Weekly Vulnerabilities Reports > August 13 to 19, 2018

Overview

231 new vulnerabilities reported during this period, including 21 critical vulnerabilities and 68 high severity vulnerabilities. This weekly summary report vulnerabilities in 875 products from 89 vendors including Microsoft, Open EMR, Cisco, HP, and SAP. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Information Exposure", "SQL Injection", and "Path Traversal".

  • 182 reported vulnerabilities are remotely exploitables.
  • 21 reported vulnerabilities have public exploit available.
  • 70 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 178 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 62 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

21 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-08-17 CVE-2018-15353 Kraftway Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Kraftway 24F2Xg Router Firmware

A Buffer Overflow exploited through web interface by remote attacker can cause remote code execution in Kraftway 24F2XG Router firmware 3.5.30.1118.

10.0
2018-08-17 CVE-2018-15350 Kraftway Insecure Default Initialization of Resource vulnerability in Kraftway 24F2Xg Router Firmware

Router Default Credentials in Kraftway 24F2XG Router firmware version 3.5.30.1118 allow remote attackers to get privileged access to the router.

10.0
2018-08-15 CVE-2018-14007 Citrix Path Traversal vulnerability in Citrix Xenserver 7.1/7.4/7.5

Citrix XenServer 7.1 and newer allows Directory Traversal.

10.0
2018-08-15 CVE-2018-8302 Microsoft Out-of-bounds Write vulnerability in Microsoft Exchange Server 2010/2013/2016

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server.

10.0
2018-08-15 CVE-2018-8273 Microsoft Out-of-bounds Write vulnerability in Microsoft SQL Server 2016/2017

A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system, aka "Microsoft SQL Server Remote Code Execution Vulnerability." This affects Microsoft SQL Server.

10.0
2018-08-13 CVE-2018-15124 Zipato Inadequate Encryption Strength vulnerability in Zipato Zipabox Firmware 118

Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.

10.0
2018-08-13 CVE-2018-15123 Zipato Unspecified vulnerability in Zipato Zipabox Firmware 118

Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.

10.0
2018-08-17 CVE-2018-3785 GIT Dummy Commit Project OS Command Injection vulnerability in Git-Dummy-Commit Project Git-Dummy-Commit 1.3.0

A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.

9.8
2018-08-15 CVE-2018-10369 Intelbras Cross-site Scripting vulnerability in Intelbras WIN 240 Firmware 1.1.0

A Cross-site scripting (XSS) vulnerability was discovered on Intelbras Win 240 V1.1.0 devices.

9.8
2018-08-15 CVE-2018-14722 Btrfsmaintenance Project Unspecified vulnerability in Btrfsmaintenance Project Btrfsmaintenance

An issue was discovered in evaluate_auto_mountpoint in btrfsmaintenance-functions in btrfsmaintenance through 0.4.1.

9.3
2018-08-15 CVE-2018-8414 Microsoft Improper Input Validation vulnerability in Microsoft Windows 10 and Windows Server

A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.

9.3
2018-08-15 CVE-2018-8397 Microsoft Unspecified vulnerability in Microsoft Windows 7 and Windows Server 2008

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka "GDI+ Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2.

9.3
2018-08-15 CVE-2018-8379 Microsoft Unspecified vulnerability in Microsoft Excel and Excel 2013 RT

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel.

9.3
2018-08-15 CVE-2018-8376 Microsoft Unspecified vulnerability in Microsoft Powerpoint 2010

A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory, aka "Microsoft PowerPoint Remote Code Execution Vulnerability." This affects Microsoft PowerPoint.

9.3
2018-08-15 CVE-2018-8350 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server

A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory, aka "Windows PDF Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.

9.3
2018-08-15 CVE-2018-8349 Microsoft Deserialization of Untrusted Data vulnerability in Microsoft products

A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2018-08-15 CVE-2018-8346 Microsoft Code Injection vulnerability in Microsoft Windows 7 and Windows Server 2008

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2.

9.3
2018-08-15 CVE-2018-8344 Microsoft Code Injection vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2018-08-13 CVE-2018-10636 Deltaww Out-of-bounds Write vulnerability in Deltaww Cncsoft and Screeneditor

CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has multiple stack-based buffer overflow vulnerabilities that could cause the software to crash due to lacking user input validation before copying data from project files onto the stack.

9.3
2018-08-13 CVE-2018-5925 HP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HP products

A security vulnerability has been identified with certain HP Inkjet printers.

9.3
2018-08-15 CVE-2018-0427 Cisco OS Command Injection vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module Dnac1.1

A vulnerability in the CronJob scheduler API of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to perform a command injection attack.

9.0

68 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-08-14 CVE-2018-14348 Libcgroup Project
Debian
Fedoraproject
Information Exposure vulnerability in multiple products

libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information.

8.1
2018-08-17 CVE-2018-15471 XEN
Linux
Canonical
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products.

7.8
2018-08-17 CVE-2018-5547 F5 Missing Authorization vulnerability in F5 Big-Ip Access Policy Manager Client 7.1.6/7.1.6.1/7.1.7

Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access.

7.8
2018-08-15 CVE-2018-0418 Cisco Improper Input Validation vulnerability in Cisco IOS XR

A vulnerability in the Local Packet Transport Services (LPTS) feature set of Cisco ASR 9000 Series Aggregation Services Router Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.8
2018-08-15 CVE-2018-0410 Cisco Resource Exhaustion vulnerability in Cisco web Security Appliance

A vulnerability in the web proxy functionality of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to exhaust system memory and cause a denial of service (DoS) condition on an affected system.

7.8
2018-08-15 CVE-2018-8375 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel.

7.8
2018-08-14 CVE-2018-7093 HP Unspecified vulnerability in HP products

A security vulnerability in HPE Integrated Lights-Out 3 prior to v1.90, iLO 4 prior to v2.60, iLO 5 prior to v1.30, Moonshot Chassis Manager firmware prior to v1.58, and Moonshot Component Pack prior to v2.55 could be remotely exploited to create a denial of service.

7.8
2018-08-15 CVE-2018-8403 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge and Internet Explorer

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka "Microsoft Browser Memory Corruption Vulnerability." This affects Internet Explorer 11, Microsoft Edge, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8390 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-08-15 CVE-2018-8389 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8387 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge.

7.6
2018-08-15 CVE-2018-8385 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, ChakraCore, Internet Explorer 11, Microsoft Edge, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8384 Microsoft Type Confusion vulnerability in Microsoft Chakracore

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore.

7.6
2018-08-15 CVE-2018-8381 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-08-15 CVE-2018-8380 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-08-15 CVE-2018-8377 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge.

7.6
2018-08-15 CVE-2018-8373 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8372 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge.

7.6
2018-08-15 CVE-2018-8371 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8359 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore.

7.6
2018-08-15 CVE-2018-8355 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge.

7.6
2018-08-15 CVE-2018-8353 Microsoft Use After Free vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8345 Microsoft Code Injection vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

7.6
2018-08-15 CVE-2018-8316 Microsoft Improper Input Validation vulnerability in Microsoft Internet Explorer 10/11

A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 11, Internet Explorer 10.

7.6
2018-08-15 CVE-2018-8266 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-08-18 CVE-2018-15505 Embedthis
Juniper
NULL Pointer Dereference vulnerability in multiple products

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2.

7.5
2018-08-18 CVE-2018-15504 Embedthis
Juniper
NULL Pointer Dereference vulnerability in multiple products

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2.

7.5
2018-08-18 CVE-2018-15494 Dojotoolkit
Debian
Improper Encoding or Escaping of Output vulnerability in multiple products

In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.

7.5
2018-08-17 CVE-2018-15482 Google
LG
Incorrect Permission Assignment for Critical Resource vulnerability in Google Android

Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for MLT application intents.

7.5
2018-08-17 CVE-2018-14982 Google
LG
Incorrect Permission Assignment for Critical Resource vulnerability in Google Android

Certain LG devices based on Android 6.0 through 8.1 have incorrect access control in the GNSS application.

7.5
2018-08-17 CVE-2018-14981 Google
LG
Incorrect Permission Assignment for Critical Resource vulnerability in Google Android

Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents.

7.5
2018-08-17 CVE-2018-15360 Eltex Use of Hard-coded Credentials vulnerability in Eltex Esp-200 Firmware 1.2.0

An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0.

7.5
2018-08-17 CVE-2018-3784 Cryo Project Deserialization of Untrusted Data vulnerability in Cryo Project Cryo 0.0.6

A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.

7.5
2018-08-17 CVE-2018-3783 Flintcms SQL Injection vulnerability in Flintcms

A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.

7.5
2018-08-16 CVE-2018-11511 Asustor SQL Injection vulnerability in Asustor Data Master 3.1.0

The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.

7.5
2018-08-16 CVE-2018-11509 Asustor Use of Hard-coded Credentials vulnerability in Asustor Data Master 3.1.0

ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository.

7.5
2018-08-16 CVE-2018-1712 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM API Connect

IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery.

7.5
2018-08-15 CVE-2018-10510 Trendmicro
Microsoft
Path Traversal vulnerability in Trendmicro Control Manager 6.0/7.0

A Directory Traversal Remote Code Execution vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to execute arbitrary code on vulnerable installations.

7.5
2018-08-15 CVE-2018-11247 Nasdaq Missing Authentication for Critical Function vulnerability in Nasdaq Bwise 5.0

The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81.

7.5
2018-08-15 CVE-2018-12056 ALL FOR ONE Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in All-For-One ALL for ONE

The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call.

7.5
2018-08-14 CVE-2018-3938 Sony Out-of-bounds Write vulnerability in Sony products

An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00.

7.5
2018-08-14 CVE-2018-2449 SAP Improper Authentication vulnerability in SAP Supplier Relationship Management MDM Catalog 3.73/7.31/7.32

SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user.

7.5
2018-08-14 CVE-2018-7096 HP Unspecified vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0

A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7).

7.5
2018-08-14 CVE-2018-7095 HP Unspecified vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0

A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7).

7.5
2018-08-13 CVE-2018-15145 Open EMR SQL Injection vulnerability in Open-Emr Openemr

Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) eid, (2) userid, or (3) pid parameter.

7.5
2018-08-13 CVE-2018-15143 Open EMR SQL Injection vulnerability in Open-Emr Openemr

Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) catid or (2) providerid parameter.

7.5
2018-08-13 CVE-2018-13417 Vuze XXE vulnerability in Vuze Bittorrent Client 5.7.6.0

In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack.

7.5
2018-08-13 CVE-2018-13415 Plex XXE vulnerability in Plex Media Server 1.13.2.5154

In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack.

7.5
2018-08-13 CVE-2018-6414 Hikvision Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hikvision IP Cameras

A buffer overflow vulnerability in the web server of some Hikvision IP Cameras allows an attacker to send a specially crafted message to affected devices.

7.5
2018-08-13 CVE-2018-5924 HP Out-of-bounds Write vulnerability in HP products

A security vulnerability has been identified with certain HP Inkjet printers.

7.5
2018-08-13 CVE-2018-0714 Qnap Command Injection vulnerability in Qnap Helpdesk

Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application.

7.5
2018-08-17 CVE-2018-5546 F5 Incorrect Permission Assignment for Critical Resource vulnerability in F5 products

The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host.

7.2
2018-08-15 CVE-2018-0428 Cisco Improper Privilege Management vulnerability in Cisco web Security Appliance

A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root.

7.2
2018-08-15 CVE-2018-14779 Yubico Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Yubico PIV Manager, PIV Tool and Smart Card Minidriver

A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 smartcard driver.

7.2
2018-08-15 CVE-2018-8406 Microsoft Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-8405 Microsoft Improper Resource Shutdown or Release vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-8404 Microsoft Improper Resource Shutdown or Release vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-8401 Microsoft Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-8400 Microsoft Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows 10 Servers, Windows 10.

7.2
2018-08-15 CVE-2018-8347 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-8343 Microsoft Classic Buffer Overflow vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it, aka "Windows NDIS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-8342 Microsoft Classic Buffer Overflow vulnerability in Microsoft Windows 7 and Windows Server 2008

An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it, aka "Windows NDIS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2008 R2.

7.2
2018-08-15 CVE-2018-0952 Microsoft Unspecified vulnerability in Microsoft products

An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations, aka "Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Microsoft Visual Studio, Windows 10 Servers.

7.2
2018-08-15 CVE-2018-6973 Vmware Out-of-bounds Write vulnerability in VMWare Fusion and Workstation

VMware Workstation (14.x before 14.1.3) and Fusion (10.x before 10.1.3) contain an out-of-bounds write vulnerability in the e1000 device.

7.2
2018-08-13 CVE-2017-7500 RPM Link Following vulnerability in RPM 4.13.0.1/4.14.0.0

It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination.

7.2
2018-08-17 CVE-2018-15351 Kraftway Link Following vulnerability in Kraftway 24F2Xg Router Firmware

Denial of service via crafting malicious link and sending it to a privileged user can cause Denial of Service in Kraftway 24F2XG Router firmware version 3.5.30.1118.

7.1
2018-08-16 CVE-2018-13446 Linecorp Improper Authentication vulnerability in Linecorp Line 8.8.1

An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android.

7.0
2018-08-16 CVE-2018-13435 Linecorp Improper Authentication vulnerability in Linecorp Line 8.8.0

An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS.

7.0

123 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-08-15 CVE-2018-8399 Microsoft Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 10 Servers, Windows 10.

6.9
2018-08-15 CVE-2018-8339 Microsoft Improper Input Validation vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior, aka "Windows Installer Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

6.9
2018-08-17 CVE-2018-14057 Pimcore Cross-Site Request Forgery (CSRF) vulnerability in Pimcore

Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.

6.8
2018-08-16 CVE-2018-15122 Telerik Improper Input Validation vulnerability in Telerik Justassembly and Justdecompile

An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.

6.8
2018-08-15 CVE-2018-1455 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Tivoli Application Dependency Discovery Manager 7.2.2/7.3.0

IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2018-08-14 CVE-2018-2442 SAP Cross-Site Request Forgery (CSRF) vulnerability in SAP products

In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid.

6.8
2018-08-14 CVE-2018-7097 HP Cross-Site Request Forgery (CSRF) vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0

A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7).

6.8
2018-08-13 CVE-2018-14878 Jetbrains Deserialization of Untrusted Data vulnerability in Jetbrains Dotpeek and Resharper Ultimate

JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data.

6.8
2018-08-17 CVE-2018-15359 Eltex Unspecified vulnerability in Eltex Esp-200 Firmware 1.2.0

An authenticated attacker with low privileges can use insecure sudo configuration to expand attack surface in Eltex ESP-200 firmware version 1.2.0.

6.5
2018-08-17 CVE-2018-15358 Eltex Improper Input Validation vulnerability in Eltex Esp-200 Firmware 1.2.0

An authenticated attacker with low privileges can activate high privileged user and use it to expand attack surface in Eltex ESP-200 firmware version 1.2.0.

6.5
2018-08-17 CVE-2018-15356 Eltex Command Injection vulnerability in Eltex Esp-200 Firmware 1.2.0

An authenticated attacker can execute arbitrary code using command ejection in Eltex ESP-200 firmware version 1.2.0.

6.5
2018-08-17 CVE-2018-10873 Spice Project
Debian
Canonical
Redhat
Improper Input Validation vulnerability in multiple products

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks.

6.5
2018-08-16 CVE-2018-12256 Litecart Unrestricted Upload of File with Dangerous Type vulnerability in Litecart

admin/vqmods.app/vqmods.inc.php in LiteCart before 2.1.3 allows remote authenticated attackers to upload a malicious file (resulting in remote code execution) by using the text/xml or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.

6.5
2018-08-16 CVE-2016-9596 Redhat
Xmlsoft
Resource Exhaustion vulnerability in multiple products

libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document.

6.5
2018-08-15 CVE-2018-15156 Open EMR OS Command Injection vulnerability in Open-Emr Openemr

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.

6.5
2018-08-15 CVE-2018-15155 Open EMR OS Command Injection vulnerability in Open-Emr Openemr

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php.

6.5
2018-08-15 CVE-2018-15154 Open EMR OS Command Injection vulnerability in Open-Emr Openemr

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the "print_command" global variable in interface/super/edit_globals.php.

6.5
2018-08-15 CVE-2018-15153 Open EMR OS Command Injection vulnerability in Open-Emr Openemr

OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.

6.5
2018-08-15 CVE-2018-15151 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.

6.5
2018-08-15 CVE-2018-15150 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php.

6.5
2018-08-15 CVE-2018-15149 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter.

6.5
2018-08-15 CVE-2018-15148 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter.

6.5
2018-08-15 CVE-2018-15147 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter.

6.5
2018-08-15 CVE-2018-15146 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.

6.5
2018-08-15 CVE-2018-10917 Pulpproject Path Traversal vulnerability in Pulpproject Pulp

pulp 2.16.x and possibly older is vulnerable to an improper path parsing.

6.5
2018-08-14 CVE-2018-3937 Sony OS Command Injection vulnerability in Sony products

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00.

6.5
2018-08-14 CVE-2018-2450 SAP SQL Injection vulnerability in SAP Maxdb 7.8/7.9

SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database.

6.5
2018-08-13 CVE-2018-15144 Open EMR SQL Injection vulnerability in Open-Emr Openemr

SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the search_term parameter.

6.5
2018-08-13 CVE-2018-15142 Open EMR Path Traversal vulnerability in Open-Emr Openemr

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed directory.

6.5
2018-08-13 CVE-2018-15139 Open EMR Unrestricted Upload of File with Dangerous Type vulnerability in Open-Emr Openemr

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

6.5
2018-08-15 CVE-2018-10511 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Control Manager 6.0/7.0

A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.

6.4
2018-08-15 CVE-2018-15152 Open EMR Improper Authentication vulnerability in Open-Emr Openemr

Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.

6.4
2018-08-16 CVE-2018-13434 Linecorp Improper Authentication vulnerability in Linecorp Line 8.8.0

An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS.

6.3
2018-08-13 CVE-2018-10864 Redhat Resource Exhaustion vulnerability in Redhat Certification

An uncontrolled resource consumption flaw has been discovered in redhat-certification in the way documents are loaded.

6.2
2018-08-14 CVE-2016-4975 Apache CRLF Injection vulnerability in Apache Http Server

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir.

6.1
2018-08-14 CVE-2018-2451 SAP Insufficient Session Expiration vulnerability in SAP Hana Extended Application Services 1.0

XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity.

6.0
2018-08-15 CVE-2018-9129 Zyxel Unspecified vulnerability in Zyxel products

ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections.

5.9
2018-08-13 CVE-2018-10598 Deltaww Out-of-bounds Read vulnerability in Deltaww Cncsoft and Screeneditor

CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities could cause the software to crash due to lacking user input validation for processing project files.

5.8
2018-08-14 CVE-2018-3646 Intel Unspecified vulnerability in Intel products

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

5.6
2018-08-14 CVE-2018-3620 Intel Information Exposure Through Discrepancy vulnerability in Intel products

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

5.6
2018-08-16 CVE-2018-11771 Apache
Oracle
Infinite Loop vulnerability in multiple products

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached.

5.5
2018-08-15 CVE-2018-0415 Cisco 7PK - Errors vulnerability in Cisco products

A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

5.5
2018-08-14 CVE-2018-2445 SAP Server-Side Request Forgery (SSRF) vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2

AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability.

5.5
2018-08-14 CVE-2018-2441 SAP Unspecified vulnerability in SAP Kernel

Under certain conditions the SAP Change and Transport System (ABAP), SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53 and 7.73, allows an attacker to transport information which would otherwise be restricted.

5.5
2018-08-13 CVE-2018-15141 Open EMR Path Traversal vulnerability in Open-Emr Openemr

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete.

5.5
2018-08-14 CVE-2018-3615 Intel Information Exposure Through Discrepancy vulnerability in Intel products

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

5.4
2018-08-17 CVE-2018-15473 Openbsd
Debian
Redhat
Canonical
Netapp
Oracle
Siemens
Race Condition vulnerability in multiple products

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

5.3
2018-08-15 CVE-2018-8357 Microsoft Unspecified vulnerability in Microsoft Edge and Internet Explorer

An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape, aka "Microsoft Browser Elevation of Privilege Vulnerability." This affects Internet Explorer 11, Microsoft Edge.

5.1
2018-08-18 CVE-2018-15503 Swoole Deserialization of Untrusted Data vulnerability in Swoole 4.0.4

The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process.

5.0
2018-08-18 CVE-2018-15501 Debian
Libgit2
Out-of-bounds Read vulnerability in multiple products

In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x before 0.27.4, a remote attacker can send a crafted smart-protocol "ng" packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS.

5.0
2018-08-18 CVE-2018-15495 Tecrail Path Traversal vulnerability in Tecrail Responsive Filemanager

/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.

5.0
2018-08-18 CVE-2018-15492 Gemalto Asymmetric Resource Consumption (Amplification) vulnerability in Gemalto Sentinel License Manager 8.5.3.2403/8.5.3.35

A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.

5.0
2018-08-18 CVE-2018-15491 Zemana Incorrect Permission Assignment for Critical Resource vulnerability in Zemana Antilogger

A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized applications (such as ones that record keystrokes).

5.0
2018-08-17 CVE-2017-1732 IBM Information Exposure vulnerability in IBM Security Access Manager for Enterprise Single Sign-On 8.2.2

IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 does not set the secure attribute on authorization tokens or session cookies.

5.0
2018-08-17 CVE-2018-15354 Kraftway Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Kraftway 24F2Xg Router Firmware

A Buffer Overflow exploited through web interface by remote attacker can cause denial of service in Kraftway 24F2XG Router firmware 3.5.30.1118.

5.0
2018-08-15 CVE-2017-13108 Psafe Use of Hard-coded Credentials vulnerability in Psafe Dfndr Security 5.0.9

DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption.

5.0
2018-08-15 CVE-2017-13107 Liveme Use of Hard-coded Credentials vulnerability in Liveme 3.7.20

Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption.

5.0
2018-08-15 CVE-2017-13106 Cmcm Use of Hard-coded Credentials vulnerability in Cmcm CM Launcher 3D 5.0.3

Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption.

5.0
2018-08-15 CVE-2017-13104 Uber Use of Hard-coded Credentials vulnerability in Uber Ubereats 1.108.10001

Uber Technologies, Inc.

5.0
2018-08-15 CVE-2017-13102 Gameloft Use of Hard-coded Credentials vulnerability in Gameloft Asphalt Xtreme 1.6.0

Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption.

5.0
2018-08-15 CVE-2017-13101 Tiktok Use of Hard-coded Credentials vulnerability in Tiktok Musical.Ly 6.1.6

Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption.

5.0
2018-08-15 CVE-2017-13100 Distinctdev Use of Hard-coded Credentials vulnerability in Distinctdev the Moron Test 6.3.1

DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption.

5.0
2018-08-15 CVE-2018-0409 Cisco Out-of-bounds Read vulnerability in Cisco products

A vulnerability in the XCP Router service of the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS) and Expressway could allow an unauthenticated, remote attacker to cause a temporary service outage for all IM&P users, resulting in a denial of service (DoS) condition.

5.0
2018-08-15 CVE-2018-10512 Trendmicro
Microsoft
Unspecified vulnerability in Trendmicro Control Manager 6.0/7.0

A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to manipulate a reverse proxy .dll on vulnerable installations, which may lead to a denial of server (DoS).

5.0
2018-08-15 CVE-2018-8360 Microsoft Information Exposure vulnerability in Microsoft .Net Framework

An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.0, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 2.0, Microsoft .NET Framework 4.6/4.6.1/4.6.2.

5.0
2018-08-15 CVE-2018-15172 TP Link Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1

TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header.

5.0
2018-08-15 CVE-2018-15138 Ericssonlg Path Traversal vulnerability in Ericssonlg Ipecs NMS 30M2.3Gn/30Mb.2Ia

Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.

5.0
2018-08-15 CVE-2018-11687 Bitcoin RED Project Integer Overflow or Wraparound vulnerability in Bitcoin RED Project Bitcoin RED

An integer overflow in the distributeBTR function of a smart contract implementation for Bitcoin Red (BTCR), an Ethereum ERC20 token, allows the owner to accomplish an unauthorized increase of digital assets by providing a large address[] array, as exploited in the wild in May 2018, aka the "ownerUnderflow" issue.

5.0
2018-08-14 CVE-2018-12537 Eclipse Improper Input Validation vulnerability in Eclipse Vert.X

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value.

5.0
2018-08-14 CVE-2018-14429 MAN CGI Project Path Traversal vulnerability in Man-Cgi Project Man-Cgi

man-cgi before 1.16 allows Local File Inclusion via absolute path traversal, as demonstrated by a cgi-bin/man-cgi?/etc/passwd URI.

5.0
2018-08-14 CVE-2018-5392 Mingw Unspecified vulnerability in Mingw Mingw-W64 5.0.4

mingw-w64 version 5.0.4 by default produces executables that opt in to ASLR, but are not compatible with ASLR.

5.0
2018-08-14 CVE-2018-2448 SAP Unspecified vulnerability in SAP Supplier Relationship Management MDM Catalog 3.0/7.01/7.02

Under certain conditions SAP SRM-MDM (CATALOG versions 3.0, 7.01, 7.02) utilities functionality allows an attacker to access information of user existence which would otherwise be restricted.

5.0
2018-08-14 CVE-2018-2446 SAP Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2

Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure.

5.0
2018-08-14 CVE-2018-7077 HP Unspecified vulnerability in HP products

A security vulnerability in HPE XP P9000 Command View Advanced Edition (CVAE) Device Manager (DevMgr 8.5.0-00 and prior to 8.6.0-00), Configuration Manager (CM 8.5.0-00 and prior to 8.6.0-00) could be exploited to allow local and remote unauthorized access to sensitive information.

5.0
2018-08-13 CVE-2018-15125 Zipato Information Exposure vulnerability in Zipato Zipabox Firmware 118

Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.

5.0
2018-08-13 CVE-2017-1749 IBM Path Traversal vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy 6.1 through 6.9.6.0 could allow a remote attacker to traverse directories on the system.

5.0
2018-08-17 CVE-2018-15470 XEN Resource Exhaustion vulnerability in XEN

An issue was discovered in Xen through 4.11.x.

4.9
2018-08-17 CVE-2018-15469 XEN
Debian
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Xen through 4.11.x.

4.9
2018-08-17 CVE-2018-15468 XEN Incorrect Authorization vulnerability in XEN

An issue was discovered in Xen through 4.11.x.

4.9
2018-08-15 CVE-2018-8412 Microsoft Improper Input Validation vulnerability in Microsoft Office for mac 2016

An elevation of privilege vulnerability exists when the Microsoft AutoUpdate (MAU) application for Mac improperly validates updates before executing them, aka "Microsoft (MAU) Office Elevation of Privilege Vulnerability." This affects Microsoft Office.

4.6
2018-08-15 CVE-2018-8204 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

4.6
2018-08-15 CVE-2018-8200 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

4.6
2018-08-14 CVE-2018-12539 Eclipse
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code.

4.6
2018-08-14 CVE-2018-14424 Gnome Use After Free vulnerability in Gnome Display Manager

The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or potential code execution.

4.6
2018-08-17 CVE-2018-15355 Kraftway Use of a Broken or Risky Cryptographic Algorithm vulnerability in Kraftway 24F2Xg Router Firmware

Usage of SSLv2 and SSLv3 leads to transmitted data decryption in Kraftway 24F2XG Router firmware 3.5.30.1118.

4.3
2018-08-16 CVE-2018-14567 Xmlsoft
Canonical
Debian
Infinite Loop vulnerability in multiple products

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.

4.3
2018-08-16 CVE-2016-9598 Redhat
Xmlsoft
Out-of-bounds Read vulnerability in multiple products

libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document.

4.3
2018-08-16 CVE-2018-10139 Paloaltonetworks Cross-site Scripting vulnerability in Paloaltonetworks Pan-Os

The PAN-OS response for GlobalProtect Gateway in Palo Alto Networks PAN-OS 6.1.21 and earlier, PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.

4.3
2018-08-15 CVE-2017-13105 Hisecuritylab Improper Certificate Validation vulnerability in Hisecuritylab Virus Cleaner 3.7.1.1329

Hi Security Virus Cleaner - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android application accepts all SSL certificates during SSL communication.

4.3
2018-08-15 CVE-2018-0419 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance

A vulnerability in certain attachment detection mechanisms of Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of an affected system.

4.3
2018-08-15 CVE-2018-0386 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in Cisco Unified Communications Domain Manager Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on an affected system.

4.3
2018-08-15 CVE-2018-8753 Clavister Unspecified vulnerability in Clavister COS Core

The IKEv1 implementation in Clavister cOS Core before 11.00.11, 11.20.xx before 11.20.06, and 12.00.xx before 12.00.09 allows remote attackers to decrypt RSA-encrypted nonces by leveraging a Bleichenbacher attack.

4.3
2018-08-15 CVE-2018-8398 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

4.3
2018-08-15 CVE-2018-8394 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

4.3
2018-08-15 CVE-2018-8388 Microsoft Authentication Bypass by Spoofing vulnerability in Microsoft Edge

A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.

4.3
2018-08-15 CVE-2018-8383 Microsoft Authentication Bypass by Spoofing vulnerability in Microsoft Edge

A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.

4.3
2018-08-15 CVE-2018-8382 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka "Microsoft Excel Information Disclosure Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel.

4.3
2018-08-15 CVE-2018-8378 Microsoft Out-of-bounds Read vulnerability in Microsoft products

An information disclosure vulnerability exists when Microsoft Office software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory, aka "Microsoft Office Information Disclosure Vulnerability." This affects Word, Microsoft SharePoint Server, Microsoft Office Word Viewer, Microsoft Excel Viewer, Microsoft SharePoint, Microsoft Office.

4.3
2018-08-15 CVE-2018-8370 Microsoft Information Exposure vulnerability in Microsoft Edge

A information disclosure vulnerability exists when WebAudio Library improperly handles audio requests, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge.

4.3
2018-08-15 CVE-2018-8358 Microsoft Unspecified vulnerability in Microsoft Edge

A security feature bypass vulnerability exists when Microsoft Edge improperly handles redirect requests, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.

4.3
2018-08-15 CVE-2018-8351 Microsoft Inclusion of Functionality from Untrusted Control Sphere vulnerability in Microsoft Edge and Internet Explorer

An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction, aka "Microsoft Browser Information Disclosure Vulnerability." This affects Internet Explorer 11, Microsoft Edge, Internet Explorer 10.

4.3
2018-08-15 CVE-2018-13394 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Questions FOR Confluence

The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.

4.3
2018-08-15 CVE-2018-13393 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Questions FOR Confluence

The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.

4.3
2018-08-14 CVE-2018-14922 Monstra Cross-site Scripting vulnerability in Monstra 3.0.4

Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page.

4.3
2018-08-14 CVE-2018-14888 Thank YOU Like Project Cross-site Scripting vulnerability in Thank You/Like Project Thank You/Like

inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject.

4.3
2018-08-14 CVE-2018-2444 SAP Cross-site Scripting vulnerability in SAP Businessobjects Financial Consolidation 10.0/10.1

SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2018-08-14 CVE-2018-0131 Cisco Inadequate Encryption Strength vulnerability in Cisco IOS and IOS XE

A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session.

4.3
2018-08-13 CVE-2018-12587 German Spelling Dictionary Project Cross-site Scripting vulnerability in German Spelling Dictionary Project German Spelling Dictionary 1.3

A cross-site scripting (XSS) vulnerability was found in valeuraddons German Spelling Dictionary v1.3 (an Opera Browser add-on).

4.3
2018-08-13 CVE-2018-10569 Edimax Cross-site Scripting vulnerability in Edimax Ew-7438Rpn V2 Firmware

An issue was discovered in Edimax EW-7438RPn Mini v2 before version 1.26.

4.3
2018-08-13 CVE-2016-2922 IBM Improper Certificate Validation vulnerability in IBM Rational Clearquest

IBM Rational ClearQuest 8.0 through 8.0.1.9 and 9.0 through 9.0.1.3 (CQ OSLC linkages, EmailRelay) fails to check the SSL certificate against the requested hostname.

4.3
2018-08-13 CVE-2018-13392 Atlassian Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye

Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.

4.3
2018-08-13 CVE-2018-11770 Apache Improper Authentication vulnerability in Apache Spark

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit.

4.2
2018-08-17 CVE-2018-14058 Pimcore SQL Injection vulnerability in Pimcore

Pimcore before 5.3.0 allows SQL Injection via the REST web service API.

4.0
2018-08-17 CVE-2018-15357 Eltex Information Exposure vulnerability in Eltex Esp-200 Firmware 1.2.0

An authenticated attacker with low privileges can extract password hash information for all users in Eltex ESP-200 firmware version 1.2.0.

4.0
2018-08-17 CVE-2018-15352 Kraftway Unspecified vulnerability in Kraftway 24F2Xg Router Firmware 3.5.30.1118

An attacker with low privileges can cause denial of service in Kraftway 24F2XG Router firmware version 3.5.30.1118.

4.0
2018-08-16 CVE-2018-10140 Paloaltonetworks Improper Input Validation vulnerability in Paloaltonetworks Pan-Os 8.1.0/8.1.1/8.1.2

The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 and earlier may allow an authenticated user to shut down all management sessions, resulting in all logged in users to be redirected to the login page.

4.0
2018-08-15 CVE-2018-8374 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016

A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data, aka "Microsoft Exchange Server Tampering Vulnerability." This affects Microsoft Exchange Server.

4.0
2018-08-15 CVE-2018-8340 Microsoft Unspecified vulnerability in Microsoft Windows Server 2012 and Windows Server 2016

A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests, aka "AD FS Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows Server 2012 R2, Windows 10 Servers.

4.0
2018-08-14 CVE-2018-2447 SAP SQL Injection vulnerability in SAP Businessobjects Business Intelligence 4.2

SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database.

4.0
2018-08-13 CVE-2018-6970 Vmware Out-of-bounds Read vulnerability in VMWare Horizon Client and Horizon View

VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library.

4.0
2018-08-13 CVE-2018-15140 Open EMR Path Traversal vulnerability in Open-Emr Openemr

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get.

4.0
2018-08-13 CVE-2017-15138 Redhat Information Exposure vulnerability in Redhat Openshift Container Platform 3.9

The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens.

4.0
2018-08-13 CVE-2017-1286 IBM Information Exposure vulnerability in IBM Urbancode Deploy

Sensitive information about the configuration of the IBM UrbanCode Deploy 6.1 through 6.9.6.0 server and database can be obtained by a user who has been given elevated permissions in the UI, even after those elevated permissions have been revoked.

4.0

19 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-08-17 CVE-2018-6622 Trustedcomputinggroup Unspecified vulnerability in Trustedcomputinggroup Trusted Platform Module 2.0

An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification.

3.6
2018-08-14 CVE-2018-7098 HP Path Traversal vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0

A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7).

3.6
2018-08-16 CVE-2018-1715 IBM Cross-site Scripting vulnerability in IBM Maximo Asset Management

IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-site scripting.

3.5
2018-08-15 CVE-2018-0367 Cisco Cross-site Scripting vulnerability in Cisco Registered Envelope Service

A vulnerability in the web-based management interface of the Cisco Registered Envelope Service could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service.

3.5
2018-08-13 CVE-2018-3781 Nextcloud Cross-site Scripting vulnerability in Nextcloud Talk

A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction.

3.5
2018-08-13 CVE-2018-3780 Nextcloud Cross-site Scripting vulnerability in Nextcloud Server

A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction.

3.5
2018-08-13 CVE-2018-14850 Tiki Cross-site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware

Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image.

3.5
2018-08-13 CVE-2018-14849 Tiki Cross-site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware

Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php.

3.5
2018-08-15 CVE-2018-0412 Cisco Unspecified vulnerability in Cisco products

A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an unauthenticated, adjacent attacker to force the downgrade of the encryption algorithm that is used between an authenticator (access point) and a supplicant (Wi-Fi client).

2.9
2018-08-13 CVE-2018-14781 Medtronicdiabetes Improper Authentication vulnerability in Medtronicdiabetes products

Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolus" options enabled (non-default), are vulnerable to a capture-replay attack.

2.9
2018-08-13 CVE-2018-10634 Medtronic Cleartext Transmission of Sensitive Information vulnerability in Medtronic products

Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G communications between the pump and wireless accessories are transmitted in cleartext.

2.9
2018-08-15 CVE-2018-14780 Yubico Out-of-bounds Read vulnerability in Yubico PIV Manager, PIV Tool and Smart Card Minidriver

An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 smartcard driver.

2.1
2018-08-15 CVE-2018-8253 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when Microsoft Cortana allows arbitrary website browsing on the lockscreen, aka "Microsoft Cortana Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10.

2.1
2018-08-14 CVE-2018-7100 HP Unspecified vulnerability in HP products

A potential security vulnerability has been identified in HPE OfficeConnect 1810 Switch Series (HP 1810-24G - P.2.22 and previous versions, HP 1810-48G PK.1.34 and previous versions, HP 1810-8 v2 P.2.22 and previous versions).

2.1
2018-08-14 CVE-2018-7099 HP Unspecified vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0

A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7).

2.1
2018-08-14 CVE-2018-7094 HPE Unspecified vulnerability in HPE 3Par Service Provider

A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-5.0.0.0-22913(GA).

2.1
2018-08-15 CVE-2018-8396 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2.

1.9
2018-08-15 CVE-2018-8348 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

1.9
2018-08-15 CVE-2018-8341 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

1.9