-8989 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002006. | 6.1 |
2018-03-25 | CVE-2018-8988 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002008. | 6.1 |
2018-03-22 | CVE-2018-8904 | Windows Optimization Master Project | Improper Input Validation vulnerability in Windows Optimization Master Project Windows Optimization Master 7.99.13.604 In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002000. | 6.1 |
2018-03-22 | CVE-2018-8896 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00222044. | 6.1 |
2018-03-22 | CVE-2018-8895 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00222040. | 6.1 |
2018-03-22 | CVE-2018-8894 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345BdPcSafe.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00222108. | 6.1 |
2018-03-21 | CVE-2018-1347 | Netiq | Cross-site Scripting vulnerability in Netiq Imanager 2.7.7 The administrative web interface in NetIQ iManager, versions prior to 3.1, are vulnerable to reflected cross site scripting. | 6.1 |
2018-03-20 | CVE-2018-8876 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00222098. | 6.1 |
2018-03-20 | CVE-2018-8875 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x0022209c. | 6.1 |
2018-03-20 | CVE-2018-8874 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00222054. | 6.1 |
2018-03-20 | CVE-2018-8873 | 2345 Security Guard Project | Improper Input Validation vulnerability in 2345 Security Guard Project 2345 Security Guard 3.6 In 2345 Security Guard 3.6, the driver file (2345NetFirewall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00222040. | 6.1 |
2018-03-19 | CVE-2018-1197 | Pivotal Software | Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Windows Stemcells In Windows Stemcells versions prior to 1200.14, apps running inside containers in Windows on Google Cloud Platform are able to access the metadata endpoint. | 6.0 |
2018-03-19 | CVE-2014-4024 | F5 | Information Exposure vulnerability in F5 products SSL virtual servers in F5 BIG-IP systems 10.x before 10.2.4 HF9, 11.x before 11.2.1 HF12, 11.3.0 before HF10, 11.4.0 before HF8, 11.4.1 before HF5, 11.5.0 before HF5, and 11.5.1 before HF5, when used with third-party Secure Sockets Layer (SSL) accelerator cards, might allow remote attackers to have unspecified impact via a timing side-channel attack. | 5.9 |
2018-03-24 | CVE-2018-8970 | Openbsd | Improper Certificate Validation vulnerability in Openbsd Libressl 2.7.0 The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.8 |
2018-03-19 | CVE-2014-2675 | WP Html Sitemap Project | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Html-Sitemap Project Wp-Html-Sitemap 1.2 Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in wp-admin/options-general.php. | 5.8 |
2018-03-25 | CVE-2018-8975 | Netpbm Project | Out-of-bounds Read vulnerability in Netpbm Project Netpbm The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask. | 5.5 |
2018-03-23 | CVE-2018-8949 | Misp Project | Exposed Dangerous Method or Function vulnerability in Misp-Project Misp An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. | 5.5 |
2018-03-19 | CVE-2018-1221 | Cloudfoundry | Improper Input Validation vulnerability in Cloudfoundry Cf-Deployment In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. | 5.5 |
2018-03-24 | CVE-2017-17750 | Bose | Cross-site Scripting vulnerability in Bose Soundtouch Bose SoundTouch devices allow XSS via a crafted public playlist from Spotify. | 5.4 |
2018-03-24 | CVE-2017-17749 | Bose | Cross-site Scripting vulnerability in Bose Soundtouch Bose SoundTouch devices allow XSS via crafted song data from a music service, as demonstrated by Pandora. | 5.4 |
2018-03-19 | CVE-2018-8732 | Wampserver | Cross-site Scripting vulnerability in Wampserver 3.1.1 Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the virtual_del parameter. | 5.4 |
2018-03-25 | CVE-2018-9014 | Dsmall Project | Information Exposure vulnerability in Dsmall Project Dsmall 20180320 dsmall v20180320 allows physical path leakage via a public/index.php/home/predeposit/index.html?pdr_sn= request. | 5.0 |
2018-03-25 | CVE-2018-8947 | Laravel LOG Viewer Project | Cleartext Storage of Sensitive Information vulnerability in Laravel LOG Viewer Project Laravel LOG Viewer rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request. | 5.0 |
2018-03-25 | CVE-2018-7719 | Acrolinx Microsoft | Path Traversal vulnerability in Acrolinx Server Acrolinx Server before 5.2.5 on Windows allows Directory Traversal. | 5.0 |
2018-03-23 | CVE-2018-1211 | Dell | Path Traversal vulnerability in Dell EMC Idrac7 and EMC Idrac8 Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. | 5.0 |
2018-03-22 | CVE-2018-5503 | F5 | Improper Input Validation vulnerability in F5 Big-Ip Policy Enforcement Manager On F5 BIG-IP versions 13.0.0 - 13.1.0.3 or 12.0.0 - 12.1.3.1, TMM may restart when processing a specifically crafted page through a virtual server with an associated PEM policy that has content insertion as an action. | 5.0 |
2018-03-22 | CVE-2018-5502 | F5 | Improper Certificate Validation vulnerability in F5 products On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client certificate. | 5.0 |
2018-03-22 | CVE-2018-0542 | Webproxy Project | Path Traversal vulnerability in Webproxy Project Webproxy 1.7.8 Directory traversal vulnerability in WebProxy version 1.7.8 allows an attacker to read arbitrary files via unspecified vectors. | 5.0 |
2018-03-22 | CVE-2017-1788 | IBM | Unspecified vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 9 installations using Form Login could allow a remote attacker to conduct spoofing attacks. | 5.0 |
2018-03-22 | CVE-2016-9711 | IBM | Information Exposure vulnerability in IBM Cognos Analytics 11.0.0 IBM Predictive Solutions Foundation (IBM Cognos Analytics 11.0) reveals sensitive information in detailed error messages that could aid an attacker in further attacks against the system. | 5.0 |
2018-03-22 | CVE-2018-8909 | Wire | Path Traversal vulnerability in Wire The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala. | 5.0 |
2018-03-21 | CVE-2017-0922 | Gitlab | Incorrect Authorization vulnerability in Gitlab Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object. | 5.0 |
2018-03-21 | CVE-2017-0914 | Gitlab | SQL Injection vulnerability in Gitlab Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2.4 are vulnerable to a SQL injection in the MilestoneFinder component resulting in disclosure of all data in a GitLab instance's database. | 5.0 |
2018-03-20 | CVE-2018-1294 | Apache | Improper Input Validation vulnerability in Apache Commons Email If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. | 5.0 |
2018-03-20 | CVE-2018-1000135 | Gnome Canonical | Information Exposure vulnerability in multiple products GNOME NetworkManager version 1.10.2 and earlier contains a Information Exposure (CWE-200) vulnerability in DNS resolver that can result in Private DNS queries leaked to local network's DNS servers, while on VPN. | 5.0 |
2018-03-19 | CVE-2014-2674 | Ajax Pagination Project | Path Traversal vulnerability in Ajax-Pagination Project Ajax-Pagination 1.1 Directory traversal vulnerability in the Ajax Pagination (twitter Style) plugin 1.1 for WordPress allows remote attackers to read arbitrary files via a .. | 5.0 |
2018-03-19 | CVE-2018-1218 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell EMC Networker In Dell EMC NetWorker versions prior to 9.2.1.1, versions prior to 9.1.1.6, 9.0.x, and versions prior to 8.2.4.11, the 'nsrd' daemon causes a buffer overflow condition when handling certain messages. | 5.0 |
2018-03-19 | CVE-2018-8761 | Yxcms | Unspecified vulnerability in Yxcms 1.4.7 protected\apps\member\controller\shopcarController.php in Yxcms building system (compatible cell phone) v1.4.7 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture. | 5.0 |
2018-03-19 | CVE-2018-7422 | Siteeditor | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Siteeditor Site Editor 1.0.0/1.1.0/1.1.1 A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal. | 5.0 |
2018-03-19 | CVE-2015-5350 | Cloudfoundry | Improper Access Control vulnerability in Cloudfoundry Garden 0.22.0/0.329.0 In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. | 5.0 |
2018-03-19 | CVE-2014-3626 | Grails | Path Traversal vulnerability in Grails Resources The Grails Resource Plugin often has to exchange URIs for resources with other internal components. | 5.0 |
2018-03-21 | CVE-2017-18241 | Linux Debian Canonical | NULL Pointer Dereference vulnerability in Linux Kernel fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure. | 4.9 |
2018-03-19 | CVE-2017-18240 | Collectd | Improper Input Validation vulnerability in Collectd The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL (when the service is stopped). | 4.9 |
2018-03-22 | CVE-2018-5349 | Heimdalsecurity | Incorrect Permission Assignment for Critical Resource vulnerability in Heimdalsecurity Heimdal 2.2.190 A vulnerability has been found in Heimdal PRO v2.2.190, but it is most likely also present in Heimdal FREE and Heimdal CORP. | 4.6 |
2018-03-22 | CVE-2017-1677 | IBM Linux Microsoft | Deserialization of Untrusted Data vulnerability in IBM DB2 IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. | 4.6 |
2018-03-21 | CVE-2016-10717 | Malwarebytes | 7PK - Security Features vulnerability in Malwarebytes Anti-Malware 2.2.1 A vulnerability in the encryption and permission implementation of Malwarebytes Anti-Malware consumer version 2.2.1 and prior (fixed in 3.0.4) allows an attacker to take control of the whitelisting feature (exclusions.dat under %SYSTEMDRIVE%\ProgramData) to permit execution of unauthorized applications including malware and malicious websites. | 4.6 |
2018-03-21 | CVE-2018-7525 | Omron | NULL Pointer Dereference vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, processing a malformed packet by a certain executable may cause an untrusted pointer dereference vulnerability. | 4.6 |
2018-03-21 | CVE-2018-7523 | Omron | Double Free vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed project files may cause a double free vulnerability. | 4.6 |
2018-03-21 | CVE-2018-7521 | Omron | Use After Free vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, use after free vulnerabilities can be exploited when CX Supervisor parses a specially crafted project file. | 4.6 |
2018-03-21 | CVE-2018-7519 | Omron | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed project files may cause a heap-based buffer overflow. | 4.6 |
2018-03-21 | CVE-2018-7517 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed project files may cause an out of bounds vulnerability. | 4.6 |
2018-03-21 | CVE-2018-7515 | Omron | NULL Pointer Dereference vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, access of uninitialized pointer vulnerabilities can be exploited when CX Supervisor indirectly calls an initialized pointer when parsing malformed packets. | 4.6 |
2018-03-21 | CVE-2018-7513 | Omron | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Omron Cx-Supervisor 3.5 In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed project files may cause a stack-based buffer overflow. | 4.6 |
2018-03-20 | CVE-2018-8883 | Nasm | Out-of-bounds Read vulnerability in Nasm Netwide Assembler 2.13.02 Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the parse_line function in asm/parser.c via uncontrolled access to nasm_reg_flags. | 4.6 |
2018-03-20 | CVE-2018-8882 | Nasm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nasm Netwide Assembler 2.13.02 Netwide Assembler (NASM) 2.13.02rc2 has a stack-based buffer under-read in the function ieee_shr in asm/float.c via a large shift value. | 4.6 |
2018-03-20 | CVE-2014-1215 | Coreftp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Coreftp Core FTP 1.2 Multiple buffer overflows in Core FTP Server before 1.2 build 508 allow local users to gain privileges via vectors related to reading data from config.dat and Windows Registry. | 4.6 |
2018-03-19 | CVE-2014-5443 | Seafile | Permissions, Privileges, and Access Controls vulnerability in Seafile Server Seafile Server before 3.1.2 and Server Professional Edition before 3.1.0 allow local users to gain privileges via vectors related to ccnet handling user accounts. | 4.6 |
2018-03-22 | CVE-2018-5731 | Heimdalsecurity | Improper Input Validation vulnerability in Heimdalsecurity Heimdal 2.2.190 An issue was discovered in Heimdal PRO 2.2.190. | 4.4 |
2018-03-20 | CVE-2018-1141 | Tenable | Incorrect Permission Assignment for Critical Resource vulnerability in Tenable Nessus When installing Nessus to a directory outside of the default location, Nessus versions prior to 7.0.3 did not enforce secure permissions for sub-directories. | 4.4 |
2018-03-25 | CVE-2018-9016 | Dsmall Project | Cross-site Scripting vulnerability in Dsmall Project Dsmall 20180320 dsmall v20180320 allows XSS via the main page search box at the public/index.php/home URI. | 4.3 |
2018-03-25 | CVE-2018-8977 | Exiv2 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Exiv2 0.26 In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp allows remote attackers to cause a denial of service (invalid memory access) via a crafted file. | 4.3 |
2018-03-24 | CVE-2018-8973 | Otcms | Cross-site Scripting vulnerability in Otcms 3.20 OTCMS 3.20 allows XSS by adding a keyword or link to an article, as demonstrated by an admin/keyWord_deal.php?mudi=add request. | 4.3 |
2018-03-24 | CVE-2015-9257 | BMC | Cross-site Scripting vulnerability in BMC Remedy Action Request System BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 hot fix 1 has persistent XSS. | 4.3 |
2018-03-23 | CVE-2018-8964 | Libming | Use After Free vulnerability in Libming 0.4.8 In libming 0.4.8, the decompileDELETE function of decompile.c has a use-after-free. | 4.3 |
2018-03-23 | CVE-2018-8963 | Libming | Use After Free vulnerability in Libming 0.4.8 In libming 0.4.8, the decompileGETVARIABLE function of decompile.c has a use-after-free. | 4.3 |
2018-03-23 | CVE-2018-8962 | Libming | Use After Free vulnerability in Libming 0.4.8 In libming 0.4.8, the decompileSingleArgBuiltInFunctionCall function of decompile.c has a use-after-free. | 4.3 |
2018-03-23 | CVE-2018-8961 | Libming | Use After Free vulnerability in Libming 0.4.8 In libming 0.4.8, the decompilePUSHPARAM function of decompile.c has a use-after-free. | 4.3 |
2018-03-23 | CVE-2018-1000139 | I Librarian | Cross-site Scripting vulnerability in I-Librarian I Librarian I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. | 4.3 |
2018-03-23 | CVE-2017-18247 | Libav | NULL Pointer Dereference vulnerability in Libav 12.2 The av_audio_fifo_size function in libavutil/audio_fifo.c in Libav 12.2 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted media file. | 4.3 |
2018-03-23 | CVE-2017-18246 | Libav | Out-of-bounds Read vulnerability in Libav 12.2 The pcm_encode_frame function in libavcodec/pcm.c in Libav 12.2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted media file. | 4.3 |
2018-03-23 | CVE-2017-18245 | Libav | Out-of-bounds Read vulnerability in Libav 12.2 The mpc8_probe function in libavformat/mpc8.c in Libav 12.2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted audio file. | 4.3 |
2018-03-23 | CVE-2018-8948 | Misp Project | Cross-site Scripting vulnerability in Misp-Project Misp In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. | 4.3 |
2018-03-23 | CVE-2017-15326 | Huawei | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Huawei Dbs3900 TDD LTE Firmware V100R003C00/V100R004C10 DBS3900 TDD LTE V100R003C00, V100R004C10 have a weak encryption algorithm security vulnerability. | 4.3 |
2018-03-22 | CVE-2018-8945 | GNU Redhat | Improper Input Validation vulnerability in multiple products The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section. | 4.3 |
2018-03-22 | CVE-2017-18244 | Libav | Out-of-bounds Read vulnerability in Libav 12.2 The stereo_processing function in libavcodec/aacps.c in Libav 12.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted aac file, related to ff_ps_apply. | 4.3 |
2018-03-22 | CVE-2017-18243 | Libav | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libav 12.2 The unpack_parse_unit function in libavcodec/dirac_parser.c in Libav 12.2 allows remote attackers to cause a denial of service (segmentation fault) via a crafted file. | 4.3 |
2018-03-22 | CVE-2017-18242 | Libav | Out-of-bounds Read vulnerability in Libav 12.2 The apply_dependent_coupling function in libavcodec/aacdec.c in Libav 12.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted aac file. | 4.3 |
2018-03-22 | CVE-2018-7512 | Geutebrueck | Cross-site Scripting vulnerability in Geutebrueck G-Cam/Efd-2250 Firmware and Topfd-2125 Firmware A cross-site scripting vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow remote code execution. | 4.3 |
2018-03-22 | CVE-2018-5505 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP versions 13.1.0 - 13.1.0.3, when ASM and AVR are both provisioned, TMM may restart while processing DNS requests when the virtual server is configured with a DNS profile and the Protocol setting is set to TCP. | 4.3 |
2018-03-22 | CVE-2017-16771 | Synology | Cross-site Scripting vulnerability in Synology Photo Station Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter. | 4.3 |
2018-03-22 | CVE-2018-0538 | QQQ Systems Project | Cross-site Scripting vulnerability in QQQ Systems Project QQQ Systems 2.24 Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2018-03-22 | CVE-2018-0537 | QQQ Systems Project | Cross-site Scripting vulnerability in QQQ Systems Project QQQ Systems 2.24 Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via quiz_op.cgi. | 4.3 |
2018-03-22 | CVE-2018-0536 | QQQ Systems Project | Cross-site Scripting vulnerability in QQQ Systems Project QQQ Systems 2.24 Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via quiz.cgi. | 4.3 |
2018-03-22 | CVE-2018-0535 | PHP 2Chbbs Project | Cross-site Scripting vulnerability in PHP 2Chbbs Project PHP 2Chbbs Bbs18C Cross-site scripting vulnerability in PHP 2chBBS version bbs18c allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2018-03-22 | CVE-2018-0534 | Arsenol Project | Cross-site Scripting vulnerability in Arsenol Project Arsenol 0.5 Cross-site scripting vulnerability in ArsenoL Version 0.5 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2018-03-22 | CVE-2018-8899 | Identityserver | Cross-site Scripting vulnerability in Identityserver Identityserver4 IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations. | 4.3 |
2018-03-22 | CVE-2018-8906 | Dsmall Project | Cross-site Scripting vulnerability in Dsmall Project Dsmall 20180320 dsmall v20180320 has XSS via a crafted street address to public/index.php/home/memberaddress/index.html, which is mishandled at public/index.php/home/memberaddress/edit/address_id/2.html. | 4.3 |
2018-03-21 | CVE-2018-1229 | Pivotal Software | Cross-site Scripting vulnerability in Pivotal Software Spring Batch Admin Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. | 4.3 |
2018-03-21 | CVE-2017-0924 | Gitlab | Cross-site Scripting vulnerability in Gitlab Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the labels component resulting in persistent cross site scripting. | 4.3 |
2018-03-21 | CVE-2017-0923 | Gitlab | Cross-site Scripting vulnerability in Gitlab Gitlab Community Edition version 9.1 is vulnerable to lack of input validation in the IPython notebooks component resulting in persistent cross site scripting. | 4.3 |
2018-03-21 | CVE-2017-0917 | Gitlab Debian | Improper Input Validation vulnerability in multiple products Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting. | 4.3 |
2018-03-20 | CVE-2014-2032 | Maradns Project Deadwood Project | Improper Input Validation vulnerability in multiple products Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to missing input validation. | 4.3 |
2018-03-20 | CVE-2014-2031 | Maradns Project Deadwood Project | Out-of-bounds Read vulnerability in multiple products Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to a logic error. | 4.3 |
2018-03-20 | CVE-2017-17307 | Huawei | Out-of-bounds Read vulnerability in Huawei Vns-L21 Firmware Vnsl21Autc555B141 Some Huawei Smartphones with software of VNS-L21AUTC555B141 have an out-of-bounds read vulnerability. | 4.3 |
2018-03-20 | CVE-2017-17306 | Huawei | Out-of-bounds Read vulnerability in Huawei Vns-L21 Firmware Some Huawei Smartphones with software of VNS-L21AUTC555B141, VNS-L21C10B160, VNS-L21C66B160, VNS-L21C703B140 have an array out-of-bounds read vulnerability. | 4.3 |
2018-03-20 | CVE-2017-14191 | Fortinet | Unspecified vulnerability in Fortinet Fortiweb An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under "Signed Security Mode", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie. | 4.3 |
2018-03-20 | CVE-2018-8810 | Radare | Out-of-bounds Read vulnerability in Radare Radare2 2.4.0 In radare2 2.4.0, there is a heap-based buffer over-read in the get_ivar_list_t function of mach0_classes.c. | 4.3 |
2018-03-20 | CVE-2018-8809 | Radare | Out-of-bounds Read vulnerability in Radare Radare2 2.4.0 In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik_op function of anal_dalvik.c. | 4.3 |
2018-03-20 | CVE-2018-8808 | Radare | Out-of-bounds Read vulnerability in Radare Radare2 2.4.0 In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_disassemble function of asm.c. | 4.3 |
2018-03-20 | CVE-2018-8807 | Libming | Use After Free vulnerability in Libming 0.4.8 In libming 0.4.8, these is a use-after-free in the function decompileCALLFUNCTION of decompile.c. | 4.3 |
2018-03-20 | CVE-2018-8806 | Libming | Use After Free vulnerability in Libming 0.4.8 In libming 0.4.8, there is a use-after-free in the decompileArithmeticOp function of decompile.c. | 4.3 |
2018-03-20 | CVE-2018-8805 | Yxcms | Cross-site Scripting vulnerability in Yxcms 1.4.7 Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=guestbook request. | 4.3 |
2018-03-19 | CVE-2018-5233 | Getgrav | Cross-site Scripting vulnerability in Getgrav Grav CMS Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools. | 4.3 |
2018-03-19 | CVE-2014-2297 | Videowhisper | Cross-site Scripting vulnerability in Videowhisper Live Streaming Integration 4.29.6 Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin 4.29.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to ls/htmlchat.php or (2) bgcolor parameter to ls/index.php. | 4.3 |
2018-03-19 | CVE-2018-1196 | Vmware | Link Following vulnerability in VMWare Spring Boot Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. | 4.3 |
2018-03-25 | CVE-2018-9010 | Intelbras | Path Traversal vulnerability in Intelbras Tip200 Firmware and Tip200Lite Firmware Intelbras TELEFONE IP TIP200/200 LITE 60.0.75.29 devices allow remote authenticated admins to read arbitrary files via the /cgi-bin/cgiServer.exx page parameter, aka absolute path traversal. | 4.0 |
2018-03-23 | CVE-2017-1602 | IBM | Files or Directories Accessible to External Parties vulnerability in IBM products IBM RSA DM (IBM Rational Collaborative Lifecycle Management 5.0 and 6.0) could allow an authenticated user to access settings that they should not be able to using a specially crafted URL. | 4.0 |
2018-03-23 | CVE-2017-1524 | IBM | Information Exposure vulnerability in IBM products IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5.0 and 6.0) could allow an authenticated user to obtain sensitive information from a specially crafted HTTP request that could be used to aid future attacks. | 4.0 |
2018-03-22 | CVE-2017-0920 | Gitlab | Incorrect Authorization vulnerability in Gitlab GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance. | 4.0 |
2018-03-21 | CVE-2017-0927 | Gitlab | Incorrect Authorization vulnerability in Gitlab Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users. | 4.0 |
2018-03-21 | CVE-2017-0925 | Gitlab Debian | Cleartext Transmission of Sensitive Information vulnerability in Gitlab Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password. | 4.0 |
2018-03-20 | CVE-2015-7461 | IBM | Resource Management Errors vulnerability in IBM Connections XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. | 4.0 |
2018-03-20 | CVE-2018-1322 | Apache | Information Exposure vulnerability in Apache Syncope An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters. | 4.0 |
29 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-03-22 | CVE-2018-1448 | IBM Linux Microsoft | Unspecified vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. | 3.6 |
2018-03-19 | CVE-2014-2885 | Truecrypt Project | Information Exposure vulnerability in Truecrypt Project Truecrypt 7.1 Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) obtain sensitive information via vectors involving a crafted item->OriginalLength value in the MainThreadProc function in EncryptedIoQueue.c or (2) cause a denial of service (memory consumption) via vectors involving large StartingOffset and Length values in the ProcessVolumeDeviceControlIrp function in Ntdriver.c. | 3.6 |
2018-03-25 | CVE-2018-8978 | Open Audit | Cross-site Scripting vulnerability in Open-Audit 2.1 Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an IMG element within a URI. | 3.5 |
2018-03-25 | CVE-2018-9017 | Dsmall Project | Cross-site Scripting vulnerability in Dsmall Project Dsmall 20180320 dsmall v20180320 allows XSS via the member search box at the public/index.php/home/membersnsfriend/findlist.html URI. | 3.5 |
2018-03-25 | CVE-2018-9015 | Dsmall Project | Cross-site Scripting vulnerability in Dsmall Project Dsmall 20180320 dsmall v20180320 allows XSS via the public/index.php/home/predeposit/index.html pdr_sn parameter (aka the CMS search box). | 3.5 |
2018-03-23 | CVE-2018-8957 | Covercms Project | Cross-site Scripting vulnerability in Covercms Project Covercms 1.1.6 CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related to admina/mconfigs.inc.php. | 3.5 |
2018-03-23 | CVE-2018-1429 | IBM | Cross-site Scripting vulnerability in IBM MQ Appliance IBM MQ Appliance 9.0.1, 9.0.2, 9.0.3, amd 9.0.4 is vulnerable to cross-site scripting. | 3.5 |
2018-03-23 | CVE-2017-1762 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5.0 and 6.0) is vulnerable to cross-site scripting. | 3.5 |
2018-03-23 | CVE-2017-1655 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5.0 and 6.0) is vulnerable to cross-site scripting. | 3.5 |
2018-03-23 | CVE-2017-1629 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5.0 and 6.0) is vulnerable to cross-site scripting. | 3.5 |
2018-03-22 | CVE-2018-8942 | Xiuno BBS Project | Cross-site Scripting vulnerability in Xiuno BBS Project Xiuno BBS 4.0.0 Xiuno BBS 4.0.0 has XSS in the adminpage sitename parameter. | 3.5 |
2018-03-22 | CVE-2018-8903 | Open Audit | Cross-site Scripting vulnerability in Open-Audit 2.1 Open-AudIT Professional 2.1 allows XSS via the Name or Description field on the Credentials screen. | 3.5 |
2018-03-22 | CVE-2017-18094 | Atlassian | Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository. | 3.5 |
2018-03-20 | CVE-2018-8832 | Enhavo | Cross-site Scripting vulnerability in Enhavo 0.4.0 enhavo 0.4.0 has XSS via a user-group that contains executable JavaScript code in the user-group name. | 3.5 |
2018-03-20 | CVE-2015-7460 | IBM | Cross-site Scripting vulnerability in IBM Connections Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2018-03-20 | CVE-2015-7459 | IBM | Cross-site Scripting vulnerability in IBM Connections Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2018-03-20 | CVE-2015-7458 | IBM | Cross-site Scripting vulnerability in IBM Connections Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2018-03-20 | CVE-2014-1665 | Owncloud | Cross-site Scripting vulnerability in Owncloud Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. | 3.5 |
2018-03-20 | CVE-2018-8815 | Alkacon | Cross-site Scripting vulnerability in Alkacon Opencms 10.5.3 Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image. | 3.5 |
2018-03-19 | CVE-2018-6842 | Kentico | Cross-site Scripting vulnerability in Kentico CMS Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page. | 3.5 |
2018-03-20 | CVE-2018-5438 | Philips | Insufficient Session Expiration vulnerability in Philips Intellispace Cardiovascular Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. | 3.3 |
2018-03-22 | CVE-2018-1428 | IBM Linux Microsoft | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM DB2 IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2.1 |
2018-03-22 | CVE-2018-1427 | IBM Linux Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2 IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) contains several environment variables that a local attacker could overflow and cause a denial of service. | 2.1 |
2018-03-22 | CVE-2017-1571 | IBM Linux Microsoft | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2.1 |
2018-03-20 | CVE-2015-7449 | IBM | Information Exposure vulnerability in IBM products IBM Rational Collaborative Lifecycle Management (CLM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Quality Manager (RQM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Team Concert (RTC) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Requirements Composer (RRC) 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7 before iFix1, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2 allow local users to obtain sensitive information by leveraging weak encryption. | 2.1 |
2018-03-19 | CVE-2014-5450 | Zarafa | Information Exposure vulnerability in Zarafa Collaboration Platform 4.1 Zarafa Collaboration Platform 4.1 uses world-readable permissions for /etc/zarafa/license, which allows local users to obtain sensitive information by reading license files. | 2.1 |
2018-03-19 | CVE-2014-2884 | Truecrypt Project | Improper Access Control vulnerability in Truecrypt Project Truecrypt 7.1 The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt 7.1a allows local users to bypass access restrictions and obtain sensitive information about arbitrary files via a (1) TC_IOCTL_OPEN_TEST or (2) TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG IOCTL call. | 2.1 |
2018-03-19 | CVE-2018-5552 | Docutracinc | Use of Hard-coded Credentials vulnerability in Docutracinc Dtisqlinstaller Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contains a hard-coded cryptographic salt, "S@l+&pepper". | 2.1 |
2018-03-20 | CVE-2018-3626 | Intel Microsoft Linux | Information Exposure vulnerability in Intel SGX SDK Edger8r tool in the Intel SGX SDK before version 2.1.2 (Linux) and 1.9.6 (Windows) may generate code that is susceptible to a side channel potentially allowing a local user to access unauthorized information. | 1.9 |