Weekly Vulnerabilities Reports > August 13 to 19, 2018
Overview
231 new vulnerabilities were reported during this period, including 21 critical vulnerabilities and 68 high severity vulnerabilities. This weekly summary reports vulnerabilities in 875 products from 89 vendors including Microsoft, Open EMR, Cisco, HP, and SAP. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Information Exposure", "SQL Injection", and "Path Traversal".
- 182 reported vulnerabilities are remotely exploitable.
- 21 reported vulnerabilities have a public exploit available.
- 70 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 178 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 62 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 10 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
21 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-08-17 | CVE-2018-15353 | Kraftway | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Kraftway 24F2Xg Router Firmware A Buffer Overflow exploited through web interface by remote attacker can cause remote code execution in Kraftway 24F2XG Router firmware 3.5.30.1118. | 10.0 |
2018-08-17 | CVE-2018-15350 | Kraftway | Insecure Default Initialization of Resource vulnerability in Kraftway 24F2Xg Router Firmware Router Default Credentials in Kraftway 24F2XG Router firmware version 3.5.30.1118 allow remote attackers to get privileged access to the router. | 10.0 |
2018-08-15 | CVE-2018-14007 | Citrix | Path Traversal vulnerability in Citrix Xenserver 7.1/7.4/7.5 Citrix XenServer 7.1 and newer allows Directory Traversal. | 10.0 |
2018-08-15 | CVE-2018-8302 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Exchange Server 2010/2013/2016 A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server. | 10.0 |
2018-08-15 | CVE-2018-8273 | Microsoft | Out-of-bounds Write vulnerability in Microsoft SQL Server 2016/2017 A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system, aka "Microsoft SQL Server Remote Code Execution Vulnerability." This affects Microsoft SQL Server. | 10.0 |
2018-08-13 | CVE-2018-15124 | Zipato | Inadequate Encryption Strength vulnerability in Zipato Zipabox Firmware 118 Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows an unauthenticated attacker to extract clear text passwords and get root access on the device. | 10.0 |
2018-08-13 | CVE-2018-15123 | Zipato | Unspecified vulnerability in Zipato Zipabox Firmware 118 Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows a remote attacker to perform new attack vectors and take control of the device and smart home. | 10.0 |
2018-08-17 | CVE-2018-3785 | GIT Dummy Commit Project | OS Command Injection vulnerability in Git-Dummy-Commit Project Git-Dummy-Commit 1.3.0 A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter. | 9.8 |
2018-08-15 | CVE-2018-10369 | Intelbras | Cross-site Scripting vulnerability in Intelbras WIN 240 Firmware 1.1.0 A Cross-site scripting (XSS) vulnerability was discovered on Intelbras Win 240 V1.1.0 devices. | 9.8 |
2018-08-15 | CVE-2018-14722 | Btrfsmaintenance Project | Unspecified vulnerability in Btrfsmaintenance Project Btrfsmaintenance An issue was discovered in evaluate_auto_mountpoint in btrfsmaintenance-functions in btrfsmaintenance through 0.4.1. | 9.3 |
2018-08-15 | CVE-2018-8414 | Microsoft | Improper Input Validation vulnerability in Microsoft Windows 10 and Windows Server A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10. | 9.3 |
2018-08-15 | CVE-2018-8397 | Microsoft | Unspecified vulnerability in Microsoft Windows 7 and Windows Server 2008 A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka "GDI+ Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. | 9.3 |
2018-08-15 | CVE-2018-8379 | Microsoft | Unspecified vulnerability in Microsoft Excel and Excel 2013 RT A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel. | 9.3 |
2018-08-15 | CVE-2018-8376 | Microsoft | Unspecified vulnerability in Microsoft Powerpoint 2010 A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory, aka "Microsoft PowerPoint Remote Code Execution Vulnerability." This affects Microsoft PowerPoint. | 9.3 |
2018-08-15 | CVE-2018-8350 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory, aka "Windows PDF Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10. | 9.3 |
2018-08-15 | CVE-2018-8349 | Microsoft | Deserialization of Untrusted Data vulnerability in Microsoft products A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 9.3 |
2018-08-15 | CVE-2018-8346 | Microsoft | Code Injection vulnerability in Microsoft Windows 7 and Windows Server 2008 A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. | 9.3 |
2018-08-15 | CVE-2018-8344 | Microsoft | Code Injection vulnerability in Microsoft products A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 9.3 |
2018-08-13 | CVE-2018-10636 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Cncsoft and Screeneditor CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has multiple stack-based buffer overflow vulnerabilities that could cause the software to crash due to lacking user input validation before copying data from project files onto the stack. | 9.3 |
2018-08-13 | CVE-2018-5925 | HP | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HP products A security vulnerability has been identified with certain HP Inkjet printers. | 9.3 |
2018-08-15 | CVE-2018-0427 | Cisco | OS Command Injection vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module Dnac1.1 A vulnerability in the CronJob scheduler API of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to perform a command injection attack. | 9.0 |
68 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-08-14 | CVE-2018-14348 | Libcgroup Project Debian Fedoraproject | Information Exposure vulnerability in multiple products libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information. | 8.1 |
2018-08-17 | CVE-2018-15471 | XEN Linux Canonical | Out-of-bounds Read vulnerability in multiple products An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. | 7.8 |
2018-08-17 | CVE-2018-5547 | F5 | Missing Authorization vulnerability in F5 Big-Ip Access Policy Manager Client 7.1.6/7.1.6.1/7.1.7 Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access. | 7.8 |
2018-08-15 | CVE-2018-0418 | Cisco | Improper Input Validation vulnerability in Cisco IOS XR A vulnerability in the Local Packet Transport Services (LPTS) feature set of Cisco ASR 9000 Series Aggregation Services Router Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.8 |
2018-08-15 | CVE-2018-0410 | Cisco | Resource Exhaustion vulnerability in Cisco web Security Appliance A vulnerability in the web proxy functionality of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to exhaust system memory and cause a denial of service (DoS) condition on an affected system. | 7.8 |
2018-08-15 | CVE-2018-8375 | Microsoft | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel. | 7.8 |
2018-08-14 | CVE-2018-7093 | HP | Unspecified vulnerability in HP products A security vulnerability in HPE Integrated Lights-Out 3 prior to v1.90, iLO 4 prior to v2.60, iLO 5 prior to v1.30, Moonshot Chassis Manager firmware prior to v1.58, and Moonshot Component Pack prior to v2.55 could be remotely exploited to create a denial of service. | 7.8 |
2018-08-15 | CVE-2018-8403 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Edge and Internet Explorer A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka "Microsoft Browser Memory Corruption Vulnerability." This affects Internet Explorer 11, Microsoft Edge, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8390 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. | 7.6 |
2018-08-15 | CVE-2018-8389 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8387 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Edge A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. | 7.6 |
2018-08-15 | CVE-2018-8385 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, ChakraCore, Internet Explorer 11, Microsoft Edge, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8384 | Microsoft | Type Confusion vulnerability in Microsoft Chakracore A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. | 7.6 |
2018-08-15 | CVE-2018-8381 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. | 7.6 |
2018-08-15 | CVE-2018-8380 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. | 7.6 |
2018-08-15 | CVE-2018-8377 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Edge A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. | 7.6 |
2018-08-15 | CVE-2018-8373 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8372 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. | 7.6 |
2018-08-15 | CVE-2018-8371 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8359 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. | 7.6 |
2018-08-15 | CVE-2018-8355 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore, Edge and Internet Explorer A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. | 7.6 |
2018-08-15 | CVE-2018-8353 | Microsoft | Use After Free vulnerability in Microsoft Internet Explorer 10/11/9 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8345 | Microsoft | Code Injection vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 7.6 |
2018-08-15 | CVE-2018-8316 | Microsoft | Improper Input Validation vulnerability in Microsoft Internet Explorer 10/11 A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 11, Internet Explorer 10. | 7.6 |
2018-08-15 | CVE-2018-8266 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. | 7.6 |
2018-08-18 | CVE-2018-15505 | Embedthis Juniper | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. | 7.5 |
2018-08-18 | CVE-2018-15504 | Embedthis Juniper | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. | 7.5 |
2018-08-18 | CVE-2018-15494 | Dojotoolkit Debian | Improper Encoding or Escaping of Output vulnerability in multiple products In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid. | 7.5 |
2018-08-17 | CVE-2018-15482 | Google LG | Incorrect Permission Assignment for Critical Resource vulnerability in Google Android Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for MLT application intents. | 7.5 |
2018-08-17 | CVE-2018-14982 | Google LG | Incorrect Permission Assignment for Critical Resource vulnerability in Google Android Certain LG devices based on Android 6.0 through 8.1 have incorrect access control in the GNSS application. | 7.5 |
2018-08-17 | CVE-2018-14981 | Google LG | Incorrect Permission Assignment for Critical Resource vulnerability in Google Android Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents. | 7.5 |
2018-08-17 | CVE-2018-15360 | Eltex | Use of Hard-coded Credentials vulnerability in Eltex Esp-200 Firmware 1.2.0 An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0. | 7.5 |
2018-08-17 | CVE-2018-3784 | Cryo Project | Deserialization of Untrusted Data vulnerability in Cryo Project Cryo 0.0.6 A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization. | 7.5 |
2018-08-17 | CVE-2018-3783 | Flintcms | SQL Injection vulnerability in Flintcms A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset. | 7.5 |
2018-08-16 | CVE-2018-11511 | Asustor | SQL Injection vulnerability in Asustor Data Master 3.1.0 The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI. | 7.5 |
2018-08-16 | CVE-2018-11509 | Asustor | Use of Hard-coded Credentials vulnerability in Asustor Data Master 3.1.0 ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. | 7.5 |
2018-08-16 | CVE-2018-1712 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM API Connect IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery. | 7.5 |
2018-08-15 | CVE-2018-10510 | Trendmicro Microsoft | Path Traversal vulnerability in Trendmicro Control Manager 6.0/7.0 A Directory Traversal Remote Code Execution vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to execute arbitrary code on vulnerable installations. | 7.5 |
2018-08-15 | CVE-2018-11247 | Nasdaq | Missing Authentication for Critical Function vulnerability in Nasdaq Bwise 5.0 The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81. | 7.5 |
2018-08-15 | CVE-2018-12056 | ALL FOR ONE | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in All-For-One ALL for ONE The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call. | 7.5 |
2018-08-14 | CVE-2018-3938 | Sony | Out-of-bounds Write vulnerability in Sony products An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. | 7.5 |
2018-08-14 | CVE-2018-2449 | SAP | Improper Authentication vulnerability in SAP Supplier Relationship Management MDM Catalog 3.73/7.31/7.32 SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. | 7.5 |
2018-08-14 | CVE-2018-7096 | HP | Unspecified vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0 A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). | 7.5 |
2018-08-14 | CVE-2018-7095 | HP | Unspecified vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0 A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). | 7.5 |
2018-08-13 | CVE-2018-15145 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) eid, (2) userid, or (3) pid parameter. | 7.5 |
2018-08-13 | CVE-2018-15143 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) catid or (2) providerid parameter. | 7.5 |
2018-08-13 | CVE-2018-13417 | Vuze | XXE vulnerability in Vuze Bittorrent Client 5.7.6.0 In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. | 7.5 |
2018-08-13 | CVE-2018-13415 | Plex | XXE vulnerability in Plex Media Server 1.13.2.5154 In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. | 7.5 |
2018-08-13 | CVE-2018-6414 | Hikvision | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hikvision IP Cameras A buffer overflow vulnerability in the web server of some Hikvision IP Cameras allows an attacker to send a specially crafted message to affected devices. | 7.5 |
2018-08-13 | CVE-2018-5924 | HP | Out-of-bounds Write vulnerability in HP products A security vulnerability has been identified with certain HP Inkjet printers. | 7.5 |
2018-08-13 | CVE-2018-0714 | Qnap | Command Injection vulnerability in Qnap Helpdesk Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application. | 7.5 |
2018-08-17 | CVE-2018-5546 | F5 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 products The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS run as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. | 7.2 |
2018-08-15 | CVE-2018-0428 | Cisco | Improper Privilege Management vulnerability in Cisco web Security Appliance A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. | 7.2 |
2018-08-15 | CVE-2018-14779 | Yubico | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Yubico PIV Manager, PIV Tool and Smart Card Minidriver A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. | 7.2 |
2018-08-15 | CVE-2018-8406 | Microsoft | Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server 2016 An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-8405 | Microsoft | Improper Resource Shutdown or Release vulnerability in Microsoft products An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-8404 | Microsoft | Improper Resource Shutdown or Release vulnerability in Microsoft products An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-8401 | Microsoft | Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server 2016 An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-8400 | Microsoft | Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server 2016 An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows 10 Servers, Windows 10. | 7.2 |
2018-08-15 | CVE-2018-8347 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-8343 | Microsoft | Classic Buffer Overflow vulnerability in Microsoft products An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it, aka "Windows NDIS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-8342 | Microsoft | Classic Buffer Overflow vulnerability in Microsoft Windows 7 and Windows Server 2008 An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it, aka "Windows NDIS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2008 R2. | 7.2 |
2018-08-15 | CVE-2018-0952 | Microsoft | Unspecified vulnerability in Microsoft products An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations, aka "Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Microsoft Visual Studio, Windows 10 Servers. | 7.2 |
2018-08-15 | CVE-2018-6973 | Vmware | Out-of-bounds Write vulnerability in VMWare Fusion and Workstation VMware Workstation (14.x before 14.1.3) and Fusion (10.x before 10.1.3) contain an out-of-bounds write vulnerability in the e1000 device. | 7.2 |
2018-08-13 | CVE-2017-7500 | RPM | Link Following vulnerability in RPM 4.13.0.1/4.14.0.0 It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. | 7.2 |
2018-08-17 | CVE-2018-15351 | Kraftway | Link Following vulnerability in Kraftway 24F2Xg Router Firmware Denial of service via crafting malicious link and sending it to a privileged user can cause Denial of Service in Kraftway 24F2XG Router firmware version 3.5.30.1118. | 7.1 |
2018-08-16 | CVE-2018-13446 | Linecorp | Improper Authentication vulnerability in Linecorp Line 8.8.1 An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. | 7.0 |
2018-08-16 | CVE-2018-13435 | Linecorp | Improper Authentication vulnerability in Linecorp Line 8.8.0 An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. | 7.0 |
123 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-08-15 | CVE-2018-8399 | Microsoft | Improper Resource Shutdown or Release vulnerability in Microsoft Windows 10 and Windows Server An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 10 Servers, Windows 10. | 6.9 |
2018-08-15 | CVE-2018-8339 | Microsoft | Improper Input Validation vulnerability in Microsoft products An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior, aka "Windows Installer Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 6.9 |
2018-08-17 | CVE-2018-14057 | Pimcore | Cross-Site Request Forgery (CSRF) vulnerability in Pimcore Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function. | 6.8 |
2018-08-16 | CVE-2018-15122 | Telerik | Improper Input Validation vulnerability in Telerik Justassembly and Justdecompile An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource. | 6.8 |
2018-08-15 | CVE-2018-1455 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Tivoli Application Dependency Discovery Manager 7.2.2/7.3.0 IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 6.8 |
2018-08-14 | CVE-2018-2442 | SAP | Cross-Site Request Forgery (CSRF) vulnerability in SAP products In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid. | 6.8 |
2018-08-14 | CVE-2018-7097 | HP | Cross-Site Request Forgery (CSRF) vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0 A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). | 6.8 |
2018-08-13 | CVE-2018-14878 | Jetbrains | Deserialization of Untrusted Data vulnerability in Jetbrains Dotpeek and Resharper Ultimate JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data. | 6.8 |
2018-08-17 | CVE-2018-15359 | Eltex | Unspecified vulnerability in Eltex Esp-200 Firmware 1.2.0 An authenticated attacker with low privileges can use insecure sudo configuration to expand attack surface in Eltex ESP-200 firmware version 1.2.0. | 6.5 |
2018-08-17 | CVE-2018-15358 | Eltex | Improper Input Validation vulnerability in Eltex Esp-200 Firmware 1.2.0 An authenticated attacker with low privileges can activate a high-privileged user and use it to expand the attack surface in Eltex ESP-200 firmware version 1.2.0. | 6.5 |
2018-08-17 | CVE-2018-15356 | Eltex | Command Injection vulnerability in Eltex Esp-200 Firmware 1.2.0 An authenticated attacker can execute arbitrary code using command injection in Eltex ESP-200 firmware version 1.2.0. | 6.5 |
2018-08-17 | CVE-2018-10873 | Spice Project Debian Canonical Redhat | Improper Input Validation vulnerability in multiple products A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. | 6.5 |
2018-08-16 | CVE-2018-12256 | Litecart | Unrestricted Upload of File with Dangerous Type vulnerability in Litecart admin/vqmods.app/vqmods.inc.php in LiteCart before 2.1.3 allows remote authenticated attackers to upload a malicious file (resulting in remote code execution) by using the text/xml or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request. | 6.5 |
2018-08-16 | CVE-2016-9596 | Redhat Xmlsoft | Resource Exhaustion vulnerability in multiple products libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. | 6.5 |
2018-08-15 | CVE-2018-15156 | Open EMR | OS Command Injection vulnerability in Open-Emr Openemr OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. | 6.5 |
2018-08-15 | CVE-2018-15155 | Open EMR | OS Command Injection vulnerability in Open-Emr Openemr OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php. | 6.5 |
2018-08-15 | CVE-2018-15154 | Open EMR | OS Command Injection vulnerability in Open-Emr Openemr OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the "print_command" global variable in interface/super/edit_globals.php. | 6.5 |
2018-08-15 | CVE-2018-15153 | Open EMR | OS Command Injection vulnerability in Open-Emr Openemr OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. | 6.5 |
2018-08-15 | CVE-2018-15151 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. | 6.5 |
2018-08-15 | CVE-2018-15150 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php. | 6.5 |
2018-08-15 | CVE-2018-15149 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter. | 6.5 |
2018-08-15 | CVE-2018-15148 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter. | 6.5 |
2018-08-15 | CVE-2018-15147 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter. | 6.5 |
2018-08-15 | CVE-2018-15146 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. | 6.5 |
2018-08-15 | CVE-2018-10917 | Pulpproject | Path Traversal vulnerability in Pulpproject Pulp pulp 2.16.x and possibly older is vulnerable to an improper path parsing. | 6.5 |
2018-08-14 | CVE-2018-3937 | Sony | OS Command Injection vulnerability in Sony products An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. | 6.5 |
2018-08-14 | CVE-2018-2450 | SAP | SQL Injection vulnerability in SAP Maxdb 7.8/7.9 SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database. | 6.5 |
2018-08-13 | CVE-2018-15144 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the search_term parameter. | 6.5 |
2018-08-13 | CVE-2018-15142 | Open EMR | Path Traversal vulnerability in Open-Emr Openemr Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file with a PHP extension via the "docid" and "content" parameters and accessing it in the traversed directory. | 6.5 |
2018-08-13 | CVE-2018-15139 | Open EMR | Unrestricted Upload of File with Dangerous Type vulnerability in Open-Emr Openemr Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory. | 6.5 |
2018-08-15 | CVE-2018-10511 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Control Manager 6.0/7.0 A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations. | 6.4 |
2018-08-15 | CVE-2018-15152 | Open EMR | Improper Authentication vulnerability in Open-Emr Openemr Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient. | 6.4 |
2018-08-16 | CVE-2018-13434 | Linecorp | Improper Authentication vulnerability in Linecorp Line 8.8.0 An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. | 6.3 |
2018-08-13 | CVE-2018-10864 | Redhat | Resource Exhaustion vulnerability in Redhat Certification An uncontrolled resource consumption flaw has been discovered in redhat-certification in the way documents are loaded. | 6.2 |
2018-08-14 | CVE-2016-4975 | Apache | CRLF Injection vulnerability in Apache Http Server Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. | 6.1 |
2018-08-14 | CVE-2018-2451 | SAP | Insufficient Session Expiration vulnerability in SAP Hana Extended Application Services 1.0 XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. | 6.0 |
2018-08-15 | CVE-2018-9129 | Zyxel | Unspecified vulnerability in Zyxel products ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections. | 5.9 |
2018-08-13 | CVE-2018-10598 | Deltaww | Out-of-bounds Read vulnerability in Deltaww Cncsoft and Screeneditor CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities that could cause the software to crash due to lacking user input validation for processing project files. | 5.8 |
2018-08-14 | CVE-2018-3646 | Intel | Unspecified vulnerability in Intel products Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. | 5.6 |
2018-08-14 | CVE-2018-3620 | Intel | Information Exposure Through Discrepancy vulnerability in Intel products Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. | 5.6 |
2018-08-16 | CVE-2018-11771 | Apache Oracle | Infinite Loop vulnerability in multiple products When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. | 5.5 |
2018-08-15 | CVE-2018-0415 | Cisco | 7PK - Errors vulnerability in Cisco products A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. | 5.5 |
2018-08-14 | CVE-2018-2445 | SAP | Server-Side Request Forgery (SSRF) vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2 AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability. | 5.5 |
2018-08-14 | CVE-2018-2441 | SAP | Unspecified vulnerability in SAP Kernel Under certain conditions the SAP Change and Transport System (ABAP), SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53 and 7.73, allows an attacker to transport information which would otherwise be restricted. | 5.5 |
2018-08-13 | CVE-2018-15141 | Open EMR | Path Traversal vulnerability in Open-Emr Openemr Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete. | 5.5 |
2018-08-14 | CVE-2018-3615 | Intel | Information Exposure Through Discrepancy vulnerability in Intel products Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis. | 5.4 |
2018-08-17 | CVE-2018-15473 | Openbsd Debian Redhat Canonical Netapp Oracle Siemens | Race Condition vulnerability in multiple products OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. | 5.3 |
2018-08-15 | CVE-2018-8357 | Microsoft | Unspecified vulnerability in Microsoft Edge and Internet Explorer An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape, aka "Microsoft Browser Elevation of Privilege Vulnerability." This affects Internet Explorer 11, Microsoft Edge. | 5.1 |
2018-08-18 | CVE-2018-15503 | Swoole | Deserialization of Untrusted Data vulnerability in Swoole 4.0.4 The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. | 5.0 |
2018-08-18 | CVE-2018-15501 | Debian Libgit2 | Out-of-bounds Read vulnerability in multiple products In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x before 0.27.4, a remote attacker can send a crafted smart-protocol "ng" packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS. | 5.0 |
2018-08-18 | CVE-2018-15495 | Tecrail | Path Traversal vulnerability in Tecrail Responsive Filemanager /filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value. | 5.0 |
2018-08-18 | CVE-2018-15492 | Gemalto | Asymmetric Resource Consumption (Amplification) vulnerability in Gemalto Sentinel License Manager 8.5.3.2403/8.5.3.35 A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification. | 5.0 |
2018-08-18 | CVE-2018-15491 | Zemana | Incorrect Permission Assignment for Critical Resource vulnerability in Zemana Antilogger A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized applications (such as ones that record keystrokes). | 5.0 |
2018-08-17 | CVE-2017-1732 | IBM | Information Exposure vulnerability in IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 does not set the secure attribute on authorization tokens or session cookies. | 5.0 |
2018-08-17 | CVE-2018-15354 | Kraftway | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Kraftway 24F2Xg Router Firmware A buffer overflow exploited through the web interface by a remote attacker can cause denial of service in Kraftway 24F2XG Router firmware 3.5.30.1118. | 5.0 |
2018-08-15 | CVE-2017-13108 | Psafe | Use of Hard-coded Credentials vulnerability in Psafe Dfndr Security 5.0.9 DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. | 5.0 |
2018-08-15 | CVE-2017-13107 | Liveme | Use of Hard-coded Credentials vulnerability in Liveme 3.7.20 Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. | 5.0 |
2018-08-15 | CVE-2017-13106 | Cmcm | Use of Hard-coded Credentials vulnerability in Cmcm CM Launcher 3D 5.0.3 Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. | 5.0 |
2018-08-15 | CVE-2017-13104 | Uber | Use of Hard-coded Credentials vulnerability in Uber Ubereats 1.108.10001 Uber Technologies, Inc. | 5.0 |
2018-08-15 | CVE-2017-13102 | Gameloft | Use of Hard-coded Credentials vulnerability in Gameloft Asphalt Xtreme 1.6.0 Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption. | 5.0 |
2018-08-15 | CVE-2017-13101 | Tiktok | Use of Hard-coded Credentials vulnerability in Tiktok Musical.Ly 6.1.6 Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. | 5.0 |
2018-08-15 | CVE-2017-13100 | Distinctdev | Use of Hard-coded Credentials vulnerability in Distinctdev the Moron Test 6.3.1 DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. | 5.0 |
2018-08-15 | CVE-2018-0409 | Cisco | Out-of-bounds Read vulnerability in Cisco products A vulnerability in the XCP Router service of the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS) and Expressway could allow an unauthenticated, remote attacker to cause a temporary service outage for all IM&P users, resulting in a denial of service (DoS) condition. | 5.0 |
2018-08-15 | CVE-2018-10512 | Trendmicro Microsoft | Unspecified vulnerability in Trendmicro Control Manager 6.0/7.0 A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to manipulate a reverse proxy .dll on vulnerable installations, which may lead to a denial of service (DoS). | 5.0 |
2018-08-15 | CVE-2018-8360 | Microsoft | Information Exposure vulnerability in Microsoft .Net Framework An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.0, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 2.0, Microsoft .NET Framework 4.6/4.6.1/4.6.2. | 5.0 |
2018-08-15 | CVE-2018-15172 | TP Link | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1 TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header. | 5.0 |
2018-08-15 | CVE-2018-15138 | Ericssonlg | Path Traversal vulnerability in Ericssonlg Ipecs NMS 30M2.3Gn/30Mb.2Ia Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. | 5.0 |
2018-08-15 | CVE-2018-11687 | Bitcoin RED Project | Integer Overflow or Wraparound vulnerability in Bitcoin RED Project Bitcoin RED An integer overflow in the distributeBTR function of a smart contract implementation for Bitcoin Red (BTCR), an Ethereum ERC20 token, allows the owner to accomplish an unauthorized increase of digital assets by providing a large address[] array, as exploited in the wild in May 2018, aka the "ownerUnderflow" issue. | 5.0 |
2018-08-14 | CVE-2018-12537 | Eclipse | Improper Input Validation vulnerability in Eclipse Vert.X In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. | 5.0 |
2018-08-14 | CVE-2018-14429 | MAN CGI Project | Path Traversal vulnerability in Man-Cgi Project Man-Cgi man-cgi before 1.16 allows Local File Inclusion via absolute path traversal, as demonstrated by a cgi-bin/man-cgi?/etc/passwd URI. | 5.0 |
2018-08-14 | CVE-2018-5392 | Mingw | Unspecified vulnerability in Mingw Mingw-W64 5.0.4 mingw-w64 version 5.0.4 by default produces executables that opt in to ASLR, but are not compatible with ASLR. | 5.0 |
2018-08-14 | CVE-2018-2448 | SAP | Unspecified vulnerability in SAP Supplier Relationship Management MDM Catalog 3.0/7.01/7.02 Under certain conditions SAP SRM-MDM (CATALOG versions 3.0, 7.01, 7.02) utilities functionality allows an attacker to access information of user existence which would otherwise be restricted. | 5.0 |
2018-08-14 | CVE-2018-2446 | SAP | Unspecified vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2 Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure. | 5.0 |
2018-08-14 | CVE-2018-7077 | HP | Unspecified vulnerability in HP products A security vulnerability in HPE XP P9000 Command View Advanced Edition (CVAE) Device Manager (DevMgr 8.5.0-00 and prior to 8.6.0-00), Configuration Manager (CM 8.5.0-00 and prior to 8.6.0-00) could be exploited to allow local and remote unauthorized access to sensitive information. | 5.0 |
2018-08-13 | CVE-2018-15125 | Zipato | Information Exposure vulnerability in Zipato Zipabox Firmware 118 Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows a remote attacker to get sensitive information that expands the attack surface. | 5.0 |
2018-08-13 | CVE-2017-1749 | IBM | Path Traversal vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy 6.1 through 6.9.6.0 could allow a remote attacker to traverse directories on the system. | 5.0 |
2018-08-17 | CVE-2018-15470 | XEN | Resource Exhaustion vulnerability in XEN An issue was discovered in Xen through 4.11.x. | 4.9 |
2018-08-17 | CVE-2018-15469 | XEN Debian | Resource Exhaustion vulnerability in multiple products An issue was discovered in Xen through 4.11.x. | 4.9 |
2018-08-17 | CVE-2018-15468 | XEN | Incorrect Authorization vulnerability in XEN An issue was discovered in Xen through 4.11.x. | 4.9 |
2018-08-15 | CVE-2018-8412 | Microsoft | Improper Input Validation vulnerability in Microsoft Office for mac 2016 An elevation of privilege vulnerability exists when the Microsoft AutoUpdate (MAU) application for Mac improperly validates updates before executing them, aka "Microsoft (MAU) Office Elevation of Privilege Vulnerability." This affects Microsoft Office. | 4.6 |
2018-08-15 | CVE-2018-8204 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | 4.6 |
2018-08-15 | CVE-2018-8200 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | 4.6 |
2018-08-14 | CVE-2018-12539 | Eclipse Oracle | Deserialization of Untrusted Data vulnerability in multiple products In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. | 4.6 |
2018-08-14 | CVE-2018-14424 | Gnome | Use After Free vulnerability in Gnome Display Manager The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or potential code execution. | 4.6 |
2018-08-17 | CVE-2018-15355 | Kraftway | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Kraftway 24F2Xg Router Firmware Usage of SSLv2 and SSLv3 leads to transmitted data decryption in Kraftway 24F2XG Router firmware 3.5.30.1118. | 4.3 |
2018-08-16 | CVE-2018-14567 | Xmlsoft Canonical Debian | Infinite Loop vulnerability in multiple products libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. | 4.3 |
2018-08-16 | CVE-2016-9598 | Redhat Xmlsoft | Out-of-bounds Read vulnerability in multiple products libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. | 4.3 |
2018-08-16 | CVE-2018-10139 | Paloaltonetworks | Cross-site Scripting vulnerability in Paloaltonetworks Pan-Os The PAN-OS response for GlobalProtect Gateway in Palo Alto Networks PAN-OS 6.1.21 and earlier, PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML. | 4.3 |
2018-08-15 | CVE-2017-13105 | Hisecuritylab | Improper Certificate Validation vulnerability in Hisecuritylab Virus Cleaner 3.7.1.1329 Hi Security Virus Cleaner - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android application accepts all SSL certificates during SSL communication. | 4.3 |
2018-08-15 | CVE-2018-0419 | Cisco | Improper Input Validation vulnerability in Cisco Email Security Appliance A vulnerability in certain attachment detection mechanisms of Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of an affected system. | 4.3 |
2018-08-15 | CVE-2018-0386 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in Cisco Unified Communications Domain Manager Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on an affected system. | 4.3 |
2018-08-15 | CVE-2018-8753 | Clavister | Unspecified vulnerability in Clavister COS Core The IKEv1 implementation in Clavister cOS Core before 11.00.11, 11.20.xx before 11.20.06, and 12.00.xx before 12.00.09 allows remote attackers to decrypt RSA-encrypted nonces by leveraging a Bleichenbacher attack. | 4.3 |
2018-08-15 | CVE-2018-8398 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 4.3 |
2018-08-15 | CVE-2018-8394 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 4.3 |
2018-08-15 | CVE-2018-8388 | Microsoft | Authentication Bypass by Spoofing vulnerability in Microsoft Edge A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. | 4.3 |
2018-08-15 | CVE-2018-8383 | Microsoft | Authentication Bypass by Spoofing vulnerability in Microsoft Edge A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. | 4.3 |
2018-08-15 | CVE-2018-8382 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka "Microsoft Excel Information Disclosure Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel. | 4.3 |
2018-08-15 | CVE-2018-8378 | Microsoft | Out-of-bounds Read vulnerability in Microsoft products An information disclosure vulnerability exists when Microsoft Office software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory, aka "Microsoft Office Information Disclosure Vulnerability." This affects Word, Microsoft SharePoint Server, Microsoft Office Word Viewer, Microsoft Excel Viewer, Microsoft SharePoint, Microsoft Office. | 4.3 |
2018-08-15 | CVE-2018-8370 | Microsoft | Information Exposure vulnerability in Microsoft Edge An information disclosure vulnerability exists when WebAudio Library improperly handles audio requests, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. | 4.3 |
2018-08-15 | CVE-2018-8358 | Microsoft | Unspecified vulnerability in Microsoft Edge A security feature bypass vulnerability exists when Microsoft Edge improperly handles redirect requests, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. | 4.3 |
2018-08-15 | CVE-2018-8351 | Microsoft | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Microsoft Edge and Internet Explorer An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction, aka "Microsoft Browser Information Disclosure Vulnerability." This affects Internet Explorer 11, Microsoft Edge, Internet Explorer 10. | 4.3 |
2018-08-15 | CVE-2018-13394 | Atlassian | Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Questions FOR Confluence The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability. | 4.3 |
2018-08-15 | CVE-2018-13393 | Atlassian | Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Questions FOR Confluence The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability. | 4.3 |
2018-08-14 | CVE-2018-14922 | Monstra | Cross-site Scripting vulnerability in Monstra 3.0.4 Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page. | 4.3 |
2018-08-14 | CVE-2018-14888 | Thank You Like Project | Cross-site Scripting vulnerability in Thank You/Like Project Thank You/Like inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject. | 4.3 |
2018-08-14 | CVE-2018-2444 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects Financial Consolidation 10.0/10.1 SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2018-08-14 | CVE-2018-0131 | Cisco | Inadequate Encryption Strength vulnerability in Cisco IOS and IOS XE A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session. | 4.3 |
2018-08-13 | CVE-2018-12587 | German Spelling Dictionary Project | Cross-site Scripting vulnerability in German Spelling Dictionary Project German Spelling Dictionary 1.3 A cross-site scripting (XSS) vulnerability was found in valeuraddons German Spelling Dictionary v1.3 (an Opera Browser add-on). | 4.3 |
2018-08-13 | CVE-2018-10569 | Edimax | Cross-site Scripting vulnerability in Edimax Ew-7438Rpn V2 Firmware An issue was discovered in Edimax EW-7438RPn Mini v2 before version 1.26. | 4.3 |
2018-08-13 | CVE-2016-2922 | IBM | Improper Certificate Validation vulnerability in IBM Rational Clearquest IBM Rational ClearQuest 8.0 through 8.0.1.9 and 9.0 through 9.0.1.3 (CQ OSLC linkages, EmailRelay) fails to check the SSL certificate against the requested hostname. | 4.3 |
2018-08-13 | CVE-2018-13392 | Atlassian | Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys. | 4.3 |
2018-08-13 | CVE-2018-11770 | Apache | Improper Authentication vulnerability in Apache Spark From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. | 4.2 |
2018-08-17 | CVE-2018-14058 | Pimcore | SQL Injection vulnerability in Pimcore Pimcore before 5.3.0 allows SQL Injection via the REST web service API. | 4.0 |
2018-08-17 | CVE-2018-15357 | Eltex | Information Exposure vulnerability in Eltex Esp-200 Firmware 1.2.0 An authenticated attacker with low privileges can extract password hash information for all users in Eltex ESP-200 firmware version 1.2.0. | 4.0 |
2018-08-17 | CVE-2018-15352 | Kraftway | Unspecified vulnerability in Kraftway 24F2Xg Router Firmware 3.5.30.1118 An attacker with low privileges can cause denial of service in Kraftway 24F2XG Router firmware version 3.5.30.1118. | 4.0 |
2018-08-16 | CVE-2018-10140 | Paloaltonetworks | Improper Input Validation vulnerability in Paloaltonetworks Pan-Os 8.1.0/8.1.1/8.1.2 The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 and earlier may allow an authenticated user to shut down all management sessions, resulting in all logged-in users being redirected to the login page. | 4.0 |
2018-08-15 | CVE-2018-8374 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2016 A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data, aka "Microsoft Exchange Server Tampering Vulnerability." This affects Microsoft Exchange Server. | 4.0 |
2018-08-15 | CVE-2018-8340 | Microsoft | Unspecified vulnerability in Microsoft Windows Server 2012 and Windows Server 2016 A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests, aka "AD FS Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows Server 2012 R2, Windows 10 Servers. | 4.0 |
2018-08-14 | CVE-2018-2447 | SAP | SQL Injection vulnerability in SAP Businessobjects Business Intelligence 4.2 SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database. | 4.0 |
2018-08-13 | CVE-2018-6970 | Vmware | Out-of-bounds Read vulnerability in VMWare Horizon Client and Horizon View VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. | 4.0 |
2018-08-13 | CVE-2018-15140 | Open EMR | Path Traversal vulnerability in Open-Emr Openemr Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter when the mode is set to get. | 4.0 |
2018-08-13 | CVE-2017-15138 | Redhat | Information Exposure vulnerability in Redhat Openshift Container Platform 3.9 The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens. | 4.0 |
2018-08-13 | CVE-2017-1286 | IBM | Information Exposure vulnerability in IBM Urbancode Deploy Sensitive information about the configuration of the IBM UrbanCode Deploy 6.1 through 6.9.6.0 server and database can be obtained by a user who has been given elevated permissions in the UI, even after those elevated permissions have been revoked. | 4.0 |
19 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-08-17 | CVE-2018-6622 | Trustedcomputinggroup | Unspecified vulnerability in Trustedcomputinggroup Trusted Platform Module 2.0 An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. | 3.6 |
2018-08-14 | CVE-2018-7098 | HP | Path Traversal vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0 A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). | 3.6 |
2018-08-16 | CVE-2018-1715 | IBM | Cross-site Scripting vulnerability in IBM Maximo Asset Management IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-site scripting. | 3.5 |
2018-08-15 | CVE-2018-0367 | Cisco | Cross-site Scripting vulnerability in Cisco Registered Envelope Service A vulnerability in the web-based management interface of the Cisco Registered Envelope Service could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. | 3.5 |
2018-08-13 | CVE-2018-3781 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Talk A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction. | 3.5 |
2018-08-13 | CVE-2018-3780 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Server A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. | 3.5 |
2018-08-13 | CVE-2018-14850 | Tiki | Cross-site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image. | 3.5 |
2018-08-13 | CVE-2018-14849 | Tiki | Cross-site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php. | 3.5 |
2018-08-15 | CVE-2018-0412 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the implementation of Extensible Authentication Protocol over LAN (EAPOL) functionality in Cisco Small Business 100 Series Wireless Access Points and Cisco Small Business 300 Series Wireless Access Points could allow an unauthenticated, adjacent attacker to force the downgrade of the encryption algorithm that is used between an authenticator (access point) and a supplicant (Wi-Fi client). | 2.9 |
2018-08-13 | CVE-2018-14781 | Medtronicdiabetes | Improper Authentication vulnerability in Medtronicdiabetes products Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G. The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolus" options enabled (non-default), are vulnerable to a capture-replay attack. | 2.9 |
2018-08-13 | CVE-2018-10634 | Medtronic | Cleartext Transmission of Sensitive Information vulnerability in Medtronic products Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G communications between the pump and wireless accessories are transmitted in cleartext. | 2.9 |
2018-08-15 | CVE-2018-14780 | Yubico | Out-of-bounds Read vulnerability in Yubico PIV Manager, PIV Tool and Smart Card Minidriver An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. | 2.1 |
2018-08-15 | CVE-2018-8253 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 An elevation of privilege vulnerability exists when Microsoft Cortana allows arbitrary website browsing on the lockscreen, aka "Microsoft Cortana Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10. | 2.1 |
2018-08-14 | CVE-2018-7100 | HP | Unspecified vulnerability in HP products A potential security vulnerability has been identified in HPE OfficeConnect 1810 Switch Series (HP 1810-24G - P.2.22 and previous versions, HP 1810-48G PK.1.34 and previous versions, HP 1810-8 v2 P.2.22 and previous versions). | 2.1 |
2018-08-14 | CVE-2018-7099 | HP | Unspecified vulnerability in HP 3Par Service Provider Sp4.2.0/Sp4.3.0/Sp4.4.0 A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). | 2.1 |
2018-08-14 | CVE-2018-7094 | HPE | Unspecified vulnerability in HPE 3Par Service Provider A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-5.0.0.0-22913(GA). | 2.1 |
2018-08-15 | CVE-2018-8396 | Microsoft | Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008 An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. | 1.9 |
2018-08-15 | CVE-2018-8348 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 1.9 |
2018-08-15 | CVE-2018-8341 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 1.9 |