Weekly Vulnerabilities Reports > May 28 to June 3, 2018

Overview

378 new vulnerabilities reported during this period, including 97 critical vulnerabilities and 41 high severity vulnerabilities. This weekly summary report vulnerabilities in 357 products from 239 vendors including Quest, Canonical, IBM, Espruino, and F5. Vulnerabilities are notably categorized as "Cryptographic Issues", "OS Command Injection", "Cross-site Scripting", "Information Exposure", and "Improper Input Validation".

  • 356 reported vulnerabilities are remotely exploitables.
  • 21 reported vulnerabilities have public exploit available.
  • 139 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 281 reported vulnerabilities are exploitable by an anonymous user.
  • Quest has the most reported vulnerabilities, with 63 reported vulnerabilities.
  • Quest has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

97 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-06-01 CVE-2018-3757 PDF Image Project OS Command Injection vulnerability in Pdf-Image Project Pdf-Image 2.0.0

Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.

10.0
2018-06-01 CVE-2018-11652 Cirt NET Improper Neutralization of Formula Elements in a CSV File vulnerability in Cirt.Net Nikto

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.

10.0
2018-05-31 CVE-2016-10546 Pouchdb Code Injection vulnerability in Pouchdb

An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents.

10.0
2018-05-31 CVE-2016-10532 Console IO Project Improper Authentication vulnerability in Console-Io Project Console-Io

console-io is a module that allows users to implement a web console in their application.

10.0
2018-05-31 CVE-2018-11138 Quest OS Command Injection vulnerability in Quest Kace System Management Appliance 8.0.318

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

10.0
2018-05-31 CVE-2018-9318 BMW Protection Mechanism Failure vulnerability in BMW Telematics Control Unit Firmware

The Telematics Control Unit (aka Telematic Communication Box or TCB), when present on BMW vehicles produced in 2012 through 2018, allows a remote attack via a cellular network.

10.0
2018-05-31 CVE-2018-9311 BMW Protection Mechanism Failure vulnerability in BMW Telematics Control Unit Firmware

The Telematics Control Unit (aka Telematic Communication Box or TCB), when present on BMW vehicles produced in 2012 through 2018, allows a remote attack via a cellular network.

10.0
2018-05-29 CVE-2018-1235 EMC OS Command Injection vulnerability in EMC Recoverpoint and Recoverpoint for Virtual Machines

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability.

10.0
2018-06-02 CVE-2018-11682 Lutron Use of Hard-coded Credentials vulnerability in Lutron products

Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y.

9.8
2018-06-02 CVE-2018-11681 Lutron Use of Hard-coded Credentials vulnerability in Lutron products

Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y.

9.8
2018-06-02 CVE-2018-11629 Lutron Use of Hard-coded Credentials vulnerability in Lutron products

Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y.

9.8
2018-06-01 CVE-2018-3746 Pdfinfojs Project OS Command Injection vulnerability in Pdfinfojs Project Pdfinfojs

The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.

9.8
2018-05-31 CVE-2016-10541 Shell Quote Project Code Injection vulnerability in Shell-Quote Project Shell-Quote

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell.

9.8
2018-05-29 CVE-2018-3744 Html Pages Project Path Traversal vulnerability in Html-Pages Project Html-Pages 2.0.7

The html-pages node module contains a path traversal vulnerabilities that allows an attacker to read any file from the server with cURL.

9.8
2018-06-01 CVE-2016-10634 Scalajs Standalone BIN Project Cryptographic Issues vulnerability in Scalajs-Standalone-Bin Project Scalajs-Standalone-Bin

scala-standalone-bin is a Binary wrapper for ScalaJS.

9.3
2018-06-01 CVE-2016-10633 Dwebp BIN Project Cryptographic Issues vulnerability in Dwebp-Bin Project Dwebp-Bin

dwebp-bin is a dwebp node.js wrapper that convert WebP into PNG.

9.3
2018-06-01 CVE-2016-10632 APK Parser2 Project Cryptographic Issues vulnerability in Apk-Parser2 Project Apk-Parser2 0.1.0/0.1.1

apk-parser2 is a module which extracts Android Manifest info from an APK file.

9.3
2018-06-01 CVE-2016-10631 Jvminstall Project Cryptographic Issues vulnerability in Jvminstall Project Jvminstall

jvminstall is a module for downloading and unpacking jvm to local system.

9.3
2018-06-01 CVE-2016-10629 NW With ARM Project Cryptographic Issues vulnerability in Nw-With-Arm Project Nw-With-Arm 0.12.2

nw-with-arm is a NW Installer including ARM-Build.

9.3
2018-06-01 CVE-2016-10628 Selenium Wrapper Project Cryptographic Issues vulnerability in Selenium-Wrapper Project Selenium-Wrapper

selenium-wrapper is a selenium server wrapper, including installation and chrome webdriver.

9.3
2018-06-01 CVE-2016-10626 Mystem3 Project Cryptographic Issues vulnerability in Mystem3 Project Mystem3

mystem3 is a NodeJS wrapper for the Yandex MyStem 3.

9.3
2018-06-01 CVE-2016-10625 Headless Browser Lite Project Cryptographic Issues vulnerability in Headless-Browser-Lite Project Headless-Browser-Lite

headless-browser-lite is a minimal npm installer for phantomjs and slimerjs with no external dependencies.

9.3
2018-06-01 CVE-2016-10624 Selenium Chromedriver Project Cryptographic Issues vulnerability in Selenium-Chromedriver Project Selenium-Chromedriver

selenium-chromedriver is a simple utility for downloading the Selenium Webdriver for Google Chrome selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-06-01 CVE-2016-10623 Macaca Chromedriver ZXA Project Cryptographic Issues vulnerability in Macaca-Chromedriver-Zxa Project Macaca-Chromedriver-Zxa

macaca-chromedriver-zxa is a Node.js wrapper for the selenium chromedriver.

9.3
2018-06-01 CVE-2016-10622 Nodeschnaps Project Cryptographic Issues vulnerability in Nodeschnaps Project Nodeschnaps

nodeschnaps is a NodeJS compatibility layer for Java (Rhino).

9.3
2018-06-01 CVE-2016-10621 Fibjs Project Cryptographic Issues vulnerability in Fibjs Project Fibjs

fibjs is a runtime for javascript applictions built on google v8 JS.

9.3
2018-06-01 CVE-2016-10620 Atom Node Module Installer Project Cryptographic Issues vulnerability in Atom-Node-Module-Installer Project Atom-Node-Module-Installer

atom-node-module-installer installs node modules for atom-shell applications.

9.3
2018-06-01 CVE-2016-10617 Box2D Native Project Cryptographic Issues vulnerability in Box2D-Native Project Box2D-Native

box2d-native downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-06-01 CVE-2016-10615 Curses Project Cryptographic Issues vulnerability in Curses Project Curses

curses is bindings for the native curses library, a full featured console IO library.

9.3
2018-06-01 CVE-2016-10614 Httpsync Project Cryptographic Issues vulnerability in Httpsync Project Httpsync

httpsync is a port of libcurl to node.js.

9.3
2018-06-01 CVE-2016-10612 Dalekjs Cryptographic Issues vulnerability in Dalekjs

dalek-browser-ie-canary is Internet Explorer bindings for DalekJS.

9.3
2018-06-01 CVE-2016-10609 Chromedriver126 Project
Linux
Cryptographic Issues vulnerability in Chromedriver126 Project Chromedriver126

chromedriver126 is chromedriver version 1.26 for linux OS.

9.3
2018-06-01 CVE-2016-10608 Getrobot Cryptographic Issues vulnerability in Getrobot Robot-Js

robot-js is a module for native system automation for node.js.

9.3
2018-06-01 CVE-2016-10607 Openframe Glslviewer Project Cryptographic Issues vulnerability in Openframe-Glslviewer Project Openframe-Glslviewer

openframe-glsviewer is a Openframe extension which adds support for shaders via glslViewer.

9.3
2018-06-01 CVE-2016-10606 Grunt Webdriver Qunit Project Cryptographic Issues vulnerability in Grunt-Webdriver-Qunit Project Grunt-Webdriver-Qunit

grunt-webdriver-qunit is a grunt plugin to run qunit with webdriver in grunt grunt-webdriver-qunit downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-06-01 CVE-2016-10605 Dalekjs Cryptographic Issues vulnerability in Dalekjs

dalek-browser-ie is Internet Explorer bindings for DalekJS.

9.3
2018-06-01 CVE-2016-10604 Dalekjs Cryptographic Issues vulnerability in Dalekjs

dalek-browser-chrome is Google Chrome bindings for DalekJS.

9.3
2018-06-01 CVE-2016-10603 AIR SDK Project Cryptographic Issues vulnerability in Air-Sdk Project Air-Sdk

air-sdk is a NPM wrapper for the Adobe AIR SDK.

9.3
2018-06-01 CVE-2016-10602 Haxe Cryptographic Issues vulnerability in Haxe

haxe is a cross-platform toolkit haxe downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-06-01 CVE-2016-10600 Webrtc Cryptographic Issues vulnerability in Webrtc Webrtc-Native

webrtc-native uses WebRTC from chromium project.

9.3
2018-06-01 CVE-2016-10599 Node Sauce Connect Project Cryptographic Issues vulnerability in Node-Sauce-Connect Project Node-Sauce-Connect 0.1.0/0.1.1

sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar program for establishing a secure tunnel for intranet testing.

9.3
2018-06-01 CVE-2016-10595 JDF Sass Project Cryptographic Issues vulnerability in Jdf-Sass Project Jdf-Sass

jdf-sass is a fork from node-sass, jdf use only.

9.3
2018-06-01 CVE-2016-10588 Nwjs Cryptographic Issues vulnerability in Nwjs NW

nw is an installer for nw.js.

9.3
2018-06-01 CVE-2016-10587 Wasdk Project Cryptographic Issues vulnerability in Wasdk Project Wasdk

wasdk is a toolkit for creating WebAssembly modules.

9.3
2018-06-01 CVE-2016-10585 Libxl Project Cryptographic Issues vulnerability in Libxl Project Libxl

libxl provides Node bindings for the libxl library for reading and writing excel (XLS and XLSX) spreadsheets.

9.3
2018-06-01 CVE-2016-10583 Openlayers Cryptographic Issues vulnerability in Openlayers Closure-Util

closure-utils is Utilities for Closure Library based projects.

9.3
2018-06-01 CVE-2016-10582 Closurecompiler Project Cryptographic Issues vulnerability in Closurecompiler Project Closurecompiler

closurecompiler is a Closure Compiler for node.js.

9.3
2018-06-01 CVE-2016-10581 Appgyver Cryptographic Issues vulnerability in Appgyver Steroids

Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity.

9.3
2018-06-01 CVE-2016-10580 Nodewebkit Project Cryptographic Issues vulnerability in Nodewebkit Project Nodewebkit

nodewebkit is an installer for node-webkit.

9.3
2018-06-01 CVE-2016-10576 Fuseki Project Cryptographic Issues vulnerability in Fuseki Project Fuseki 1.0.0

Fuseki server wrapper and management API in fuseki before 1.0.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-06-01 CVE-2016-10575 Hakatashi Cryptographic Issues vulnerability in Hakatashi Kindlegen

Kindlegen is a simple Node.js wrapper of the official kindlegen program.

9.3
2018-06-01 CVE-2016-10574 APK Parser3 Project Cryptographic Issues vulnerability in Apk-Parser3 Project Apk-Parser3 0.1.1/0.1.2

apk-parser3 is a module to extract Android Manifest info from an APK file.

9.3
2018-06-01 CVE-2018-11551 NCH Untrusted Search Path vulnerability in NCH Axon PBX 2.02

AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

9.3
2018-05-31 CVE-2016-10572 Mongodb Instance Project Cryptographic Issues vulnerability in Mongodb-Instance Project Mongodb-Instance 0.0.1/0.0.2

mongodb-instance before 0.0.3 installs mongodb locally.

9.3
2018-05-31 CVE-2016-10571 Bkjs Wand Project Cryptographic Issues vulnerability in Bkjs-Wand Project Bkjs-Wand

bkjs-wand is imagemagick wand support for node.js and backendjs bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-31 CVE-2016-10569 Embedza Project Cryptographic Issues vulnerability in Embedza Project Embedza

embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags.

9.3
2018-05-31 CVE-2016-10562 Iedriver Project Cryptographic Issues vulnerability in Iedriver Project Iedriver

iedriver is an NPM wrapper for Selenium IEDriver.

9.3
2018-05-31 CVE-2016-10560 Galenframework Cryptographic Issues vulnerability in Galenframework Galenframework-Cli

galenframework-cli is the node wrapper for the Galen Framework.

9.3
2018-05-29 CVE-2017-16003 Windows Build Tools Project Missing Encryption of Sensitive Data vulnerability in Windows-Build-Tools Project Windows-Build-Tools

windows-build-tools is a module for installing C++ Build Tools for Windows using npm.

9.3
2018-05-29 CVE-2016-10698 Mystem FIX Project Cryptographic Issues vulnerability in Mystem-Fix Project Mystem-Fix 0.0.4/0.0.5

mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-29 CVE-2016-10682 Massif Project Cryptographic Issues vulnerability in Massif Project Massif 0.0.11

massif is a Phantomjs fork massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-29 CVE-2016-10681 Robotwebtools Cryptographic Issues vulnerability in Robotwebtools Roslibjs

roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-29 CVE-2016-10679 Selenium Standalone Painful Project Cryptographic Issues vulnerability in Selenium-Standalone-Painful Project Selenium-Standalone-Painful 2.39.02.7.0

selenium-standalone-painful installs a start-selenium command line to start a standalone selenium server with chrome-driver.

9.3
2018-05-29 CVE-2016-10674 Limbus Buildgen Project Cryptographic Issues vulnerability in Limbus-Buildgen Project Limbus-Buildgen 0.1.0

limbus-buildgen is a "build anywhere" build system.

9.3
2018-05-29 CVE-2016-10666 Yandex Cryptographic Issues vulnerability in Yandex Tomita-Parser 0.0.1/0.0.2/0.0.3

tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-29 CVE-2016-10659 Macchina Cryptographic Issues vulnerability in Macchina Poco

poco - The POCO libraries, downloads source file resources used for compilation over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-29 CVE-2016-10658 Native Opencv Project Cryptographic Issues vulnerability in Native-Opencv Project Native-Opencv 3.0.0

native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

9.3
2018-05-29 CVE-2016-10650 Shutterstock Cryptographic Issues vulnerability in Shutterstock Ntfserver

ntfserver is a Network Testing Framework Server.

9.3
2018-05-29 CVE-2016-10635 Broccoli Closure Project Cryptographic Issues vulnerability in Broccoli-Closure Project Broccoli-Closure 1.0.0/1.2.0/1.3.0

broccoli-closure is a Closure compiler plugin for Broccoli.

9.3
2018-05-29 CVE-2016-10627 Scala BIN Project Cryptographic Issues vulnerability in Scala-Bin Project Scala-Bin

scala-bin is a binary wrapper for Scala.

9.3
2018-05-29 CVE-2016-10611 Strider Sauce Project Cryptographic Issues vulnerability in Strider-Sauce Project Strider-Sauce

strider-sauce is Sauce Labs / Selenium support for Strider.

9.3
2018-05-29 CVE-2016-10601 Uxebu Cryptographic Issues vulnerability in Uxebu Webdrvr

webdrvr is a npm wrapper for Selenium Webdriver including Chromedriver / IEDriver / IOSDriver / Ghostdriver.

9.3
2018-05-29 CVE-2016-10593 Interactivebrokers Cryptographic Issues vulnerability in Interactivebrokers Ibapi

ibapi is an Interactive Brokers API addon for NodeJS.

9.3
2018-05-29 CVE-2016-10591 Prince Project Cryptographic Issues vulnerability in Prince Project Prince 1.4.4/1.4.5

Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML via prince(1) CLI.

9.3
2018-05-29 CVE-2016-10590 CUE SDK Node Project Cryptographic Issues vulnerability in Cue-Sdk-Node Project Cue-Sdk-Node

cue-sdk-node is a Corsair Cue SDK wrapper for node.js.

9.3
2018-05-29 CVE-2016-10589 Spunjs Cryptographic Issues vulnerability in Spunjs Selenium-Binaries

selenium-binaries downloads Selenium related binaries for your OS.

9.3
2018-05-29 CVE-2016-10586 Macacajs Cryptographic Issues vulnerability in Macacajs Macaca-Chromedriver

macaca-chromedriver is a Node.js wrapper for the selenium chromedriver.

9.3
2018-05-29 CVE-2016-10584 Dalekjs Cryptographic Issues vulnerability in Dalekjs

dalek-browser-chrome-canary provides Google Chrome bindings for DalekJS.

9.3
2018-05-29 CVE-2016-10573 Baryton Saxophone Project Cryptographic Issues vulnerability in Baryton-Saxophone Project Baryton-Saxophone 2.48.2/2.50.1/2.53.0

baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows.

9.3
2018-05-29 CVE-2016-10570 Pngcrush Installer Project Cryptographic Issues vulnerability in Pngcrush-Installer Project Pngcrush-Installer

pngcrush-installer is an installer for Pngcrush.

9.3
2018-05-29 CVE-2016-10567 Product Monitor Project Cryptographic Issues vulnerability in Product-Monitor Project Product-Monitor

product-monitor is a HTML/JavaScript template for monitoring a product by encouraging product developers to gather all the information about the status of a product, including live monitoring, statistics, endpoints, and test results into one place.

9.3
2018-05-29 CVE-2016-10566 Install NW Project Cryptographic Issues vulnerability in Install-Nw Project Install-Nw

install-nw is a module which quickly and robustly installs and caches NW.js.

9.3
2018-05-29 CVE-2016-10559 Groupon Cryptographic Issues vulnerability in Groupon Selenium-Download

selenium-download downloads the latest versions of the selenium standalone server and the chromedriver.

9.3
2018-05-29 CVE-2016-10558 Aerospike Cryptographic Issues vulnerability in Aerospike

aerospike is an Aerospike add-on module for Node.js.

9.3
2018-05-29 CVE-2018-3745 Atob Project Out-of-bounds Read vulnerability in Atob Project Atob

atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.

9.1
2018-06-02 CVE-2018-11194 Quest Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 6 of 6).

9.0
2018-06-02 CVE-2018-11193 Quest Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 5 of 6).

9.0
2018-06-02 CVE-2018-11192 Quest Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 4 of 6).

9.0
2018-06-02 CVE-2018-11191 Quest Incorrect Permission Assignment for Critical Resource vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 3 of 6).

9.0
2018-06-02 CVE-2018-11190 Quest Improper Privilege Management vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 2 of 6).

9.0
2018-06-02 CVE-2018-11189 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 1 of 6).

9.0
2018-06-01 CVE-2018-7951 Huawei Code Injection vulnerability in Huawei products

The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation.

9.0
2018-06-01 CVE-2018-7950 Huawei Code Injection vulnerability in Huawei products

The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation.

9.0
2018-05-31 CVE-2018-11139 Quest OS Command Injection vulnerability in Quest Kace System Management Appliance 8.0.318

The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system.

9.0
2018-05-31 CVE-2018-11134 Quest Weak Password Recovery Mechanism for Forgotten Password vulnerability in Quest Kace System Management Appliance 8.0.318

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands.

9.0
2018-05-31 CVE-2018-11132 Quest OS Command Injection vulnerability in Quest Kace System Management Appliance 8.0.318

In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.

9.0
2018-05-31 CVE-2018-11220 Bitmain Unspecified vulnerability in Bitmain products

Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Execution via the system restore function.

9.0

41 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-05-31 CVE-2018-11135 Quest Unspecified vulnerability in Quest Kace System Management Appliance 8.0.318

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

8.8
2018-05-28 CVE-2018-11516 Videolan Use After Free vulnerability in Videolan VLC Media Player 3.0.0/3.0.1

The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.

8.8
2018-06-01 CVE-2016-10598 Arrayfire JS Project Cryptographic Issues vulnerability in Arrayfire-Js Project Arrayfire-Js

arrayfire-js is a module for ArrayFire for the Node.js platform.

8.5
2018-05-30 CVE-2018-11556 Littlecms Out-of-bounds Write vulnerability in Littlecms Little CMS 2.9

tificc in Little CMS 2.9 has an out-of-bounds write in the cmsPipelineCheckAndRetreiveStages function in cmslut.c in liblcms2.a via a crafted TIFF file.

7.8
2018-05-30 CVE-2018-11555 Littlecms Out-of-bounds Write vulnerability in Littlecms Little CMS 2.9

tificc in Little CMS 2.9 has an out-of-bounds write in the PrecalculatedXFORM function in cmsxform.c in liblcms2.a via a crafted TIFF file.

7.8
2018-05-29 CVE-2016-7076 Sudo Project Command Injection vulnerability in Sudo Project Sudo

sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument.

7.8
2018-05-28 CVE-2018-11506 Linux
Canonical
Debian
Out-of-bounds Write vulnerability in multiple products

The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.

7.8
2018-06-02 CVE-2018-11143 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 1 of 46).

7.5
2018-06-01 CVE-2016-1000338 Bouncycastle
Redhat
Canonical
Netapp
Improper Verification of Cryptographic Signature vulnerability in multiple products

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification.

7.5
2018-05-31 CVE-2016-10554 Sequelizejs SQL Injection vulnerability in Sequelizejs Sequelize

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS.

7.5
2018-05-31 CVE-2016-10553 Sequelizejs SQL Injection vulnerability in Sequelizejs Sequelize

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS.

7.5
2018-05-31 CVE-2016-10550 Sequelizejs SQL Injection vulnerability in Sequelizejs Sequelize

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements.

7.5
2018-05-31 CVE-2018-11141 Quest Path Traversal vulnerability in Quest Kace System Management Appliance 8.0.318

The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal.

7.5
2018-05-31 CVE-2018-11140 Quest SQL Injection vulnerability in Quest Kace System Management Appliance 8.0.318

The 'reportID' parameter received by the '/common/run_report.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an error-based type).

7.5
2018-05-31 CVE-2018-11136 Quest SQL Injection vulnerability in Quest Kace System Management Appliance 8.0.318

The 'orgID' parameter received by the '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, a blind time-based type).

7.5
2018-05-31 CVE-2018-11576 Miniupnp Project Out-of-bounds Read vulnerability in Miniupnp Project Ngiflib 0.4

ngiflib.c in MiniUPnP ngiflib 0.4 has a heap-based buffer over-read in GifIndexToTrueColor.

7.5
2018-05-31 CVE-2018-11575 Miniupnp Project Out-of-bounds Write vulnerability in Miniupnp Project Ngiflib 0.4

ngiflib.c in MiniUPnP ngiflib 0.4 has a stack-based buffer overflow in DecodeGifImg.

7.5
2018-05-30 CVE-2018-11482 TP Link Use of Hard-coded Credentials vulnerability in Tp-Link products

/usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password.

7.5
2018-05-29 CVE-2018-11547 Md4C Project Out-of-bounds Read vulnerability in Md4C Project Md4C 0.2.5

md_is_link_reference_definition_helper in md4c 0.2.5 has a heap-based buffer over-read because md_is_link_label mishandles loop termination.

7.5
2018-05-29 CVE-2018-11546 Md4C Project Out-of-bounds Read vulnerability in Md4C Project Md4C 0.2.5

md4c 0.2.5 has a heap-based buffer over-read because md_is_named_entity_contents has an off-by-one error.

7.5
2018-05-29 CVE-2018-11545 Md4C Project Out-of-bounds Write vulnerability in Md4C Project Md4C 0.2.5

md4c 0.2.5 has a heap-based buffer overflow in md_merge_lines because md_is_link_label mishandles the case of a link label composed solely of backslash escapes.

7.5
2018-05-29 CVE-2018-3734 Stattic Project Path Traversal vulnerability in Stattic Project Stattic 0.2.3

stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path.

7.5
2018-05-29 CVE-2018-3733 Crud File Server Project Path Traversal vulnerability in Crud-File-Server Project Crud-File-Server

crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path.

7.5
2018-05-29 CVE-2018-10466 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus

Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.

7.5
2018-05-29 CVE-2016-10551 Balderdash SQL Injection vulnerability in Balderdash Waterline-Sequel 0.5.0

waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code.

7.5
2018-05-29 CVE-2016-10525 Dwyl Improper Authentication vulnerability in Dwyl Hapi-Auth-Jwt2

When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication.

7.5
2018-05-29 CVE-2015-9244 Mysqljs SQL Injection vulnerability in Mysqljs Mysql

Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection.

7.5
2018-05-29 CVE-2015-9235 Auth0 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

7.5
2018-05-29 CVE-2018-5241 Broadcom Unspecified vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg

Symantec Advanced Secure Gateway (ASG) 6.6 and 6.7, and ProxySG 6.5, 6.6, and 6.7 are susceptible to a SAML authentication bypass vulnerability.

7.5
2018-05-29 CVE-2018-11536 Md4C Project Out-of-bounds Write vulnerability in Md4C Project Md4C

md4c before 0.2.5 has a heap-based buffer overflow because md_split_simple_pairing_mark mishandles splits.

7.5
2018-05-29 CVE-2018-11535 Sitemakin SQL Injection vulnerability in Sitemakin Slac 1.0

An issue was discovered in SITEMAKIN SLAC (Site Login and Access Control) v1.0.

7.5
2018-05-29 CVE-2018-11531 Exiv2
Debian
Canonical
Out-of-bounds Write vulnerability in multiple products

Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp.

7.5
2018-05-29 CVE-2018-11528 Wuzhicms SQL Injection vulnerability in Wuzhicms Wuzhi CMS 4.1.0

WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI.

7.5
2018-05-29 CVE-2018-11523 Nuuo Unrestricted Upload of File with Dangerous Type vulnerability in Nuuo Nvrmini 2 Firmware

upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, such as upload of .php files.

7.5
2018-05-28 CVE-2018-11309 Membermouse SQL Injection vulnerability in Membermouse

Blind SQL injection in coupon_code in the MemberMouse plugin 2.2.8 and prior for WordPress allows an unauthenticated attacker to dump the WordPress MySQL database via an applyCoupon action in an admin-ajax.php request.

7.5
2018-05-31 CVE-2018-6552 Apport Project
Canonical
Unspecified vulnerability in Apport Project Apport

Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers.

7.2
2018-05-31 CVE-2018-9322 BMW Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows local attacks involving the USB or OBD-II interface.

7.2
2018-05-31 CVE-2018-9320 BMW Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in.

7.2
2018-05-31 CVE-2018-9314 BMW Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows an attack by an attacker who has direct physical access.

7.2
2018-05-31 CVE-2018-9312 BMW Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in.

7.2
2018-05-29 CVE-2018-6964 Vmware
Linux
Unspecified vulnerability in VMWare Horizon Client

VMware Horizon Client for Linux (4.x before 4.8.0 and prior) contains a local privilege escalation vulnerability due to insecure usage of SUID binary.

7.2

218 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-06-02 CVE-2018-11679 Cmseasy Cross-Site Request Forgery (CSRF) vulnerability in Cmseasy 6.0

An issue was discovered in CmsEasy 6.1_20180508.

6.8
2018-06-01 CVE-2018-11538 Searchblox Cross-Site Request Forgery (CSRF) vulnerability in Searchblox 8.6.6

servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass.

6.8
2018-06-01 CVE-2016-10619 Pennyworth Project Cryptographic Issues vulnerability in Pennyworth Project Pennyworth

pennyworth is a natural language templating engine.

6.8
2018-06-01 CVE-2016-10618 Node Browser Project Cryptographic Issues vulnerability in Node-Browser Project Node-Browser 0.0.1/0.0.2/0.0.3

node-browser is a wrapper webdriver by nodejs.

6.8
2018-06-01 CVE-2016-10616 Openframe Image Project Cryptographic Issues vulnerability in Openframe-Image Project Openframe-Image

openframe-image is an Openframe extension which adds support for images via fbi.

6.8
2018-06-01 CVE-2016-10610 Unicode Cryptographic Issues vulnerability in Unicode Unicode-Json

unicode-json is a unicode lookup table.

6.8
2018-06-01 CVE-2016-10596 Imageoptim Project Cryptographic Issues vulnerability in Imageoptim Project Imageoptim

imageoptim is a Node.js wrapper for some images compression algorithms.

6.8
2018-06-01 CVE-2016-10594 Ipip Project Cryptographic Issues vulnerability in Ipip Project Ipip

ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net.

6.8
2018-06-01 CVE-2016-10592 Jser Stat Project Cryptographic Issues vulnerability in Jser-Stat Project Jser-Stat

jser-stat is a JSer.info stat library.

6.8
2018-06-01 CVE-2016-10579 Chromedriver Project Cryptographic Issues vulnerability in Chromedriver Project Chromedriver

Chromedriver is an NPM wrapper for selenium ChromeDriver.

6.8
2018-06-01 CVE-2018-11671 Njtech Cross-Site Request Forgery (CSRF) vulnerability in Njtech Greencms 2.3.0603

An issue was discovered in GreenCMS v2.3.0603.

6.8
2018-06-01 CVE-2018-11670 Njtech Cross-Site Request Forgery (CSRF) vulnerability in Njtech Greencms 2.3.0603

An issue was discovered in GreenCMS v2.3.0603.

6.8
2018-05-31 CVE-2016-10565 Cnpmjs Cryptographic Issues vulnerability in Cnpmjs Operadriver 0.2.1/0.2.2

operadriver is a Opera Driver for Selenium.

6.8
2018-05-31 CVE-2016-10564 APK Parser Project Cryptographic Issues vulnerability in Apk-Parser Project Apk-Parser

apk-parser is a tool to extract Android Manifest info from an APK file.

6.8
2018-05-31 CVE-2016-10563 Ipfs Cryptographic Issues vulnerability in Ipfs Go-Ipfs-Dep

During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP.

6.8
2018-05-31 CVE-2016-10557 Appium Cryptographic Issues vulnerability in Appium Appium-Chromedriver

appium-chromedriver is a Node.js wrapper around Chromedriver.

6.8
2018-05-31 CVE-2016-10529 Droppy Project Cross-Site Request Forgery (CSRF) vulnerability in Droppy Project Droppy

Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests.

6.8
2018-05-31 CVE-2018-11625 Imagemagick
Canonical
Out-of-bounds Read vulnerability in multiple products

In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file allows attackers to cause a heap-based buffer over-read via a crafted file.

6.8
2018-05-31 CVE-2018-11624 Imagemagick Use After Free vulnerability in Imagemagick 7.0.736

In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows attackers to cause a use after free via a crafted file.

6.8
2018-05-31 CVE-2018-11595 Espruino Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Escalation of Privileges with a user crafted input file via a Buffer Overflow during syntax parsing, because strncat is misused.

6.8
2018-05-31 CVE-2018-11577 Liblouis
Canonical
Opensuse
Classic Buffer Overflow vulnerability in multiple products

Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c.

6.8
2018-05-31 CVE-2018-11571 Clippercms Session Fixation vulnerability in Clippercms 1.3.3

ClipperCMS 1.3.3 allows Session Fixation.

6.8
2018-05-30 CVE-2015-7610 Zimbra
Synacor
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.

6.8
2018-05-30 CVE-2018-11518 Hcltech Improper Input Validation vulnerability in Hcltech Legacy IVR Firmware

A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP.

6.8
2018-05-30 CVE-2018-11438 Libmobi Project Out-of-bounds Write vulnerability in Libmobi Project Libmobi 0.3

The mobi_decompress_lz77 function in compression.c in Libmobi 0.3 allows remote attackers to cause remote code execution (heap-based buffer overflow) via a crafted mobi file.

6.8
2018-05-30 CVE-2018-11235 Debian
Canonical
Redhat
GIT SCM
Gitforwindows
Path Traversal vulnerability in multiple products

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.

6.8
2018-05-29 CVE-2016-10680 Adamvr Geoip Lite Project Cryptographic Issues vulnerability in Adamvr-Geoip-Lite Project Adamvr-Geoip-Lite

adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks.

6.8
2018-05-29 CVE-2016-10578 Unicode Project Cryptographic Issues vulnerability in Unicode Project Unicode

unicode loads unicode data downloaded from unicode.org into nodejs.

6.8
2018-05-29 CVE-2016-10577 IBM Cryptographic Issues vulnerability in IBM DB

ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix.

6.8
2018-05-29 CVE-2016-10568 Geoip Lite Country Project Cryptographic Issues vulnerability in Geoip-Lite-Country Project Geoip-Lite-Country

geoip-lite-country is a stripped down version of geoip-lite, supporting only country lookup.

6.8
2018-05-29 CVE-2018-11527 Cscms Project Cross-Site Request Forgery (CSRF) vulnerability in Cscms Project Cscms 4.1

An issue was discovered in CScms v4.1.

6.8
2018-06-02 CVE-2018-11188 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 46 of 46).

6.5
2018-06-02 CVE-2018-11187 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 45 of 46).

6.5
2018-06-02 CVE-2018-11186 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 44 of 46).

6.5
2018-06-02 CVE-2018-11185 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 43 of 46).

6.5
2018-06-02 CVE-2018-11184 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 42 of 46).

6.5
2018-06-02 CVE-2018-11183 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 41 of 46).

6.5
2018-06-02 CVE-2018-11182 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 40 of 46).

6.5
2018-06-02 CVE-2018-11181 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 39 of 46).

6.5
2018-06-02 CVE-2018-11180 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 38 of 46).

6.5
2018-06-02 CVE-2018-11179 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 37 of 46).

6.5
2018-06-02 CVE-2018-11178 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 36 of 46).

6.5
2018-06-02 CVE-2018-11177 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 35 of 46).

6.5
2018-06-02 CVE-2018-11176 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 34 of 46).

6.5
2018-06-02 CVE-2018-11175 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 33 of 46).

6.5
2018-06-02 CVE-2018-11174 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 32 of 46).

6.5
2018-06-02 CVE-2018-11173 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 31 of 46).

6.5
2018-06-02 CVE-2018-11172 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 30 of 46).

6.5
2018-06-02 CVE-2018-11171 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 29 of 46).

6.5
2018-06-02 CVE-2018-11170 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 28 of 46).

6.5
2018-06-02 CVE-2018-11169 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46).

6.5
2018-06-02 CVE-2018-11168 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 26 of 46).

6.5
2018-06-02 CVE-2018-11167 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 25 of 46).

6.5
2018-06-02 CVE-2018-11166 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 24 of 46).

6.5
2018-06-02 CVE-2018-11165 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 23 of 46).

6.5
2018-06-02 CVE-2018-11164 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 22 of 46).

6.5
2018-06-02 CVE-2018-11163 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 21 of 46).

6.5
2018-06-02 CVE-2018-11162 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 20 of 46).

6.5
2018-06-02 CVE-2018-11161 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 19 of 46).

6.5
2018-06-02 CVE-2018-11160 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 18 of 46).

6.5
2018-06-02 CVE-2018-11159 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 17 of 46).

6.5
2018-06-02 CVE-2018-11158 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 16 of 46).

6.5
2018-06-02 CVE-2018-11157 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 15 of 46).

6.5
2018-06-02 CVE-2018-11156 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 14 of 46).

6.5
2018-06-02 CVE-2018-11155 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 13 of 46).

6.5
2018-06-02 CVE-2018-11154 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 12 of 46).

6.5
2018-06-02 CVE-2018-11153 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 11 of 46).

6.5
2018-06-02 CVE-2018-11152 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 10 of 46).

6.5
2018-06-02 CVE-2018-11151 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 9 of 46).

6.5
2018-06-02 CVE-2018-11150 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 8 of 46).

6.5
2018-06-02 CVE-2018-11149 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 7 of 46).

6.5
2018-06-02 CVE-2018-11148 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 6 of 46).

6.5
2018-06-02 CVE-2018-11147 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 5 of 46).

6.5
2018-06-02 CVE-2018-11146 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 4 of 46).

6.5
2018-06-02 CVE-2018-11145 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 3 of 46).

6.5
2018-06-02 CVE-2018-11144 Quest OS Command Injection vulnerability in Quest Disk Backup

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 2 of 46).

6.5
2018-06-01 CVE-2018-5523 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 and Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.

6.5
2018-06-01 CVE-2018-8922 Synology Unspecified vulnerability in Synology Drive Server 1.0.210275

Improper access control vulnerability in Synology Drive before 1.0.2-10275 allows remote authenticated users to access non-shared files or folders via unspecified vectors.

6.5
2018-05-31 CVE-2018-5388 Strongswan
Debian
Canonical
Out-of-bounds Write vulnerability in multiple products

In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.

6.5
2018-05-30 CVE-2018-11481 TP Link Improper Input Validation vulnerability in Tp-Link products

TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters.

6.5
2018-05-29 CVE-2018-11392 Jigowatt Unrestricted Upload of File with Dangerous Type vulnerability in Jigowatt PHP Login & User Management

An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field.

6.5
2018-05-29 CVE-2018-1370 IBM Incorrect Permission Assignment for Critical Resource vulnerability in IBM Security Guardium BIG Data Intelligence 3.1

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

6.5
2018-05-28 CVE-2018-11514 Naukri Clone Script Project Unrestricted Upload of File with Dangerous Type vulnerability in Naukri Clone Script Project Naukri Clone Script 3.0.3

PHP Scripts Mall Naukri Clone Script through 3.0.3 allows Unrestricted Upload of a File with a Dangerous Type in edit_resume_det.php, as demonstrated by changing .docx to .php.

6.5
2018-05-31 CVE-2018-11036 Ruckuswireless Information Exposure vulnerability in Ruckuswireless products

Ruckus SmartZone (formerly Virtual SmartCell Gateway or vSCG) 3.5.0, 3.5.1, 3.6.0, and 3.6.1 (Essentials and High Scale) on vSZ, SZ-100, SZ-300, and SCG-200 devices allows remote attackers to obtain sensitive information or modify data.

6.4
2018-06-01 CVE-2017-17171 Huawei Improper Input Validation vulnerability in Huawei Mate 8 Firmware, P9 Firmware and P9 Plus Firmware

Some Huawei smart phones have the denial of service (DoS) vulnerability due to the improper processing of malicious parameters.

6.3
2018-06-01 CVE-2018-3755 Sexstatic Project Cross-site Scripting vulnerability in Sexstatic Project Sexstatic 0.6.0/0.6.2

XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name.

6.1
2018-06-01 CVE-2018-3743 Hekto Project Open Redirect vulnerability in Hekto Project Hekto

Open redirect in hekto <=0.2.3 when target domain name is used as html filename on server.

6.1
2018-05-31 CVE-2016-10524 I18N Node Angular Project Resource Exhaustion vulnerability in I18N-Node-Angular Project I18N-Node-Angular

i18n-node-angular is a module used to interact between i18n and angular without using additional resources.

6.0
2018-05-31 CVE-2016-10552 Infragistics 7PK - Security Features vulnerability in Infragistics Igniteui

igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol.

5.8
2018-05-31 CVE-2018-11598 Espruino Out-of-bounds Read vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Information Disclosure with user crafted input files via a Buffer Overflow or Out-of-bounds Read during syntax parsing of certain for loops in jsparse.c.

5.8
2018-05-31 CVE-2018-11593 Espruino Out-of-bounds Write vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and potential Information Disclosure with a user crafted input file via a Buffer Overflow during syntax parsing because strncpy is misused in jslex.c.

5.8
2018-05-30 CVE-2018-11478 Vgate Improper Authentication vulnerability in Vgate Icar 2 Wi-Fi Obd2 Firmware

An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices.

5.8
2018-05-30 CVE-2018-11476 Vgate Missing Authentication for Critical Function vulnerability in Vgate Icar 2 Wi-Fi Obd2 Firmware

An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices.

5.8
2018-05-31 CVE-2018-9313 BMW Protection Mechanism Failure vulnerability in BMW Head Unit HU NBT Firmware

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a remote attack via Bluetooth when in pairing mode, leading to a Head Unit reboot.

5.7
2018-05-30 CVE-2018-10196 Graphviz
Fedoraproject
Canonical
NULL Pointer Dereference vulnerability in multiple products

NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.

5.5
2018-05-29 CVE-2018-1495 IBM Improper Privilege Management vulnerability in IBM Flashsystem 840 Firmware and Flashsystem 900 Firmware

IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service.

5.5
2018-06-01 CVE-2018-8921 Synology Cross-site Scripting vulnerability in Synology Drive Server 1.0.010240/1.0.110253

Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.

5.4
2018-05-29 CVE-2018-10751 Samsung Integer Overflow or Wraparound vulnerability in Samsung Mobile

A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload.

5.4
2018-06-01 CVE-2018-11645 Artifex Information Exposure vulnerability in Artifex Ghostscript

psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.

5.3
2018-06-01 CVE-2018-3809 Zeit Information Exposure vulnerability in Zeit Serve 6.5.3

Information exposure through directory listings in serve 6.5.3 allows directory listing and file access even when they have been set to be ignored.

5.0
2018-06-01 CVE-2018-3756 Hyperledger Improper Verification of Cryptographic Signature vulnerability in Hyperledger Iroha 1.0/1.0.0

Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures.

5.0
2018-06-01 CVE-2018-11196 Mahara Unrestricted Upload of File with Dangerous Type vulnerability in Mahara

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara.

5.0
2018-06-01 CVE-2018-11657 Miniupnp Project Infinite Loop vulnerability in Miniupnp Project Ngiflib 0.4

ngiflib.c in MiniUPnP ngiflib 0.4 has an infinite loop in DecodeGifImg and LoadGif.

5.0
2018-06-01 CVE-2017-2860 Natus Out-of-bounds Read vulnerability in Natus Xltek Neuroworks 8

An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8.

5.0
2018-06-01 CVE-2017-2858 Natus Out-of-bounds Read vulnerability in Natus Xltek Neuroworks 8

An exploitable denial-of-service vulnerability exists in the traversal of lists functionality of Natus Xltek NeuroWorks 8.

5.0
2018-06-01 CVE-2017-2852 Natus Out-of-bounds Read vulnerability in Natus Xltek Neuroworks 8

An exploitable denial-of-service vulnerability exists in the unserialization of lists functionality of Natus Xltek NeuroWorks 8.

5.0
2018-06-01 CVE-2018-5524 F5 Unspecified vulnerability in F5 products

Under certain conditions, on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.6.1 HF2-11.6.3.1, virtual servers configured with Client SSL or Server SSL profiles which make use of network hardware security module (HSM) functionality are exposed and impacted by this issue.

5.0
2018-06-01 CVE-2018-5513 F5 Improper Input Validation vulnerability in F5 products

On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, a malformed TLS handshake causes TMM to crash leading to a disruption of service.

5.0
2018-06-01 CVE-2017-6153 F5 Resource Exhaustion vulnerability in F5 products

Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 system that utilizes inflate functionality directly, via an iRule, or via the inflate code from PEM module are subjected to a service disruption via a "Zip Bomb" attack.

5.0
2018-06-01 CVE-2018-11646 Webkitgtk Unspecified vulnerability in Webkitgtk Webkitgtk+

webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.

5.0
2018-05-31 CVE-2016-10561 Bitty Project Path Traversal vulnerability in Bitty Project Bitty 0.2.10

Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`.

5.0
2018-05-31 CVE-2016-10543 Call Project Improper Input Validation vulnerability in Call Project Call

call is an HTTP router that is primarily used by the hapi framework.

5.0
2018-05-31 CVE-2016-10542 WS Project Improper Input Validation vulnerability in WS Project WS

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455".

5.0
2018-05-31 CVE-2016-10540 Minimatch Project Improper Input Validation vulnerability in Minimatch Project Minimatch

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects.

5.0
2018-05-31 CVE-2016-10539 Negotiator Project Improper Input Validation vulnerability in Negotiator Project Negotiator

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

5.0
2018-05-31 CVE-2016-10527 Riot JS Resource Management Errors vulnerability in Riot.Js Riot-Compiler 2.3.21

The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions.

5.0
2018-05-31 CVE-2016-10526 Grunt GH Pages Project Credentials Management vulnerability in Grunt-Gh-Pages Project Grunt-Gh-Pages

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url.

5.0
2018-05-31 CVE-2016-10523 Mqtt Packet Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mqtt-Packet Project Mqtt-Packet 4.0.0

MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth.

5.0
2018-05-31 CVE-2016-10521 Jshamcrest Project Improper Input Validation vulnerability in Jshamcrest Project Jshamcrest 0.6.7/0.7.0/0.7.1

jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.

5.0
2018-05-31 CVE-2016-10520 Jadedown Project Improper Input Validation vulnerability in Jadedown Project Jadedown 0.0.1/0.0.2/0.0.3

jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

5.0
2018-05-31 CVE-2016-10519 Webtorrent Information Exposure vulnerability in Webtorrent Bittorrent-Dht

A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.

5.0
2018-05-31 CVE-2016-10518 WS Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in WS Project WS

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame.

5.0
2018-05-31 CVE-2015-9239 Ansi2Html Project Improper Input Validation vulnerability in Ansi2Html Project Ansi2Html 0.0.1

ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

5.0
2018-05-31 CVE-2015-9238 Secure Compare Project Use of Externally-Controlled Format String vulnerability in Secure-Compare Project Secure-Compare

secure-compare 3.0.0 and below do not actually compare two strings properly.

5.0
2018-05-31 CVE-2015-9236 Hapijs Information Exposure vulnerability in Hapijs Hapi

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden.

5.0
2018-05-31 CVE-2014-10066 Fancy Server Project Path Traversal vulnerability in Fancy-Server Project Fancy-Server

Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal.

5.0
2018-05-31 CVE-2014-10064 QS Project Resource Management Errors vulnerability in QS Project QS

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time.

5.0
2018-05-31 CVE-2018-11626 Simple Lossless Audio Project Out-of-bounds Write vulnerability in Simple Lossless Audio Project Simple Lossless Audio 0.1.2

SELA (aka SimplE Lossless Audio) v0.1.2-alpha has a stack-based buffer overflow in the core/apev2.c init_apev2_keys function.

5.0
2018-05-31 CVE-2018-11579 Multidots Improper Authentication vulnerability in Multidots Woocommerce Category Banner Management 1.1.0

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage.

5.0
2018-05-30 CVE-2018-11565 Mahara Information Exposure vulnerability in Mahara

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information.

5.0
2018-05-30 CVE-2018-10995 Schedmd
Debian
Improper Input Validation vulnerability in multiple products

SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles user names (aka user_name fields) and group ids (aka gid fields).

5.0
2018-05-30 CVE-2018-11233 Canonical
GIT SCM
Out-of-bounds Read vulnerability in multiple products

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.

5.0
2018-05-29 CVE-2018-11548 Block Improper Input Validation vulnerability in Block EOS Dawn4.2.0

An issue was discovered in EOS.IO DAWN 4.2.

5.0
2018-05-29 CVE-2018-11544 Theolivetree Insufficiently Protected Credentials vulnerability in Theolivetree FTP Server 1.32

The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the prefUsername and prefUserpass strings.

5.0
2018-05-29 CVE-2017-16153 Gaoxuyan Project Path Traversal vulnerability in Gaoxuyan Project Gaoxuyan

gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

5.0
2018-05-29 CVE-2017-16062 Node Tkinter Project Information Exposure vulnerability in Node-Tkinter Project Node-Tkinter

node-tkinter was a malicious module published with the intent to hijack environment variables.

5.0
2018-05-29 CVE-2017-16061 Tkinter Package Information Exposure vulnerability in Tkinter Package Tkinter

tkinter was a malicious module published with the intent to hijack environment variables.

5.0
2018-05-29 CVE-2017-16047 Mysqljs Project Information Exposure vulnerability in Mysqljs Project Mysqljs

mysqljs was a malicious module published with the intent to hijack environment variables.

5.0
2018-05-29 CVE-2016-10556 Sequelizejs SQL Injection vulnerability in Sequelizejs Sequelize

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.

5.0
2018-05-29 CVE-2015-9242 Ecstatic Project Improper Input Validation vulnerability in Ecstatic Project Ecstatic

Certain input strings when passed to new Date() or Date.parse() in ecstatic node module before 1.4.0 will cause v8 to raise an exception.

5.0
2018-05-29 CVE-2015-9241 Hapijs Improper Input Validation vulnerability in Hapijs Hapi

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised.

5.0
2018-05-29 CVE-2015-9240 Keystonejs Credentials Management vulnerability in Keystonejs Keystone

Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched.

5.0
2018-05-29 CVE-2014-10068 Hapi Path Traversal vulnerability in Hapi Inert 1.0.0/1.1.0

The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false.

5.0
2018-05-29 CVE-2018-1375 IBM Session Fixation vulnerability in IBM Security Guardium BIG Data Intelligence 3.1

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability.

5.0
2018-05-29 CVE-2018-11488 Dtsearch Allocation of Resources Without Limits or Throttling vulnerability in Dtsearch 7.66.7936/7.90.8538.1

A stack exhaustion vulnerability in the search function of dtSearch 7.90.8538.1 and prior allows remote attackers to cause a denial of service condition by sending a specially crafted HTTP request.

5.0
2018-05-28 CVE-2018-10732 Dataiku Information Exposure vulnerability in Dataiku Data Science Studio

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information (i.e., determine if a username is valid) because of profile pictures visibility.

5.0
2018-05-28 CVE-2018-11517 Myscada Information Exposure vulnerability in Myscada Mypro 7.0

mySCADA myPRO 7 allows remote attackers to discover all ProjectIDs in a project by sending all of the prj parameter values from 870000 to 875000 in t=0&rq=0 requests to TCP port 11010.

5.0
2018-05-28 CVE-2018-11515 Gvectors SQL Injection vulnerability in Gvectors Wpforo

The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter.

5.0
2018-05-31 CVE-2016-10538 CLI Project
Debian
Race Condition vulnerability in multiple products

The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file.

4.9
2018-06-02 CVE-2018-11680 Cmseasy Cross-Site Request Forgery (CSRF) vulnerability in Cmseasy 6.0

An issue was discovered in CmsEasy 6.1_20180508.

4.3
2018-06-02 CVE-2018-11522 Yosoro Project Cross-site Scripting vulnerability in Yosoro Project Yosoro 1.0.4

Yosoro 1.0.4 has stored XSS.

4.3
2018-06-01 CVE-2016-10630 Install G Test Project Cryptographic Issues vulnerability in Install-G-Test Project Install-G-Test

install-g-test downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

4.3
2018-06-01 CVE-2016-10613 Bionode Cryptographic Issues vulnerability in Bionode Bionode-Sra

bionode-sra is a Node.js wrapper for SRA Toolkit.

4.3
2018-06-01 CVE-2016-10597 Cobalt CLI Project Missing Encryption of Sensitive Data vulnerability in Cobalt-Cli Project Cobalt-Cli

cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

4.3
2018-06-01 CVE-2018-11552 NCH Cross-site Scripting vulnerability in NCH Axon PBX 2.02

There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field.

4.3
2018-06-01 CVE-2018-11656 Imagemagick
Canonical
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.

4.3
2018-06-01 CVE-2018-11655 Imagemagick
Canonical
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function GetImagePixelCache in MagickCore/cache.c, which allows attackers to cause a denial of service via a crafted CALS image file.

4.3
2018-06-01 CVE-2018-11628 Emssoftware Cross-site Scripting vulnerability in Emssoftware EMS Master Calendar

Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS.

4.3
2018-06-01 CVE-2018-11486 Multidots Cross-site Scripting vulnerability in Multidots Advance Search FOR Woocommerce

An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress.

4.3
2018-06-01 CVE-2018-11485 Multidots Cross-site Scripting vulnerability in Multidots Woocommerce Quick Reports

The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS.

4.3
2018-06-01 CVE-2018-5526 F5 Unspecified vulnerability in F5 Big-Ip Application Security Manager

Under certain conditions, on F5 BIG-IP ASM 13.1.0-13.1.0.5, Behavioral DOS (BADOS) protection may fail during an attack.

4.3
2018-06-01 CVE-2018-5522 F5 Improper Input Validation vulnerability in F5 products

On F5 BIG-IP 13.0.0, 12.0.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, when processing DIAMETER transactions with carefully crafted attribute-value pairs, TMM may crash.

4.3
2018-06-01 CVE-2018-5521 F5 Cross-site Scripting vulnerability in F5 products

On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS.

4.3
2018-06-01 CVE-2018-11651 Graylog Cross-site Scripting vulnerability in Graylog

Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx.

4.3
2018-06-01 CVE-2018-11650 Graylog Cross-site Scripting vulnerability in Graylog

Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.

4.3
2018-06-01 CVE-2018-11649 Gethue Cross-site Scripting vulnerability in Gethue HUE 3.12

Hue 3.12 has XSS via the /pig/save/ name and script parameters.

4.3
2018-05-31 CVE-2018-9186 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiauthenticator

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.

4.3
2018-05-31 CVE-2018-10379 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2.

4.3
2018-05-31 CVE-2018-11633 Multidots Cross-Site Request Forgery (CSRF) vulnerability in Multidots WOO Checkout for Digital Goods 2.1

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress.

4.3
2018-05-31 CVE-2018-11632 Multidots Cross-Site Request Forgery (CSRF) vulnerability in Multidots ADD Social Share Messenger Buttons Whatsapp and Viber 1.0.8

An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress.

4.3
2018-05-31 CVE-2016-10548 Reduce CSS Calc Project Cross-site Scripting vulnerability in Reduce-Css-Calc Project Reduce-Css-Calc

Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css.

4.3
2018-05-31 CVE-2016-10547 Mozilla Cross-site Scripting vulnerability in Mozilla Nunjucks

Nunjucks is a full featured templating engine for JavaScript.

4.3
2018-05-31 CVE-2016-10544 UWS Project Improper Input Validation vulnerability in UWS Project UWS 0.10.0/0.10.8

uws is a WebSocket server library.

4.3
2018-05-31 CVE-2016-10536 Socket Improper Certificate Validation vulnerability in Socket Engine.Io-Client

engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO.

4.3
2018-05-31 CVE-2016-10535 Csrf Lite Project Cryptographic Issues vulnerability in Csrf-Lite Project Csrf-Lite

csrf-lite is a cross-site request forgery protection library for framework-less node sites.

4.3
2018-05-31 CVE-2016-10534 Electron Packager Project Improper Certificate Validation vulnerability in Electron-Packager Project Electron-Packager

electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages.

4.3
2018-05-31 CVE-2016-10531 Marked Project Cross-site Scripting vulnerability in Marked Project Marked

marked is an application that is meant to parse and compile markdown.

4.3
2018-05-31 CVE-2016-10530 Airbrake Information Exposure vulnerability in Airbrake

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP.

4.3
2018-05-31 CVE-2014-10065 Remarkable Project Cross-site Scripting vulnerability in Remarkable Project Remarkable

Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.

4.3
2018-05-31 CVE-2018-11627 Sinatrarb
Redhat
Cross-site Scripting vulnerability in multiple products

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

4.3
2018-05-31 CVE-2018-11133 Quest Cross-site Scripting vulnerability in Quest Kace System Management Appliance 8.0.318

The 'fmt' parameter of the '/common/run_cross_report.php' script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting.

4.3
2018-05-31 CVE-2018-11597 Espruino Uncontrolled Recursion vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c.

4.3
2018-05-31 CVE-2018-11596 Espruino Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because a check for '\0' is made for the wrong array element in jsvar.c.

4.3
2018-05-31 CVE-2018-11594 Espruino Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing of "VOID" tokens in jsparse.c.

4.3
2018-05-31 CVE-2018-11592 Espruino Out-of-bounds Read vulnerability in Espruino

Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via an Out-of-bounds Read during syntax parsing in which certain height validation is missing in libs/graphics/jswrap_graphics.c.

4.3
2018-05-31 CVE-2018-11591 Espruino NULL Pointer Dereference vulnerability in Espruino

Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via a NULL pointer dereference during syntax parsing.

4.3
2018-05-31 CVE-2018-11590 Espruino Integer Overflow or Wraparound vulnerability in Espruino

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via an integer overflow during syntax parsing.

4.3
2018-05-31 CVE-2018-11583 Seacms Cross-site Scripting vulnerability in Seacms 6.61

SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter.

4.3
2018-05-31 CVE-2018-11578 Miniupnp Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Miniupnp Project Ngiflib 0.4

GifIndexToTrueColor in ngiflib.c in MiniUPnP ngiflib 0.4 has a Segmentation fault.

4.3
2018-05-30 CVE-2018-11568 Cactusthemes Cross-site Scripting vulnerability in Cactusthemes Gameplan-Event and GYM Fitness

Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter.

4.3
2018-05-30 CVE-2018-10939 Zimbra
Synacor
Cross-site Scripting vulnerability in multiple products

Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group.

4.3
2018-05-30 CVE-2018-11562 Misp Cross-site Scripting vulnerability in Misp 2.4.91

An issue was discovered in MISP 2.4.91.

4.3
2018-05-30 CVE-2018-11439 Taglib
Debian
Out-of-bounds Read vulnerability in multiple products

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.

4.3
2018-05-30 CVE-2018-11437 Libmobi Project Information Exposure vulnerability in Libmobi Project Libmobi 0.3

The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.

4.3
2018-05-30 CVE-2018-11436 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3

The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

4.3
2018-05-30 CVE-2018-11435 Libmobi Project Information Exposure vulnerability in Libmobi Project Libmobi 0.3

The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.

4.3
2018-05-30 CVE-2018-11434 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3

The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

4.3
2018-05-30 CVE-2018-11433 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3

The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

4.3
2018-05-30 CVE-2018-11432 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi 0.3

The mobi_parse_mobiheader function in read.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.

4.3
2018-05-30 CVE-2018-11557 Yiban Cross-site Scripting vulnerability in Yiban Easy Class Education Platform 2.0

YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter.

4.3
2018-05-29 CVE-2018-11027 Ruckussecurity Cross-site Scripting vulnerability in Ruckussecurity Icx7450-48 Firmware

A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML.

4.3
2018-05-29 CVE-2017-16010 I18Next Cross-site Scripting vulnerability in I18Next

i18next is a language translation framework.

4.3
2018-05-29 CVE-2015-9243 Hapijs 7PK - Security Features vulnerability in Hapijs Hapi

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g.

4.3
2018-05-29 CVE-2014-10067 Paypal IPN Project Improper Authentication vulnerability in Paypal-Ipn Project Paypal-Ipn

paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

4.3
2018-05-29 CVE-2018-1376 IBM Cross-site Scripting vulnerability in IBM Security Guardium BIG Data Intelligence 3.1

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulnerable to cross-site scripting.

4.3
2018-05-29 CVE-2018-1369 IBM Information Exposure vulnerability in IBM Security Guardium BIG Data Intelligence 3.1

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 stores sensitive information in URL parameters.

4.3
2018-05-29 CVE-2018-11532 Changuondyu Advanced Statistics Project Cross-site Scripting vulnerability in Changuondyu Advanced Statistics Project Changuondyu Advanced Statistics 1.0.2

An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB.

4.3
2018-05-28 CVE-2018-11507 Flif Excessive Iteration vulnerability in Flif 0.3

An issue was discovered in Free Lossless Image Format (FLIF) 0.3.

4.3
2018-06-01 CVE-2018-7949 Huawei Improper Authentication vulnerability in Huawei products

The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a privilege escalation vulnerability.

4.0
2018-06-01 CVE-2018-5525 F5 Information Exposure vulnerability in F5 products

A local file vulnerability exists in the F5 BIG-IP Configuration utility on versions 13.0.0, 12.1.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 that exposes files containing F5-provided data only and do not include any configuration data, proxied traffic, or other potentially sensitive customer data.

4.0
2018-05-31 CVE-2018-1532 IBM Information Exposure vulnerability in IBM API Connect

IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system.

4.0
2018-05-31 CVE-2016-10555 JWT Simple Project Cryptographic Issues vulnerability in Jwt-Simple Project Jwt-Simple 0.1.0/0.2.0/0.3.0

Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server.

4.0
2018-05-31 CVE-2016-10533 Express Restify Mongoose Project Information Exposure vulnerability in Express-Restify-Mongoose Project Express-Restify-Mongoose

express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models.

4.0
2018-05-31 CVE-2016-10528 Restafary Project Path Traversal vulnerability in Restafary Project Restafary

restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web.

4.0
2018-05-31 CVE-2018-11137 Quest Path Traversal vulnerability in Quest Kace System Management Appliance 8.0.318

The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via Directory Traversal.

4.0
2018-05-29 CVE-2018-1242 EMC OS Command Injection vulnerability in EMC Recoverpoint and Recoverpoint FOR Virtual Machines

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contains a command injection vulnerability in the Boxmgmt CLI.

4.0
2018-05-29 CVE-2018-1241 EMC Information Exposure Through Log Files vulnerability in EMC Recoverpoint and Recoverpoint for Virtual Machines

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, under certain conditions, may leak LDAP password in plain-text into the RecoverPoint log file.

4.0
2018-05-29 CVE-2017-1768 IBM Information Exposure vulnerability in IBM Security Guardium BIG Data Intelligence 3.1

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 generates an error message that includes sensitive information about its environment, users, or associated data.

4.0

22 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-06-02 CVE-2018-1002100 Kubernetes Improper Input Validation vulnerability in Kubernetes

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

3.6
2018-06-02 CVE-2018-11564 Pagekit Cross-site Scripting vulnerability in Pagekit

Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature.

3.5
2018-06-01 CVE-2018-11581 Brother Cross-site Scripting vulnerability in Brother Hl-L2340D Firmware and Hl-L2380Dw Firmware

Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.

3.5
2018-06-01 CVE-2018-10382 Modx Cross-site Scripting vulnerability in Modx Revolution 2.6.3

MODX Revolution 2.6.3 has XSS.

3.5
2018-06-01 CVE-2018-7976 Huawei Cross-site Scripting vulnerability in Huawei Espace Desktop 300R001C00/300R001C50

There is a stored cross-site scripting (XSS) vulnerability in Huawei eSpace Desktop V300R001C00 and V300R001C50 version.

3.5
2018-05-31 CVE-2018-1496 IBM Cross-site Scripting vulnerability in IBM Content Navigator

IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnerable to cross-site scripting.

3.5
2018-05-31 CVE-2016-10537 Backbone Project Cross-site Scripting vulnerability in Backbone Project Backbone

backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input.

3.5
2018-05-31 CVE-2018-11580 Multidots Cross-site Scripting vulnerability in Multidots Mass Pages/Posts Creator 1.2.2

An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress.

3.5
2018-05-31 CVE-2018-11572 Clippercms Cross-site Scripting vulnerability in Clippercms 1.3.3

ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> Manage modules -> edit" action to the manager/ URI.

3.5
2018-05-30 CVE-2018-11559 Domainmod Cross-site Scripting vulnerability in Domainmod 4.10.0

DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter.

3.5
2018-05-30 CVE-2018-11558 Domainmod Cross-site Scripting vulnerability in Domainmod 4.10.0

DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_first_name parameter.

3.5
2018-05-29 CVE-2018-11549 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0

An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring.

3.5
2018-05-28 CVE-2018-11430 Moderator LOG Notes Project Cross-site Scripting vulnerability in Moderator LOG Notes Project Moderator LOG Notes 1.1

An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB.

3.5
2018-05-28 CVE-2018-11512 Creatiwity Cross-site Scripting vulnerability in Creatiwity Witycms 0.6.1

Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.

3.5
2018-05-31 CVE-2018-11631 Rondaful Project Unspecified vulnerability in Rondaful Project Rondaful M1 Wristband Smart Band 1 Firmware

Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to send an arbitrary number of call or SMS notifications via crafted Bluetooth Low Energy (BLE) traffic.

3.3
2018-05-30 CVE-2018-11567 Amazon Session Fixation vulnerability in Amazon products

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill.

3.3
2018-05-30 CVE-2018-11477 Vgate Cleartext Transmission of Sensitive Information vulnerability in Vgate Icar 2 Wi-Fi Obd2 Firmware

An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices.

3.3
2018-06-01 CVE-2018-11195 Mahara Information Exposure vulnerability in Mahara

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" attack.

2.1
2018-05-31 CVE-2016-10549 Sailsjs Cross-site Scripting vulnerability in Sailsjs Sails

Sails is an MVC style framework for building realtime web applications.

2.1
2018-05-31 CVE-2018-11142 Quest Incorrect Authorization vulnerability in Quest Kace System Management Appliance 8.0.318

The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost.

2.1
2018-05-28 CVE-2018-11508 Linux
Canonical
Information Exposure vulnerability in Linux Kernel

The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.

2.1
2018-05-30 CVE-2018-7534 Unisys Key Management Errors vulnerability in Unisys Stealth Authorization Server

In Stealth Authorization Server before 3.3.017.0 in Unisys Stealth Solution, an encryption key may be left in memory.

1.9