Weekly Vulnerabilities Reports > May 28 to June 3, 2018
Overview
378 new vulnerabilities reported during this period, including 97 critical vulnerabilities and 41 high severity vulnerabilities. This weekly summary report vulnerabilities in 357 products from 239 vendors including Quest, Canonical, IBM, Espruino, and F5. Vulnerabilities are notably categorized as "Cryptographic Issues", "OS Command Injection", "Cross-site Scripting", "Information Exposure", and "Improper Input Validation".
- 356 reported vulnerabilities are remotely exploitables.
- 21 reported vulnerabilities have public exploit available.
- 139 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 281 reported vulnerabilities are exploitable by an anonymous user.
- Quest has the most reported vulnerabilities, with 63 reported vulnerabilities.
- Quest has the most reported critical vulnerabilities, with 10 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
97 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-06-01 | CVE-2018-3757 | PDF Image Project | OS Command Injection vulnerability in Pdf-Image Project Pdf-Image 2.0.0 Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter. | 10.0 |
2018-06-01 | CVE-2018-11652 | Cirt NET | Improper Neutralization of Formula Elements in a CSV File vulnerability in Cirt.Net Nikto CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. | 10.0 |
2018-05-31 | CVE-2016-10546 | Pouchdb | Code Injection vulnerability in Pouchdb An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. | 10.0 |
2018-05-31 | CVE-2016-10532 | Console IO Project | Improper Authentication vulnerability in Console-Io Project Console-Io console-io is a module that allows users to implement a web console in their application. | 10.0 |
2018-05-31 | CVE-2018-11138 | Quest | OS Command Injection vulnerability in Quest Kace System Management Appliance 8.0.318 The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. | 10.0 |
2018-05-31 | CVE-2018-9318 | BMW | Protection Mechanism Failure vulnerability in BMW Telematics Control Unit Firmware The Telematics Control Unit (aka Telematic Communication Box or TCB), when present on BMW vehicles produced in 2012 through 2018, allows a remote attack via a cellular network. | 10.0 |
2018-05-31 | CVE-2018-9311 | BMW | Protection Mechanism Failure vulnerability in BMW Telematics Control Unit Firmware The Telematics Control Unit (aka Telematic Communication Box or TCB), when present on BMW vehicles produced in 2012 through 2018, allows a remote attack via a cellular network. | 10.0 |
2018-05-29 | CVE-2018-1235 | EMC | OS Command Injection vulnerability in EMC Recoverpoint and Recoverpoint for Virtual Machines Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. | 10.0 |
2018-06-02 | CVE-2018-11682 | Lutron | Use of Hard-coded Credentials vulnerability in Lutron products Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. | 9.8 |
2018-06-02 | CVE-2018-11681 | Lutron | Use of Hard-coded Credentials vulnerability in Lutron products Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. | 9.8 |
2018-06-02 | CVE-2018-11629 | Lutron | Use of Hard-coded Credentials vulnerability in Lutron products Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. | 9.8 |
2018-06-01 | CVE-2018-3746 | Pdfinfojs Project | OS Command Injection vulnerability in Pdfinfojs Project Pdfinfojs The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine. | 9.8 |
2018-05-31 | CVE-2016-10541 | Shell Quote Project | Code Injection vulnerability in Shell-Quote Project Shell-Quote The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. | 9.8 |
2018-05-29 | CVE-2018-3744 | Html Pages Project | Path Traversal vulnerability in Html-Pages Project Html-Pages 2.0.7 The html-pages node module contains a path traversal vulnerabilities that allows an attacker to read any file from the server with cURL. | 9.8 |
2018-06-01 | CVE-2016-10634 | Scalajs Standalone BIN Project | Cryptographic Issues vulnerability in Scalajs-Standalone-Bin Project Scalajs-Standalone-Bin scala-standalone-bin is a Binary wrapper for ScalaJS. | 9.3 |
2018-06-01 | CVE-2016-10633 | Dwebp BIN Project | Cryptographic Issues vulnerability in Dwebp-Bin Project Dwebp-Bin dwebp-bin is a dwebp node.js wrapper that convert WebP into PNG. | 9.3 |
2018-06-01 | CVE-2016-10632 | APK Parser2 Project | Cryptographic Issues vulnerability in Apk-Parser2 Project Apk-Parser2 0.1.0/0.1.1 apk-parser2 is a module which extracts Android Manifest info from an APK file. | 9.3 |
2018-06-01 | CVE-2016-10631 | Jvminstall Project | Cryptographic Issues vulnerability in Jvminstall Project Jvminstall jvminstall is a module for downloading and unpacking jvm to local system. | 9.3 |
2018-06-01 | CVE-2016-10629 | NW With ARM Project | Cryptographic Issues vulnerability in Nw-With-Arm Project Nw-With-Arm 0.12.2 nw-with-arm is a NW Installer including ARM-Build. | 9.3 |
2018-06-01 | CVE-2016-10628 | Selenium Wrapper Project | Cryptographic Issues vulnerability in Selenium-Wrapper Project Selenium-Wrapper selenium-wrapper is a selenium server wrapper, including installation and chrome webdriver. | 9.3 |
2018-06-01 | CVE-2016-10626 | Mystem3 Project | Cryptographic Issues vulnerability in Mystem3 Project Mystem3 mystem3 is a NodeJS wrapper for the Yandex MyStem 3. | 9.3 |
2018-06-01 | CVE-2016-10625 | Headless Browser Lite Project | Cryptographic Issues vulnerability in Headless-Browser-Lite Project Headless-Browser-Lite headless-browser-lite is a minimal npm installer for phantomjs and slimerjs with no external dependencies. | 9.3 |
2018-06-01 | CVE-2016-10624 | Selenium Chromedriver Project | Cryptographic Issues vulnerability in Selenium-Chromedriver Project Selenium-Chromedriver selenium-chromedriver is a simple utility for downloading the Selenium Webdriver for Google Chrome selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-06-01 | CVE-2016-10623 | Macaca Chromedriver ZXA Project | Cryptographic Issues vulnerability in Macaca-Chromedriver-Zxa Project Macaca-Chromedriver-Zxa macaca-chromedriver-zxa is a Node.js wrapper for the selenium chromedriver. | 9.3 |
2018-06-01 | CVE-2016-10622 | Nodeschnaps Project | Cryptographic Issues vulnerability in Nodeschnaps Project Nodeschnaps nodeschnaps is a NodeJS compatibility layer for Java (Rhino). | 9.3 |
2018-06-01 | CVE-2016-10621 | Fibjs Project | Cryptographic Issues vulnerability in Fibjs Project Fibjs fibjs is a runtime for javascript applictions built on google v8 JS. | 9.3 |
2018-06-01 | CVE-2016-10620 | Atom Node Module Installer Project | Cryptographic Issues vulnerability in Atom-Node-Module-Installer Project Atom-Node-Module-Installer atom-node-module-installer installs node modules for atom-shell applications. | 9.3 |
2018-06-01 | CVE-2016-10617 | Box2D Native Project | Cryptographic Issues vulnerability in Box2D-Native Project Box2D-Native box2d-native downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-06-01 | CVE-2016-10615 | Curses Project | Cryptographic Issues vulnerability in Curses Project Curses curses is bindings for the native curses library, a full featured console IO library. | 9.3 |
2018-06-01 | CVE-2016-10614 | Httpsync Project | Cryptographic Issues vulnerability in Httpsync Project Httpsync httpsync is a port of libcurl to node.js. | 9.3 |
2018-06-01 | CVE-2016-10612 | Dalekjs | Cryptographic Issues vulnerability in Dalekjs dalek-browser-ie-canary is Internet Explorer bindings for DalekJS. | 9.3 |
2018-06-01 | CVE-2016-10609 | Chromedriver126 Project Linux | Cryptographic Issues vulnerability in Chromedriver126 Project Chromedriver126 chromedriver126 is chromedriver version 1.26 for linux OS. | 9.3 |
2018-06-01 | CVE-2016-10608 | Getrobot | Cryptographic Issues vulnerability in Getrobot Robot-Js robot-js is a module for native system automation for node.js. | 9.3 |
2018-06-01 | CVE-2016-10607 | Openframe Glslviewer Project | Cryptographic Issues vulnerability in Openframe-Glslviewer Project Openframe-Glslviewer openframe-glsviewer is a Openframe extension which adds support for shaders via glslViewer. | 9.3 |
2018-06-01 | CVE-2016-10606 | Grunt Webdriver Qunit Project | Cryptographic Issues vulnerability in Grunt-Webdriver-Qunit Project Grunt-Webdriver-Qunit grunt-webdriver-qunit is a grunt plugin to run qunit with webdriver in grunt grunt-webdriver-qunit downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-06-01 | CVE-2016-10605 | Dalekjs | Cryptographic Issues vulnerability in Dalekjs dalek-browser-ie is Internet Explorer bindings for DalekJS. | 9.3 |
2018-06-01 | CVE-2016-10604 | Dalekjs | Cryptographic Issues vulnerability in Dalekjs dalek-browser-chrome is Google Chrome bindings for DalekJS. | 9.3 |
2018-06-01 | CVE-2016-10603 | AIR SDK Project | Cryptographic Issues vulnerability in Air-Sdk Project Air-Sdk air-sdk is a NPM wrapper for the Adobe AIR SDK. | 9.3 |
2018-06-01 | CVE-2016-10602 | Haxe | Cryptographic Issues vulnerability in Haxe haxe is a cross-platform toolkit haxe downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-06-01 | CVE-2016-10600 | Webrtc | Cryptographic Issues vulnerability in Webrtc Webrtc-Native webrtc-native uses WebRTC from chromium project. | 9.3 |
2018-06-01 | CVE-2016-10599 | Node Sauce Connect Project | Cryptographic Issues vulnerability in Node-Sauce-Connect Project Node-Sauce-Connect 0.1.0/0.1.1 sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar program for establishing a secure tunnel for intranet testing. | 9.3 |
2018-06-01 | CVE-2016-10595 | JDF Sass Project | Cryptographic Issues vulnerability in Jdf-Sass Project Jdf-Sass jdf-sass is a fork from node-sass, jdf use only. | 9.3 |
2018-06-01 | CVE-2016-10588 | Nwjs | Cryptographic Issues vulnerability in Nwjs NW nw is an installer for nw.js. | 9.3 |
2018-06-01 | CVE-2016-10587 | Wasdk Project | Cryptographic Issues vulnerability in Wasdk Project Wasdk wasdk is a toolkit for creating WebAssembly modules. | 9.3 |
2018-06-01 | CVE-2016-10585 | Libxl Project | Cryptographic Issues vulnerability in Libxl Project Libxl libxl provides Node bindings for the libxl library for reading and writing excel (XLS and XLSX) spreadsheets. | 9.3 |
2018-06-01 | CVE-2016-10583 | Openlayers | Cryptographic Issues vulnerability in Openlayers Closure-Util closure-utils is Utilities for Closure Library based projects. | 9.3 |
2018-06-01 | CVE-2016-10582 | Closurecompiler Project | Cryptographic Issues vulnerability in Closurecompiler Project Closurecompiler closurecompiler is a Closure Compiler for node.js. | 9.3 |
2018-06-01 | CVE-2016-10581 | Appgyver | Cryptographic Issues vulnerability in Appgyver Steroids Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity. | 9.3 |
2018-06-01 | CVE-2016-10580 | Nodewebkit Project | Cryptographic Issues vulnerability in Nodewebkit Project Nodewebkit nodewebkit is an installer for node-webkit. | 9.3 |
2018-06-01 | CVE-2016-10576 | Fuseki Project | Cryptographic Issues vulnerability in Fuseki Project Fuseki 1.0.0 Fuseki server wrapper and management API in fuseki before 1.0.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-06-01 | CVE-2016-10575 | Hakatashi | Cryptographic Issues vulnerability in Hakatashi Kindlegen Kindlegen is a simple Node.js wrapper of the official kindlegen program. | 9.3 |
2018-06-01 | CVE-2016-10574 | APK Parser3 Project | Cryptographic Issues vulnerability in Apk-Parser3 Project Apk-Parser3 0.1.1/0.1.2 apk-parser3 is a module to extract Android Manifest info from an APK file. | 9.3 |
2018-06-01 | CVE-2018-11551 | NCH | Untrusted Search Path vulnerability in NCH Axon PBX 2.02 AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. | 9.3 |
2018-05-31 | CVE-2016-10572 | Mongodb Instance Project | Cryptographic Issues vulnerability in Mongodb-Instance Project Mongodb-Instance 0.0.1/0.0.2 mongodb-instance before 0.0.3 installs mongodb locally. | 9.3 |
2018-05-31 | CVE-2016-10571 | Bkjs Wand Project | Cryptographic Issues vulnerability in Bkjs-Wand Project Bkjs-Wand bkjs-wand is imagemagick wand support for node.js and backendjs bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-31 | CVE-2016-10569 | Embedza Project | Cryptographic Issues vulnerability in Embedza Project Embedza embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags. | 9.3 |
2018-05-31 | CVE-2016-10562 | Iedriver Project | Cryptographic Issues vulnerability in Iedriver Project Iedriver iedriver is an NPM wrapper for Selenium IEDriver. | 9.3 |
2018-05-31 | CVE-2016-10560 | Galenframework | Cryptographic Issues vulnerability in Galenframework Galenframework-Cli galenframework-cli is the node wrapper for the Galen Framework. | 9.3 |
2018-05-29 | CVE-2017-16003 | Windows Build Tools Project | Missing Encryption of Sensitive Data vulnerability in Windows-Build-Tools Project Windows-Build-Tools windows-build-tools is a module for installing C++ Build Tools for Windows using npm. | 9.3 |
2018-05-29 | CVE-2016-10698 | Mystem FIX Project | Cryptographic Issues vulnerability in Mystem-Fix Project Mystem-Fix 0.0.4/0.0.5 mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-29 | CVE-2016-10682 | Massif Project | Cryptographic Issues vulnerability in Massif Project Massif 0.0.11 massif is a Phantomjs fork massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-29 | CVE-2016-10681 | Robotwebtools | Cryptographic Issues vulnerability in Robotwebtools Roslibjs roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-29 | CVE-2016-10679 | Selenium Standalone Painful Project | Cryptographic Issues vulnerability in Selenium-Standalone-Painful Project Selenium-Standalone-Painful 2.39.02.7.0 selenium-standalone-painful installs a start-selenium command line to start a standalone selenium server with chrome-driver. | 9.3 |
2018-05-29 | CVE-2016-10674 | Limbus Buildgen Project | Cryptographic Issues vulnerability in Limbus-Buildgen Project Limbus-Buildgen 0.1.0 limbus-buildgen is a "build anywhere" build system. | 9.3 |
2018-05-29 | CVE-2016-10666 | Yandex | Cryptographic Issues vulnerability in Yandex Tomita-Parser 0.0.1/0.0.2/0.0.3 tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-29 | CVE-2016-10659 | Macchina | Cryptographic Issues vulnerability in Macchina Poco poco - The POCO libraries, downloads source file resources used for compilation over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-29 | CVE-2016-10658 | Native Opencv Project | Cryptographic Issues vulnerability in Native-Opencv Project Native-Opencv 3.0.0 native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. | 9.3 |
2018-05-29 | CVE-2016-10650 | Shutterstock | Cryptographic Issues vulnerability in Shutterstock Ntfserver ntfserver is a Network Testing Framework Server. | 9.3 |
2018-05-29 | CVE-2016-10635 | Broccoli Closure Project | Cryptographic Issues vulnerability in Broccoli-Closure Project Broccoli-Closure 1.0.0/1.2.0/1.3.0 broccoli-closure is a Closure compiler plugin for Broccoli. | 9.3 |
2018-05-29 | CVE-2016-10627 | Scala BIN Project | Cryptographic Issues vulnerability in Scala-Bin Project Scala-Bin scala-bin is a binary wrapper for Scala. | 9.3 |
2018-05-29 | CVE-2016-10611 | Strider Sauce Project | Cryptographic Issues vulnerability in Strider-Sauce Project Strider-Sauce strider-sauce is Sauce Labs / Selenium support for Strider. | 9.3 |
2018-05-29 | CVE-2016-10601 | Uxebu | Cryptographic Issues vulnerability in Uxebu Webdrvr webdrvr is a npm wrapper for Selenium Webdriver including Chromedriver / IEDriver / IOSDriver / Ghostdriver. | 9.3 |
2018-05-29 | CVE-2016-10593 | Interactivebrokers | Cryptographic Issues vulnerability in Interactivebrokers Ibapi ibapi is an Interactive Brokers API addon for NodeJS. | 9.3 |
2018-05-29 | CVE-2016-10591 | Prince Project | Cryptographic Issues vulnerability in Prince Project Prince 1.4.4/1.4.5 Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML via prince(1) CLI. | 9.3 |
2018-05-29 | CVE-2016-10590 | CUE SDK Node Project | Cryptographic Issues vulnerability in Cue-Sdk-Node Project Cue-Sdk-Node cue-sdk-node is a Corsair Cue SDK wrapper for node.js. | 9.3 |
2018-05-29 | CVE-2016-10589 | Spunjs | Cryptographic Issues vulnerability in Spunjs Selenium-Binaries selenium-binaries downloads Selenium related binaries for your OS. | 9.3 |
2018-05-29 | CVE-2016-10586 | Macacajs | Cryptographic Issues vulnerability in Macacajs Macaca-Chromedriver macaca-chromedriver is a Node.js wrapper for the selenium chromedriver. | 9.3 |
2018-05-29 | CVE-2016-10584 | Dalekjs | Cryptographic Issues vulnerability in Dalekjs dalek-browser-chrome-canary provides Google Chrome bindings for DalekJS. | 9.3 |
2018-05-29 | CVE-2016-10573 | Baryton Saxophone Project | Cryptographic Issues vulnerability in Baryton-Saxophone Project Baryton-Saxophone 2.48.2/2.50.1/2.53.0 baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows. | 9.3 |
2018-05-29 | CVE-2016-10570 | Pngcrush Installer Project | Cryptographic Issues vulnerability in Pngcrush-Installer Project Pngcrush-Installer pngcrush-installer is an installer for Pngcrush. | 9.3 |
2018-05-29 | CVE-2016-10567 | Product Monitor Project | Cryptographic Issues vulnerability in Product-Monitor Project Product-Monitor product-monitor is a HTML/JavaScript template for monitoring a product by encouraging product developers to gather all the information about the status of a product, including live monitoring, statistics, endpoints, and test results into one place. | 9.3 |
2018-05-29 | CVE-2016-10566 | Install NW Project | Cryptographic Issues vulnerability in Install-Nw Project Install-Nw install-nw is a module which quickly and robustly installs and caches NW.js. | 9.3 |
2018-05-29 | CVE-2016-10559 | Groupon | Cryptographic Issues vulnerability in Groupon Selenium-Download selenium-download downloads the latest versions of the selenium standalone server and the chromedriver. | 9.3 |
2018-05-29 | CVE-2016-10558 | Aerospike | Cryptographic Issues vulnerability in Aerospike aerospike is an Aerospike add-on module for Node.js. | 9.3 |
2018-05-29 | CVE-2018-3745 | Atob Project | Out-of-bounds Read vulnerability in Atob Project Atob atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. | 9.1 |
2018-06-02 | CVE-2018-11194 | Quest | Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 6 of 6). | 9.0 |
2018-06-02 | CVE-2018-11193 | Quest | Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 5 of 6). | 9.0 |
2018-06-02 | CVE-2018-11192 | Quest | Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 4 of 6). | 9.0 |
2018-06-02 | CVE-2018-11191 | Quest | Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 3 of 6). | 9.0 |
2018-06-02 | CVE-2018-11190 | Quest | Improper Privilege Management vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 2 of 6). | 9.0 |
2018-06-02 | CVE-2018-11189 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 1 of 6). | 9.0 |
2018-06-01 | CVE-2018-7951 | Huawei | Code Injection vulnerability in Huawei products The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. | 9.0 |
2018-06-01 | CVE-2018-7950 | Huawei | Code Injection vulnerability in Huawei products The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. | 9.0 |
2018-05-31 | CVE-2018-11139 | Quest | OS Command Injection vulnerability in Quest Kace System Management Appliance 8.0.318 The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. | 9.0 |
2018-05-31 | CVE-2018-11134 | Quest | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Quest Kace System Management Appliance 8.0.318 In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands. | 9.0 |
2018-05-31 | CVE-2018-11132 | Quest | OS Command Injection vulnerability in Quest Kace System Management Appliance 8.0.318 In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed. | 9.0 |
2018-05-31 | CVE-2018-11220 | Bitmain | Unspecified vulnerability in Bitmain products Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Execution via the system restore function. | 9.0 |
41 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-05-31 | CVE-2018-11135 | Quest | Unspecified vulnerability in Quest Kace System Management Appliance 8.0.318 The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks. | 8.8 |
2018-05-28 | CVE-2018-11516 | Videolan | Use After Free vulnerability in Videolan VLC Media Player 3.0.0/3.0.1 The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file. | 8.8 |
2018-06-01 | CVE-2016-10598 | Arrayfire JS Project | Cryptographic Issues vulnerability in Arrayfire-Js Project Arrayfire-Js arrayfire-js is a module for ArrayFire for the Node.js platform. | 8.5 |
2018-05-30 | CVE-2018-11556 | Littlecms | Out-of-bounds Write vulnerability in Littlecms Little CMS 2.9 tificc in Little CMS 2.9 has an out-of-bounds write in the cmsPipelineCheckAndRetreiveStages function in cmslut.c in liblcms2.a via a crafted TIFF file. | 7.8 |
2018-05-30 | CVE-2018-11555 | Littlecms | Out-of-bounds Write vulnerability in Littlecms Little CMS 2.9 tificc in Little CMS 2.9 has an out-of-bounds write in the PrecalculatedXFORM function in cmsxform.c in liblcms2.a via a crafted TIFF file. | 7.8 |
2018-05-29 | CVE-2016-7076 | Sudo Project | Command Injection vulnerability in Sudo Project Sudo sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. | 7.8 |
2018-05-28 | CVE-2018-11506 | Linux Canonical Debian | Out-of-bounds Write vulnerability in multiple products The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call. | 7.8 |
2018-06-02 | CVE-2018-11143 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 1 of 46). | 7.5 |
2018-06-01 | CVE-2016-1000338 | Bouncycastle Redhat Canonical Netapp | Improper Verification of Cryptographic Signature vulnerability in multiple products In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. | 7.5 |
2018-05-31 | CVE-2016-10554 | Sequelizejs | SQL Injection vulnerability in Sequelizejs Sequelize sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. | 7.5 |
2018-05-31 | CVE-2016-10553 | Sequelizejs | SQL Injection vulnerability in Sequelizejs Sequelize sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. | 7.5 |
2018-05-31 | CVE-2016-10550 | Sequelizejs | SQL Injection vulnerability in Sequelizejs Sequelize sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. | 7.5 |
2018-05-31 | CVE-2018-11141 | Quest | Path Traversal vulnerability in Quest Kace System Management Appliance 8.0.318 The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. | 7.5 |
2018-05-31 | CVE-2018-11140 | Quest | SQL Injection vulnerability in Quest Kace System Management Appliance 8.0.318 The 'reportID' parameter received by the '/common/run_report.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an error-based type). | 7.5 |
2018-05-31 | CVE-2018-11136 | Quest | SQL Injection vulnerability in Quest Kace System Management Appliance 8.0.318 The 'orgID' parameter received by the '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, a blind time-based type). | 7.5 |
2018-05-31 | CVE-2018-11576 | Miniupnp Project | Out-of-bounds Read vulnerability in Miniupnp Project Ngiflib 0.4 ngiflib.c in MiniUPnP ngiflib 0.4 has a heap-based buffer over-read in GifIndexToTrueColor. | 7.5 |
2018-05-31 | CVE-2018-11575 | Miniupnp Project | Out-of-bounds Write vulnerability in Miniupnp Project Ngiflib 0.4 ngiflib.c in MiniUPnP ngiflib 0.4 has a stack-based buffer overflow in DecodeGifImg. | 7.5 |
2018-05-30 | CVE-2018-11482 | TP Link | Use of Hard-coded Credentials vulnerability in Tp-Link products /usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password. | 7.5 |
2018-05-29 | CVE-2018-11547 | Md4C Project | Out-of-bounds Read vulnerability in Md4C Project Md4C 0.2.5 md_is_link_reference_definition_helper in md4c 0.2.5 has a heap-based buffer over-read because md_is_link_label mishandles loop termination. | 7.5 |
2018-05-29 | CVE-2018-11546 | Md4C Project | Out-of-bounds Read vulnerability in Md4C Project Md4C 0.2.5 md4c 0.2.5 has a heap-based buffer over-read because md_is_named_entity_contents has an off-by-one error. | 7.5 |
2018-05-29 | CVE-2018-11545 | Md4C Project | Out-of-bounds Write vulnerability in Md4C Project Md4C 0.2.5 md4c 0.2.5 has a heap-based buffer overflow in md_merge_lines because md_is_link_label mishandles the case of a link label composed solely of backslash escapes. | 7.5 |
2018-05-29 | CVE-2018-3734 | Stattic Project | Path Traversal vulnerability in Stattic Project Stattic 0.2.3 stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path. | 7.5 |
2018-05-29 | CVE-2018-3733 | Crud File Server Project | Path Traversal vulnerability in Crud-File-Server Project Crud-File-Server crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path. | 7.5 |
2018-05-29 | CVE-2018-10466 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection. | 7.5 |
2018-05-29 | CVE-2016-10551 | Balderdash | SQL Injection vulnerability in Balderdash Waterline-Sequel 0.5.0 waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code. | 7.5 |
2018-05-29 | CVE-2016-10525 | Dwyl | Improper Authentication vulnerability in Dwyl Hapi-Auth-Jwt2 When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication. | 7.5 |
2018-05-29 | CVE-2015-9244 | Mysqljs | SQL Injection vulnerability in Mysqljs Mysql Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection. | 7.5 |
2018-05-29 | CVE-2015-9235 | Auth0 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family). | 7.5 |
2018-05-29 | CVE-2018-5241 | Broadcom | Unspecified vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg Symantec Advanced Secure Gateway (ASG) 6.6 and 6.7, and ProxySG 6.5, 6.6, and 6.7 are susceptible to a SAML authentication bypass vulnerability. | 7.5 |
2018-05-29 | CVE-2018-11536 | Md4C Project | Out-of-bounds Write vulnerability in Md4C Project Md4C md4c before 0.2.5 has a heap-based buffer overflow because md_split_simple_pairing_mark mishandles splits. | 7.5 |
2018-05-29 | CVE-2018-11535 | Sitemakin | SQL Injection vulnerability in Sitemakin Slac 1.0 An issue was discovered in SITEMAKIN SLAC (Site Login and Access Control) v1.0. | 7.5 |
2018-05-29 | CVE-2018-11531 | Exiv2 Debian Canonical | Out-of-bounds Write vulnerability in multiple products Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp. | 7.5 |
2018-05-29 | CVE-2018-11528 | Wuzhicms | SQL Injection vulnerability in Wuzhicms Wuzhi CMS 4.1.0 WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI. | 7.5 |
2018-05-29 | CVE-2018-11523 | Nuuo | Unrestricted Upload of File with Dangerous Type vulnerability in Nuuo Nvrmini 2 Firmware upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, such as upload of .php files. | 7.5 |
2018-05-28 | CVE-2018-11309 | Membermouse | SQL Injection vulnerability in Membermouse Blind SQL injection in coupon_code in the MemberMouse plugin 2.2.8 and prior for WordPress allows an unauthenticated attacker to dump the WordPress MySQL database via an applyCoupon action in an admin-ajax.php request. | 7.5 |
2018-05-31 | CVE-2018-6552 | Apport Project Canonical | Unspecified vulnerability in Apport Project Apport Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. | 7.2 |
2018-05-31 | CVE-2018-9322 | BMW | Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows local attacks involving the USB or OBD-II interface. | 7.2 |
2018-05-31 | CVE-2018-9320 | BMW | Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in. | 7.2 |
2018-05-31 | CVE-2018-9314 | BMW | Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows an attack by an attacker who has direct physical access. | 7.2 |
2018-05-31 | CVE-2018-9312 | BMW | Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in. | 7.2 |
2018-05-29 | CVE-2018-6964 | Vmware Linux | Unspecified vulnerability in VMWare Horizon Client VMware Horizon Client for Linux (4.x before 4.8.0 and prior) contains a local privilege escalation vulnerability due to insecure usage of SUID binary. | 7.2 |
218 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-06-02 | CVE-2018-11679 | Cmseasy | Cross-Site Request Forgery (CSRF) vulnerability in Cmseasy 6.0 An issue was discovered in CmsEasy 6.1_20180508. | 6.8 |
2018-06-01 | CVE-2018-11538 | Searchblox | Cross-Site Request Forgery (CSRF) vulnerability in Searchblox 8.6.6 servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass. | 6.8 |
2018-06-01 | CVE-2016-10619 | Pennyworth Project | Cryptographic Issues vulnerability in Pennyworth Project Pennyworth pennyworth is a natural language templating engine. | 6.8 |
2018-06-01 | CVE-2016-10618 | Node Browser Project | Cryptographic Issues vulnerability in Node-Browser Project Node-Browser 0.0.1/0.0.2/0.0.3 node-browser is a wrapper webdriver by nodejs. | 6.8 |
2018-06-01 | CVE-2016-10616 | Openframe Image Project | Cryptographic Issues vulnerability in Openframe-Image Project Openframe-Image openframe-image is an Openframe extension which adds support for images via fbi. | 6.8 |
2018-06-01 | CVE-2016-10610 | Unicode | Cryptographic Issues vulnerability in Unicode Unicode-Json unicode-json is a unicode lookup table. | 6.8 |
2018-06-01 | CVE-2016-10596 | Imageoptim Project | Cryptographic Issues vulnerability in Imageoptim Project Imageoptim imageoptim is a Node.js wrapper for some images compression algorithms. | 6.8 |
2018-06-01 | CVE-2016-10594 | Ipip Project | Cryptographic Issues vulnerability in Ipip Project Ipip ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. | 6.8 |
2018-06-01 | CVE-2016-10592 | Jser Stat Project | Cryptographic Issues vulnerability in Jser-Stat Project Jser-Stat jser-stat is a JSer.info stat library. | 6.8 |
2018-06-01 | CVE-2016-10579 | Chromedriver Project | Cryptographic Issues vulnerability in Chromedriver Project Chromedriver Chromedriver is an NPM wrapper for selenium ChromeDriver. | 6.8 |
2018-06-01 | CVE-2018-11671 | Njtech | Cross-Site Request Forgery (CSRF) vulnerability in Njtech Greencms 2.3.0603 An issue was discovered in GreenCMS v2.3.0603. | 6.8 |
2018-06-01 | CVE-2018-11670 | Njtech | Cross-Site Request Forgery (CSRF) vulnerability in Njtech Greencms 2.3.0603 An issue was discovered in GreenCMS v2.3.0603. | 6.8 |
2018-05-31 | CVE-2016-10565 | Cnpmjs | Cryptographic Issues vulnerability in Cnpmjs Operadriver 0.2.1/0.2.2 operadriver is a Opera Driver for Selenium. | 6.8 |
2018-05-31 | CVE-2016-10564 | APK Parser Project | Cryptographic Issues vulnerability in Apk-Parser Project Apk-Parser apk-parser is a tool to extract Android Manifest info from an APK file. | 6.8 |
2018-05-31 | CVE-2016-10563 | Ipfs | Cryptographic Issues vulnerability in Ipfs Go-Ipfs-Dep During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. | 6.8 |
2018-05-31 | CVE-2016-10557 | Appium | Cryptographic Issues vulnerability in Appium Appium-Chromedriver appium-chromedriver is a Node.js wrapper around Chromedriver. | 6.8 |
2018-05-31 | CVE-2016-10529 | Droppy Project | Cross-Site Request Forgery (CSRF) vulnerability in Droppy Project Droppy Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. | 6.8 |
2018-05-31 | CVE-2018-11625 | Imagemagick Canonical | Out-of-bounds Read vulnerability in multiple products In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file allows attackers to cause a heap-based buffer over-read via a crafted file. | 6.8 |
2018-05-31 | CVE-2018-11624 | Imagemagick | Use After Free vulnerability in Imagemagick 7.0.736 In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows attackers to cause a use after free via a crafted file. | 6.8 |
2018-05-31 | CVE-2018-11595 | Espruino | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Escalation of Privileges with a user crafted input file via a Buffer Overflow during syntax parsing, because strncat is misused. | 6.8 |
2018-05-31 | CVE-2018-11577 | Liblouis Canonical Opensuse | Classic Buffer Overflow vulnerability in multiple products Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. | 6.8 |
2018-05-31 | CVE-2018-11571 | Clippercms | Session Fixation vulnerability in Clippercms 1.3.3 ClipperCMS 1.3.3 allows Session Fixation. | 6.8 |
2018-05-30 | CVE-2015-7610 | Zimbra Synacor | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token. | 6.8 |
2018-05-30 | CVE-2018-11518 | Hcltech | Improper Input Validation vulnerability in Hcltech Legacy IVR Firmware A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. | 6.8 |
2018-05-30 | CVE-2018-11438 | Libmobi Project | Out-of-bounds Write vulnerability in Libmobi Project Libmobi 0.3 The mobi_decompress_lz77 function in compression.c in Libmobi 0.3 allows remote attackers to cause remote code execution (heap-based buffer overflow) via a crafted mobi file. | 6.8 |
2018-05-30 | CVE-2018-11235 | Debian Canonical Redhat GIT SCM Gitforwindows | Path Traversal vulnerability in multiple products In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. | 6.8 |
2018-05-29 | CVE-2016-10680 | Adamvr Geoip Lite Project | Cryptographic Issues vulnerability in Adamvr-Geoip-Lite Project Adamvr-Geoip-Lite adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. | 6.8 |
2018-05-29 | CVE-2016-10578 | Unicode Project | Cryptographic Issues vulnerability in Unicode Project Unicode unicode loads unicode data downloaded from unicode.org into nodejs. | 6.8 |
2018-05-29 | CVE-2016-10577 | IBM | Cryptographic Issues vulnerability in IBM DB ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. | 6.8 |
2018-05-29 | CVE-2016-10568 | Geoip Lite Country Project | Cryptographic Issues vulnerability in Geoip-Lite-Country Project Geoip-Lite-Country geoip-lite-country is a stripped down version of geoip-lite, supporting only country lookup. | 6.8 |
2018-05-29 | CVE-2018-11527 | Cscms Project | Cross-Site Request Forgery (CSRF) vulnerability in Cscms Project Cscms 4.1 An issue was discovered in CScms v4.1. | 6.8 |
2018-06-02 | CVE-2018-11188 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 46 of 46). | 6.5 |
2018-06-02 | CVE-2018-11187 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 45 of 46). | 6.5 |
2018-06-02 | CVE-2018-11186 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 44 of 46). | 6.5 |
2018-06-02 | CVE-2018-11185 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 43 of 46). | 6.5 |
2018-06-02 | CVE-2018-11184 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 42 of 46). | 6.5 |
2018-06-02 | CVE-2018-11183 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 41 of 46). | 6.5 |
2018-06-02 | CVE-2018-11182 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 40 of 46). | 6.5 |
2018-06-02 | CVE-2018-11181 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 39 of 46). | 6.5 |
2018-06-02 | CVE-2018-11180 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 38 of 46). | 6.5 |
2018-06-02 | CVE-2018-11179 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 37 of 46). | 6.5 |
2018-06-02 | CVE-2018-11178 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 36 of 46). | 6.5 |
2018-06-02 | CVE-2018-11177 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 35 of 46). | 6.5 |
2018-06-02 | CVE-2018-11176 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 34 of 46). | 6.5 |
2018-06-02 | CVE-2018-11175 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 33 of 46). | 6.5 |
2018-06-02 | CVE-2018-11174 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 32 of 46). | 6.5 |
2018-06-02 | CVE-2018-11173 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 31 of 46). | 6.5 |
2018-06-02 | CVE-2018-11172 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 30 of 46). | 6.5 |
2018-06-02 | CVE-2018-11171 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 29 of 46). | 6.5 |
2018-06-02 | CVE-2018-11170 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 28 of 46). | 6.5 |
2018-06-02 | CVE-2018-11169 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46). | 6.5 |
2018-06-02 | CVE-2018-11168 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 26 of 46). | 6.5 |
2018-06-02 | CVE-2018-11167 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 25 of 46). | 6.5 |
2018-06-02 | CVE-2018-11166 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 24 of 46). | 6.5 |
2018-06-02 | CVE-2018-11165 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 23 of 46). | 6.5 |
2018-06-02 | CVE-2018-11164 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 22 of 46). | 6.5 |
2018-06-02 | CVE-2018-11163 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 21 of 46). | 6.5 |
2018-06-02 | CVE-2018-11162 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 20 of 46). | 6.5 |
2018-06-02 | CVE-2018-11161 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 19 of 46). | 6.5 |
2018-06-02 | CVE-2018-11160 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 18 of 46). | 6.5 |
2018-06-02 | CVE-2018-11159 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 17 of 46). | 6.5 |
2018-06-02 | CVE-2018-11158 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 16 of 46). | 6.5 |
2018-06-02 | CVE-2018-11157 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 15 of 46). | 6.5 |
2018-06-02 | CVE-2018-11156 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 14 of 46). | 6.5 |
2018-06-02 | CVE-2018-11155 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 13 of 46). | 6.5 |
2018-06-02 | CVE-2018-11154 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 12 of 46). | 6.5 |
2018-06-02 | CVE-2018-11153 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 11 of 46). | 6.5 |
2018-06-02 | CVE-2018-11152 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 10 of 46). | 6.5 |
2018-06-02 | CVE-2018-11151 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 9 of 46). | 6.5 |
2018-06-02 | CVE-2018-11150 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 8 of 46). | 6.5 |
2018-06-02 | CVE-2018-11149 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 7 of 46). | 6.5 |
2018-06-02 | CVE-2018-11148 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 6 of 46). | 6.5 |
2018-06-02 | CVE-2018-11147 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 5 of 46). | 6.5 |
2018-06-02 | CVE-2018-11146 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 4 of 46). | 6.5 |
2018-06-02 | CVE-2018-11145 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 3 of 46). | 6.5 |
2018-06-02 | CVE-2018-11144 | Quest | OS Command Injection vulnerability in Quest Disk Backup Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 2 of 46). | 6.5 |
2018-06-01 | CVE-2018-5523 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 and Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. | 6.5 |
2018-06-01 | CVE-2018-8922 | Synology | Unspecified vulnerability in Synology Drive Server 1.0.210275 Improper access control vulnerability in Synology Drive before 1.0.2-10275 allows remote authenticated users to access non-shared files or folders via unspecified vectors. | 6.5 |
2018-05-31 | CVE-2018-5388 | Strongswan Debian Canonical | Out-of-bounds Write vulnerability in multiple products In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. | 6.5 |
2018-05-30 | CVE-2018-11481 | TP Link | Improper Input Validation vulnerability in Tp-Link products TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters. | 6.5 |
2018-05-29 | CVE-2018-11392 | Jigowatt | Unrestricted Upload of File with Dangerous Type vulnerability in Jigowatt PHP Login & User Management An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field. | 6.5 |
2018-05-29 | CVE-2018-1370 | IBM | Incorrect Permission Assignment for Critical Resource vulnerability in IBM Security Guardium BIG Data Intelligence 3.1 IBM Security Guardium Big Data Intelligence (SonarG) 3.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. | 6.5 |
2018-05-28 | CVE-2018-11514 | Naukri Clone Script Project | Unrestricted Upload of File with Dangerous Type vulnerability in Naukri Clone Script Project Naukri Clone Script 3.0.3 PHP Scripts Mall Naukri Clone Script through 3.0.3 allows Unrestricted Upload of a File with a Dangerous Type in edit_resume_det.php, as demonstrated by changing .docx to .php. | 6.5 |
2018-05-31 | CVE-2018-11036 | Ruckuswireless | Information Exposure vulnerability in Ruckuswireless products Ruckus SmartZone (formerly Virtual SmartCell Gateway or vSCG) 3.5.0, 3.5.1, 3.6.0, and 3.6.1 (Essentials and High Scale) on vSZ, SZ-100, SZ-300, and SCG-200 devices allows remote attackers to obtain sensitive information or modify data. | 6.4 |
2018-06-01 | CVE-2017-17171 | Huawei | Improper Input Validation vulnerability in Huawei Mate 8 Firmware, P9 Firmware and P9 Plus Firmware Some Huawei smart phones have the denial of service (DoS) vulnerability due to the improper processing of malicious parameters. | 6.3 |
2018-06-01 | CVE-2018-3755 | Sexstatic Project | Cross-site Scripting vulnerability in Sexstatic Project Sexstatic 0.6.0/0.6.2 XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name. | 6.1 |
2018-06-01 | CVE-2018-3743 | Hekto Project | Open Redirect vulnerability in Hekto Project Hekto Open redirect in hekto <=0.2.3 when target domain name is used as html filename on server. | 6.1 |
2018-05-31 | CVE-2016-10524 | I18N Node Angular Project | Resource Exhaustion vulnerability in I18N-Node-Angular Project I18N-Node-Angular i18n-node-angular is a module used to interact between i18n and angular without using additional resources. | 6.0 |
2018-05-31 | CVE-2016-10552 | Infragistics | 7PK - Security Features vulnerability in Infragistics Igniteui igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol. | 5.8 |
2018-05-31 | CVE-2018-11598 | Espruino | Out-of-bounds Read vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Information Disclosure with user crafted input files via a Buffer Overflow or Out-of-bounds Read during syntax parsing of certain for loops in jsparse.c. | 5.8 |
2018-05-31 | CVE-2018-11593 | Espruino | Out-of-bounds Write vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) and potential Information Disclosure with a user crafted input file via a Buffer Overflow during syntax parsing because strncpy is misused in jslex.c. | 5.8 |
2018-05-30 | CVE-2018-11478 | Vgate | Improper Authentication vulnerability in Vgate Icar 2 Wi-Fi Obd2 Firmware An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. | 5.8 |
2018-05-30 | CVE-2018-11476 | Vgate | Missing Authentication for Critical Function vulnerability in Vgate Icar 2 Wi-Fi Obd2 Firmware An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. | 5.8 |
2018-05-31 | CVE-2018-9313 | BMW | Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a remote attack via Bluetooth when in pairing mode, leading to a Head Unit reboot. | 5.7 |
2018-05-30 | CVE-2018-10196 | Graphviz Fedoraproject Canonical | NULL Pointer Dereference vulnerability in multiple products NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file. | 5.5 |
2018-05-29 | CVE-2018-1495 | IBM | Improper Privilege Management vulnerability in IBM Flashsystem 840 Firmware and Flashsystem 900 Firmware IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service. | 5.5 |
2018-06-01 | CVE-2018-8921 | Synology | Cross-site Scripting vulnerability in Synology Drive Server 1.0.010240/1.0.110253 Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name. | 5.4 |
2018-05-29 | CVE-2018-10751 | Samsung | Integer Overflow or Wraparound vulnerability in Samsung Mobile A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. | 5.4 |
2018-06-01 | CVE-2018-11645 | Artifex | Information Exposure vulnerability in Artifex Ghostscript psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. | 5.3 |
2018-06-01 | CVE-2018-3809 | Zeit | Information Exposure vulnerability in Zeit Serve 6.5.3 Information exposure through directory listings in serve 6.5.3 allows directory listing and file access even when they have been set to be ignored. | 5.0 |
2018-06-01 | CVE-2018-3756 | Hyperledger | Improper Verification of Cryptographic Signature vulnerability in Hyperledger Iroha 1.0/1.0.0 Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures. | 5.0 |
2018-06-01 | CVE-2018-11196 | Mahara | Unrestricted Upload of File with Dangerous Type vulnerability in Mahara Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara. | 5.0 |
2018-06-01 | CVE-2018-11657 | Miniupnp Project | Infinite Loop vulnerability in Miniupnp Project Ngiflib 0.4 ngiflib.c in MiniUPnP ngiflib 0.4 has an infinite loop in DecodeGifImg and LoadGif. | 5.0 |
2018-06-01 | CVE-2017-2860 | Natus | Out-of-bounds Read vulnerability in Natus Xltek Neuroworks 8 An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8. | 5.0 |
2018-06-01 | CVE-2017-2858 | Natus | Out-of-bounds Read vulnerability in Natus Xltek Neuroworks 8 An exploitable denial-of-service vulnerability exists in the traversal of lists functionality of Natus Xltek NeuroWorks 8. | 5.0 |
2018-06-01 | CVE-2017-2852 | Natus | Out-of-bounds Read vulnerability in Natus Xltek Neuroworks 8 An exploitable denial-of-service vulnerability exists in the unserialization of lists functionality of Natus Xltek NeuroWorks 8. | 5.0 |
2018-06-01 | CVE-2018-5524 | F5 | Unspecified vulnerability in F5 products Under certain conditions, on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.6.1 HF2-11.6.3.1, virtual servers configured with Client SSL or Server SSL profiles which make use of network hardware security module (HSM) functionality are exposed and impacted by this issue. | 5.0 |
2018-06-01 | CVE-2018-5513 | F5 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, a malformed TLS handshake causes TMM to crash leading to a disruption of service. | 5.0 |
2018-06-01 | CVE-2017-6153 | F5 | Resource Exhaustion vulnerability in F5 products Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 system that utilizes inflate functionality directly, via an iRule, or via the inflate code from PEM module are subjected to a service disruption via a "Zip Bomb" attack. | 5.0 |
2018-06-01 | CVE-2018-11646 | Webkitgtk | Unspecified vulnerability in Webkitgtk Webkitgtk+ webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. | 5.0 |
2018-05-31 | CVE-2016-10561 | Bitty Project | Path Traversal vulnerability in Bitty Project Bitty 0.2.10 Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`. | 5.0 |
2018-05-31 | CVE-2016-10543 | Call Project | Improper Input Validation vulnerability in Call Project Call call is an HTTP router that is primarily used by the hapi framework. | 5.0 |
2018-05-31 | CVE-2016-10542 | WS Project | Improper Input Validation vulnerability in WS Project WS ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". | 5.0 |
2018-05-31 | CVE-2016-10540 | Minimatch Project | Improper Input Validation vulnerability in Minimatch Project Minimatch Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. | 5.0 |
2018-05-31 | CVE-2016-10539 | Negotiator Project | Improper Input Validation vulnerability in Negotiator Project Negotiator negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. | 5.0 |
2018-05-31 | CVE-2016-10527 | Riot JS | Resource Management Errors vulnerability in Riot.Js Riot-Compiler 2.3.21 The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions. | 5.0 |
2018-05-31 | CVE-2016-10526 | Grunt GH Pages Project | Credentials Management vulnerability in Grunt-Gh-Pages Project Grunt-Gh-Pages A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. | 5.0 |
2018-05-31 | CVE-2016-10523 | Mqtt Packet Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mqtt-Packet Project Mqtt-Packet 4.0.0 MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth. | 5.0 |
2018-05-31 | CVE-2016-10521 | Jshamcrest Project | Improper Input Validation vulnerability in Jshamcrest Project Jshamcrest 0.6.7/0.7.0/0.7.1 jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator. | 5.0 |
2018-05-31 | CVE-2016-10520 | Jadedown Project | Improper Input Validation vulnerability in Jadedown Project Jadedown 0.0.1/0.0.2/0.0.3 jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in. | 5.0 |
2018-05-31 | CVE-2016-10519 | Webtorrent | Information Exposure vulnerability in Webtorrent Bittorrent-Dht A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory. | 5.0 |
2018-05-31 | CVE-2016-10518 | WS Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in WS Project WS A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. | 5.0 |
2018-05-31 | CVE-2015-9239 | Ansi2Html Project | Improper Input Validation vulnerability in Ansi2Html Project Ansi2Html 0.0.1 ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in. | 5.0 |
2018-05-31 | CVE-2015-9238 | Secure Compare Project | Use of Externally-Controlled Format String vulnerability in Secure-Compare Project Secure-Compare secure-compare 3.0.0 and below do not actually compare two strings properly. | 5.0 |
2018-05-31 | CVE-2015-9236 | Hapijs | Information Exposure vulnerability in Hapijs Hapi Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. | 5.0 |
2018-05-31 | CVE-2014-10066 | Fancy Server Project | Path Traversal vulnerability in Fancy-Server Project Fancy-Server Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. | 5.0 |
2018-05-31 | CVE-2014-10064 | QS Project | Resource Management Errors vulnerability in QS Project QS The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. | 5.0 |
2018-05-31 | CVE-2018-11626 | Simple Lossless Audio Project | Out-of-bounds Write vulnerability in Simple Lossless Audio Project Simple Lossless Audio 0.1.2 SELA (aka SimplE Lossless Audio) v0.1.2-alpha has a stack-based buffer overflow in the core/apev2.c init_apev2_keys function. | 5.0 |
2018-05-31 | CVE-2018-11579 | Multidots | Improper Authentication vulnerability in Multidots Woocommerce Category Banner Management 1.1.0 class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. | 5.0 |
2018-05-30 | CVE-2018-11565 | Mahara | Information Exposure vulnerability in Mahara Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information. | 5.0 |
2018-05-30 | CVE-2018-10995 | Schedmd Debian | Improper Input Validation vulnerability in multiple products SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles user names (aka user_name fields) and group ids (aka gid fields). | 5.0 |
2018-05-30 | CVE-2018-11233 | Canonical GIT SCM | Out-of-bounds Read vulnerability in multiple products In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. | 5.0 |
2018-05-29 | CVE-2018-11548 | Block | Improper Input Validation vulnerability in Block EOS Dawn4.2.0 An issue was discovered in EOS.IO DAWN 4.2. | 5.0 |
2018-05-29 | CVE-2018-11544 | Theolivetree | Insufficiently Protected Credentials vulnerability in Theolivetree FTP Server 1.32 The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the prefUsername and prefUserpass strings. | 5.0 |
2018-05-29 | CVE-2017-16153 | Gaoxuyan Project | Path Traversal vulnerability in Gaoxuyan Project Gaoxuyan gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | 5.0 |
2018-05-29 | CVE-2017-16062 | Node Tkinter Project | Information Exposure vulnerability in Node-Tkinter Project Node-Tkinter node-tkinter was a malicious module published with the intent to hijack environment variables. | 5.0 |
2018-05-29 | CVE-2017-16061 | Tkinter Package | Information Exposure vulnerability in Tkinter Package Tkinter tkinter was a malicious module published with the intent to hijack environment variables. | 5.0 |
2018-05-29 | CVE-2017-16047 | Mysqljs Project | Information Exposure vulnerability in Mysqljs Project Mysqljs mysqljs was a malicious module published with the intent to hijack environment variables. | 5.0 |
2018-05-29 | CVE-2016-10556 | Sequelizejs | SQL Injection vulnerability in Sequelizejs Sequelize sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. | 5.0 |
2018-05-29 | CVE-2015-9242 | Ecstatic Project | Improper Input Validation vulnerability in Ecstatic Project Ecstatic Certain input strings when passed to new Date() or Date.parse() in ecstatic node module before 1.4.0 will cause v8 to raise an exception. | 5.0 |
2018-05-29 | CVE-2015-9241 | Hapijs | Improper Input Validation vulnerability in Hapijs Hapi Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. | 5.0 |
2018-05-29 | CVE-2015-9240 | Keystonejs | Credentials Management vulnerability in Keystonejs Keystone Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. | 5.0 |
2018-05-29 | CVE-2014-10068 | Hapi | Path Traversal vulnerability in Hapi Inert 1.0.0/1.1.0 The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false. | 5.0 |
2018-05-29 | CVE-2018-1375 | IBM | Session Fixation vulnerability in IBM Security Guardium BIG Data Intelligence 3.1 IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. | 5.0 |
2018-05-29 | CVE-2018-11488 | Dtsearch | Allocation of Resources Without Limits or Throttling vulnerability in Dtsearch 7.66.7936/7.90.8538.1 A stack exhaustion vulnerability in the search function of dtSearch 7.90.8538.1 and prior allows remote attackers to cause a denial of service condition by sending a specially crafted HTTP request. | 5.0 |
2018-05-28 | CVE-2018-10732 | Dataiku | Information Exposure vulnerability in Dataiku Data Science Studio The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information (i.e., determine if a username is valid) because of profile pictures visibility. | 5.0 |
2018-05-28 | CVE-2018-11517 | Myscada | Information Exposure vulnerability in Myscada Mypro 7.0 mySCADA myPRO 7 allows remote attackers to discover all ProjectIDs in a project by sending all of the prj parameter values from 870000 to 875000 in t=0&rq=0 requests to TCP port 11010. | 5.0 |
2018-05-28 | CVE-2018-11515 | Gvectors | SQL Injection vulnerability in Gvectors Wpforo The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter. | 5.0 |
2018-05-31 | CVE-2016-10538 | CLI Project Debian | Race Condition vulnerability in multiple products The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. | 4.9 |
2018-06-02 | CVE-2018-11680 | Cmseasy | Cross-Site Request Forgery (CSRF) vulnerability in Cmseasy 6.0 An issue was discovered in CmsEasy 6.1_20180508. | 4.3 |
2018-06-02 | CVE-2018-11522 | Yosoro Project | Cross-site Scripting vulnerability in Yosoro Project Yosoro 1.0.4 Yosoro 1.0.4 has stored XSS. | 4.3 |
2018-06-01 | CVE-2016-10630 | Install G Test Project | Cryptographic Issues vulnerability in Install-G-Test Project Install-G-Test install-g-test downloads resources over HTTP, which leaves it vulnerable to MITM attacks. | 4.3 |
2018-06-01 | CVE-2016-10613 | Bionode | Cryptographic Issues vulnerability in Bionode Bionode-Sra bionode-sra is a Node.js wrapper for SRA Toolkit. | 4.3 |
2018-06-01 | CVE-2016-10597 | Cobalt CLI Project | Missing Encryption of Sensitive Data vulnerability in Cobalt-Cli Project Cobalt-Cli cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks. | 4.3 |
2018-06-01 | CVE-2018-11552 | NCH | Cross-site Scripting vulnerability in NCH Axon PBX 2.02 There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field. | 4.3 |
2018-06-01 | CVE-2018-11656 | Imagemagick Canonical | Missing Release of Resource after Effective Lifetime vulnerability in multiple products In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file. | 4.3 |
2018-06-01 | CVE-2018-11655 | Imagemagick Canonical | Missing Release of Resource after Effective Lifetime vulnerability in multiple products In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function GetImagePixelCache in MagickCore/cache.c, which allows attackers to cause a denial of service via a crafted CALS image file. | 4.3 |
2018-06-01 | CVE-2018-11628 | Emssoftware | Cross-site Scripting vulnerability in Emssoftware EMS Master Calendar Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS. | 4.3 |
2018-06-01 | CVE-2018-11486 | Multidots | Cross-site Scripting vulnerability in Multidots Advance Search FOR Woocommerce An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. | 4.3 |
2018-06-01 | CVE-2018-11485 | Multidots | Cross-site Scripting vulnerability in Multidots Woocommerce Quick Reports The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. | 4.3 |
2018-06-01 | CVE-2018-5526 | F5 | Unspecified vulnerability in F5 Big-Ip Application Security Manager Under certain conditions, on F5 BIG-IP ASM 13.1.0-13.1.0.5, Behavioral DOS (BADOS) protection may fail during an attack. | 4.3 |
2018-06-01 | CVE-2018-5522 | F5 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP 13.0.0, 12.0.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, when processing DIAMETER transactions with carefully crafted attribute-value pairs, TMM may crash. | 4.3 |
2018-06-01 | CVE-2018-5521 | F5 | Cross-site Scripting vulnerability in F5 products On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS. | 4.3 |
2018-06-01 | CVE-2018-11651 | Graylog | Cross-site Scripting vulnerability in Graylog Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx. | 4.3 |
2018-06-01 | CVE-2018-11650 | Graylog | Cross-site Scripting vulnerability in Graylog Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. | 4.3 |
2018-06-01 | CVE-2018-11649 | Gethue | Cross-site Scripting vulnerability in Gethue HUE 3.12 Hue 3.12 has XSS via the /pig/save/ name and script parameters. | 4.3 |
2018-05-31 | CVE-2018-9186 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortiauthenticator A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header. | 4.3 |
2018-05-31 | CVE-2018-10379 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. | 4.3 |
2018-05-31 | CVE-2018-11633 | Multidots | Cross-Site Request Forgery (CSRF) vulnerability in Multidots WOO Checkout for Digital Goods 2.1 An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. | 4.3 |
2018-05-31 | CVE-2018-11632 | Multidots | Cross-Site Request Forgery (CSRF) vulnerability in Multidots ADD Social Share Messenger Buttons Whatsapp and Viber 1.0.8 An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. | 4.3 |
2018-05-31 | CVE-2016-10548 | Reduce CSS Calc Project | Cross-site Scripting vulnerability in Reduce-Css-Calc Project Reduce-Css-Calc Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. | 4.3 |
2018-05-31 | CVE-2016-10547 | Mozilla | Cross-site Scripting vulnerability in Mozilla Nunjucks Nunjucks is a full featured templating engine for JavaScript. | 4.3 |
2018-05-31 | CVE-2016-10544 | UWS Project | Improper Input Validation vulnerability in UWS Project UWS 0.10.0/0.10.8 uws is a WebSocket server library. | 4.3 |
2018-05-31 | CVE-2016-10536 | Socket | Improper Certificate Validation vulnerability in Socket Engine.Io-Client engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. | 4.3 |
2018-05-31 | CVE-2016-10535 | Csrf Lite Project | Cryptographic Issues vulnerability in Csrf-Lite Project Csrf-Lite csrf-lite is a cross-site request forgery protection library for framework-less node sites. | 4.3 |
2018-05-31 | CVE-2016-10534 | Electron Packager Project | Improper Certificate Validation vulnerability in Electron-Packager Project Electron-Packager electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. | 4.3 |
2018-05-31 | CVE-2016-10531 | Marked Project | Cross-site Scripting vulnerability in Marked Project Marked marked is an application that is meant to parse and compile markdown. | 4.3 |
2018-05-31 | CVE-2016-10530 | Airbrake | Information Exposure vulnerability in Airbrake The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. | 4.3 |
2018-05-31 | CVE-2014-10065 | Remarkable Project | Cross-site Scripting vulnerability in Remarkable Project Remarkable Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content. | 4.3 |
2018-05-31 | CVE-2018-11627 | Sinatrarb Redhat | Cross-site Scripting vulnerability in multiple products Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. | 4.3 |
2018-05-31 | CVE-2018-11133 | Quest | Cross-site Scripting vulnerability in Quest Kace System Management Appliance 8.0.318 The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. | 4.3 |
2018-05-31 | CVE-2018-11597 | Espruino | Uncontrolled Recursion vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c. | 4.3 |
2018-05-31 | CVE-2018-11596 | Espruino | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because a check for '\0' is made for the wrong array element in jsvar.c. | 4.3 |
2018-05-31 | CVE-2018-11594 | Espruino | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing of "VOID" tokens in jsparse.c. | 4.3 |
2018-05-31 | CVE-2018-11592 | Espruino | Out-of-bounds Read vulnerability in Espruino Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via an Out-of-bounds Read during syntax parsing in which certain height validation is missing in libs/graphics/jswrap_graphics.c. | 4.3 |
2018-05-31 | CVE-2018-11591 | Espruino | NULL Pointer Dereference vulnerability in Espruino Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via a NULL pointer dereference during syntax parsing. | 4.3 |
2018-05-31 | CVE-2018-11590 | Espruino | Integer Overflow or Wraparound vulnerability in Espruino Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via an integer overflow during syntax parsing. | 4.3 |
2018-05-31 | CVE-2018-11583 | Seacms | Cross-site Scripting vulnerability in Seacms 6.61 SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter. | 4.3 |
2018-05-31 | CVE-2018-11578 | Miniupnp Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Miniupnp Project Ngiflib 0.4 GifIndexToTrueColor in ngiflib.c in MiniUPnP ngiflib 0.4 has a Segmentation fault. | 4.3 |
2018-05-30 | CVE-2018-11568 | Cactusthemes | Cross-site Scripting vulnerability in Cactusthemes Gameplan-Event and GYM Fitness Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. | 4.3 |
2018-05-30 | CVE-2018-10939 | Zimbra Synacor | Cross-site Scripting vulnerability in multiple products Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | 4.3 |
2018-05-30 | CVE-2018-11562 | Misp | Cross-site Scripting vulnerability in Misp 2.4.91 An issue was discovered in MISP 2.4.91. | 4.3 |
2018-05-30 | CVE-2018-11439 | Taglib Debian | Out-of-bounds Read vulnerability in multiple products The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file. | 4.3 |
2018-05-30 | CVE-2018-11437 | Libmobi Project | Information Exposure vulnerability in Libmobi Project Libmobi 0.3 The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file. | 4.3 |
2018-05-30 | CVE-2018-11436 | Libmobi Project | Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3 The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file. | 4.3 |
2018-05-30 | CVE-2018-11435 | Libmobi Project | Information Exposure vulnerability in Libmobi Project Libmobi 0.3 The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file. | 4.3 |
2018-05-30 | CVE-2018-11434 | Libmobi Project | Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3 The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file. | 4.3 |
2018-05-30 | CVE-2018-11433 | Libmobi Project | Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3 The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file. | 4.3 |
2018-05-30 | CVE-2018-11432 | Libmobi Project | Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3 The mobi_parse_mobiheader function in read.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file. | 4.3 |
2018-05-30 | CVE-2018-11557 | Yiban | Cross-site Scripting vulnerability in Yiban Easy Class Education Platform 2.0 YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter. | 4.3 |
2018-05-29 | CVE-2018-11027 | Ruckussecurity | Cross-site Scripting vulnerability in Ruckussecurity Icx7450-48 Firmware A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML. | 4.3 |
2018-05-29 | CVE-2017-16010 | I18Next | Cross-site Scripting vulnerability in I18Next i18next is a language translation framework. | 4.3 |
2018-05-29 | CVE-2015-9243 | Hapijs | 7PK - Security Features vulnerability in Hapijs Hapi When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. | 4.3 |
2018-05-29 | CVE-2014-10067 | Paypal IPN Project | Improper Authentication vulnerability in Paypal-Ipn Project Paypal-Ipn paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. | 4.3 |
2018-05-29 | CVE-2018-1376 | IBM | Cross-site Scripting vulnerability in IBM Security Guardium BIG Data Intelligence 3.1 IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulnerable to cross-site scripting. | 4.3 |
2018-05-29 | CVE-2018-1369 | IBM | Information Exposure vulnerability in IBM Security Guardium BIG Data Intelligence 3.1 IBM Security Guardium Big Data Intelligence (SonarG) 3.1 stores sensitive information in URL parameters. | 4.3 |
2018-05-29 | CVE-2018-11532 | Changuondyu Advanced Statistics Project | Cross-site Scripting vulnerability in Changuondyu Advanced Statistics Project Changuondyu Advanced Statistics 1.0.2 An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB. | 4.3 |
2018-05-28 | CVE-2018-11507 | Flif | Excessive Iteration vulnerability in Flif 0.3 An issue was discovered in Free Lossless Image Format (FLIF) 0.3. | 4.3 |
2018-06-01 | CVE-2018-7949 | Huawei | Improper Authentication vulnerability in Huawei products The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a privilege escalation vulnerability. | 4.0 |
2018-06-01 | CVE-2018-5525 | F5 | Information Exposure vulnerability in F5 products A local file vulnerability exists in the F5 BIG-IP Configuration utility on versions 13.0.0, 12.1.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 that exposes files containing F5-provided data only and do not include any configuration data, proxied traffic, or other potentially sensitive customer data. | 4.0 |
2018-05-31 | CVE-2018-1532 | IBM | Information Exposure vulnerability in IBM API Connect IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. | 4.0 |
2018-05-31 | CVE-2016-10555 | JWT Simple Project | Cryptographic Issues vulnerability in Jwt-Simple Project Jwt-Simple 0.1.0/0.2.0/0.3.0 Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. | 4.0 |
2018-05-31 | CVE-2016-10533 | Express Restify Mongoose Project | Information Exposure vulnerability in Express-Restify-Mongoose Project Express-Restify-Mongoose express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. | 4.0 |
2018-05-31 | CVE-2016-10528 | Restafary Project | Path Traversal vulnerability in Restafary Project Restafary restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. | 4.0 |
2018-05-31 | CVE-2018-11137 | Quest | Path Traversal vulnerability in Quest Kace System Management Appliance 8.0.318 The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via Directory Traversal. | 4.0 |
2018-05-29 | CVE-2018-1242 | EMC | OS Command Injection vulnerability in EMC Recoverpoint and Recoverpoint FOR Virtual Machines Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contains a command injection vulnerability in the Boxmgmt CLI. | 4.0 |
2018-05-29 | CVE-2018-1241 | EMC | Information Exposure Through Log Files vulnerability in EMC Recoverpoint and Recoverpoint for Virtual Machines Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, under certain conditions, may leak LDAP password in plain-text into the RecoverPoint log file. | 4.0 |
2018-05-29 | CVE-2017-1768 | IBM | Information Exposure vulnerability in IBM Security Guardium BIG Data Intelligence 3.1 IBM Security Guardium Big Data Intelligence (SonarG) 3.1 generates an error message that includes sensitive information about its environment, users, or associated data. | 4.0 |
22 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-06-02 | CVE-2018-1002100 | Kubernetes | Improper Input Validation vulnerability in Kubernetes In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files. | 3.6 |
2018-06-02 | CVE-2018-11564 | Pagekit | Cross-site Scripting vulnerability in Pagekit Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. | 3.5 |
2018-06-01 | CVE-2018-11581 | Brother | Cross-site Scripting vulnerability in Brother Hl-L2340D Firmware and Hl-L2380Dw Firmware Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html. | 3.5 |
2018-06-01 | CVE-2018-10382 | Modx | Cross-site Scripting vulnerability in Modx Revolution 2.6.3 MODX Revolution 2.6.3 has XSS. | 3.5 |
2018-06-01 | CVE-2018-7976 | Huawei | Cross-site Scripting vulnerability in Huawei Espace Desktop 300R001C00/300R001C50 There is a stored cross-site scripting (XSS) vulnerability in Huawei eSpace Desktop V300R001C00 and V300R001C50 version. | 3.5 |
2018-05-31 | CVE-2018-1496 | IBM | Cross-site Scripting vulnerability in IBM Content Navigator IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnerable to cross-site scripting. | 3.5 |
2018-05-31 | CVE-2016-10537 | Backbone Project | Cross-site Scripting vulnerability in Backbone Project Backbone backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. | 3.5 |
2018-05-31 | CVE-2018-11580 | Multidots | Cross-site Scripting vulnerability in Multidots Mass Pages/Posts Creator 1.2.2 An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. | 3.5 |
2018-05-31 | CVE-2018-11572 | Clippercms | Cross-site Scripting vulnerability in Clippercms 1.3.3 ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> Manage modules -> edit" action to the manager/ URI. | 3.5 |
2018-05-30 | CVE-2018-11559 | Domainmod | Cross-site Scripting vulnerability in Domainmod 4.10.0 DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter. | 3.5 |
2018-05-30 | CVE-2018-11558 | Domainmod | Cross-site Scripting vulnerability in Domainmod 4.10.0 DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_first_name parameter. | 3.5 |
2018-05-29 | CVE-2018-11549 | Wuzhicms | Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0 An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring. | 3.5 |
2018-05-28 | CVE-2018-11430 | Moderator LOG Notes Project | Cross-site Scripting vulnerability in Moderator LOG Notes Project Moderator LOG Notes 1.1 An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. | 3.5 |
2018-05-28 | CVE-2018-11512 | Creatiwity | Cross-site Scripting vulnerability in Creatiwity Witycms 0.6.1 Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general. | 3.5 |
2018-05-31 | CVE-2018-11631 | Rondaful Project | Unspecified vulnerability in Rondaful Project Rondaful M1 Wristband Smart Band 1 Firmware Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to send an arbitrary number of call or SMS notifications via crafted Bluetooth Low Energy (BLE) traffic. | 3.3 |
2018-05-30 | CVE-2018-11567 | Amazon | Session Fixation vulnerability in Amazon products Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. | 3.3 |
2018-05-30 | CVE-2018-11477 | Vgate | Cleartext Transmission of Sensitive Information vulnerability in Vgate Icar 2 Wi-Fi Obd2 Firmware An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. | 3.3 |
2018-06-01 | CVE-2018-11195 | Mahara | Information Exposure vulnerability in Mahara Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" attack. | 2.1 |
2018-05-31 | CVE-2016-10549 | Sailsjs | Cross-site Scripting vulnerability in Sailsjs Sails Sails is an MVC style framework for building realtime web applications. | 2.1 |
2018-05-31 | CVE-2018-11142 | Quest | Incorrect Authorization vulnerability in Quest Kace System Management Appliance 8.0.318 The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. | 2.1 |
2018-05-28 | CVE-2018-11508 | Linux Canonical | Information Exposure vulnerability in Linux Kernel The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex. | 2.1 |
2018-05-30 | CVE-2018-7534 | Unisys | Key Management Errors vulnerability in Unisys Stealth Authorization Server In Stealth Authorization Server before 3.3.017.0 in Unisys Stealth Solution, an encryption key may be left in memory. | 1.9 |