Weekly Vulnerabilities Reports > August 27 to September 2, 2018
Overview
243 new vulnerabilities were reported during this period, including 12 critical vulnerabilities and 73 high severity vulnerabilities. This weekly summary reports vulnerabilities in 220 products from 123 vendors including Debian, Redhat, Google, Adobe, and Microsoft. Notable vulnerability categories include "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-Site Request Forgery (CSRF)", "Information Exposure", and "Path Traversal".
- 216 reported vulnerabilities are remotely exploitable.
- 18 reported vulnerabilities have a public exploit available.
- 89 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 200 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 40 reported vulnerabilities.
- Microfocus has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
12 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-08-30 | CVE-2018-15477 | Mystrom | OS Command Injection vulnerability in Mystrom Wifi Switch Firmware 2.31 myStrom WiFi Switch V1 devices before 2.66 did not sanitize a parameter received from the cloud that was used in an OS command. | 10.0 |
2018-08-30 | CVE-2018-16158 | Eaton | Use of Hard-coded Credentials vulnerability in Eaton products Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the PubkeyAuthentication option. | 10.0 |
2018-08-27 | CVE-2018-3904 | Samsung | Out-of-bounds Write vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable buffer overflow vulnerability exists in the camera 'update' feature of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. | 9.9 |
2018-08-30 | CVE-2018-6499 | Microfocus | Code Injection vulnerability in Microfocus products Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05, Service Virtualization (SV) with floating licenses using Any version using APLS older than 10.7, Unified Functional Testing (UFT) with floating licenses using Any version using APLS older than 10.7, Network Virtualization (NV) with floating licenses using Any version using APLS older than 10.7 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution. | 9.8 |
2018-08-30 | CVE-2018-6498 | Microfocus | Code Injection vulnerability in Microfocus products Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution. | 9.8 |
2018-08-29 | CVE-2018-14805 | Hitachienergy | Improper Authentication vulnerability in Hitachienergy Esoms 6.0.2 ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. | 9.8 |
2018-08-28 | CVE-2017-15398 | Google Redhat Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A stack buffer overflow in the QUIC networking stack in Google Chrome prior to 62.0.3202.89 allowed a remote attacker to gain code execution via a malicious server. | 9.8 |
2018-09-01 | CVE-2018-16302 | Mc1Soft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mc1Soft Zip-N-Go MediaComm Zip-n-Go before 4.95 has a Buffer Overflow via a crafted file. | 9.3 |
2018-08-30 | CVE-2018-15476 | Mystrom | Improper Certificate Validation vulnerability in Mystrom products An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. | 9.3 |
2018-09-02 | CVE-2018-16367 | Qduoj | Path Traversal vulnerability in Qduoj Onlinejudge 2.0 In OnlineJudge 2.0, the sandbox has an incorrect access control vulnerability that can write a file anywhere. | 9.0 |
2018-09-02 | CVE-2018-16334 | Tendacn | OS Command Injection vulnerability in Tendacn Ac10 Firmware and AC9 Firmware An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN and AC10 V15.03.06.23_CN devices. | 9.0 |
2018-08-29 | CVE-2018-14768 | Vivotek | Unspecified vulnerability in Vivotek Camera Various VIVOTEK FD8*, FD9*, FE9*, IB8*, IB9*, IP9*, IZ9*, MS9*, SD9*, and other devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code. | 9.0 |
73 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-08-28 | CVE-2017-15406 | | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Chrome A stack buffer overflow in V8 in Google Chrome prior to 62.0.3202.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | 8.8 |
2018-08-28 | CVE-2017-15399 | Google Debian Redhat | Use After Free vulnerability in multiple products A use after free in V8 in Google Chrome prior to 62.0.3202.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2018-08-28 | CVE-2018-3895 | Samsung | Classic Buffer Overflow vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 Firmware version 0.20.17. | 8.8 |
2018-08-28 | CVE-2017-15413 | Redhat Debian | Incorrect Type Conversion or Cast vulnerability in multiple products Type confusion in WebAssembly in V8 in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2018-08-28 | CVE-2017-15412 | Redhat Debian Xmlsoft | Use After Free vulnerability in multiple products Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2018-08-28 | CVE-2017-15411 | Google Debian Redhat | Use After Free vulnerability in multiple products Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 8.8 |
2018-08-28 | CVE-2017-15410 | Google Debian Redhat | Use After Free vulnerability in multiple products Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | 8.8 |
2018-08-28 | CVE-2017-15409 | Google Debian Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Heap buffer overflow in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2018-08-28 | CVE-2017-15408 | Google Debian Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Heap buffer overflow in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file that is mishandled by PDFium. | 8.8 |
2018-08-28 | CVE-2017-15407 | Google Debian Redhat | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write in the QUIC networking stack in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to gain code execution via a malicious server. | 8.8 |
2018-08-27 | CVE-2018-3893 | Samsung | Out-of-bounds Write vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. | 8.8 |
2018-08-27 | CVE-2018-15695 | Asustor | Path Traversal vulnerability in Asustor Data Master ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi. | 8.5 |
2018-08-30 | CVE-2018-10936 | Postgresql Redhat | Improper Validation of Certificate with Host Mismatch vulnerability in multiple products A weakness was found in postgresql-jdbc before version 42.2.5. | 8.1 |
2018-08-29 | CVE-2018-12710 | Dlink | Cleartext Transmission of Sensitive Information vulnerability in Dlink Dir-601 Firmware 2.02Na An issue was discovered on D-Link DIR-601 2.02NA devices. | 8.0 |
2018-09-02 | CVE-2018-16333 | Tendacn | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tendacn products An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19(6318)_CN, AC10 V15.03.06.23_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. | 7.8 |
2018-08-31 | CVE-2018-16276 | Linux Debian Canonical | Out-of-bounds Write vulnerability in multiple products An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. | 7.8 |
2018-08-31 | CVE-2018-7685 | Opensuse | Improper Verification of Cryptographic Signature vulnerability in Opensuse Libzypp The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download. | 7.8 |
2018-08-30 | CVE-2018-14619 | Linux | Improper Input Validation vulnerability in Linux Kernel A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. | 7.8 |
2018-08-30 | CVE-2018-11615 | Mosca Project | Incorrect Regular Expression vulnerability in Mosca Project Mosca 2.8.1 This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. | 7.8 |
2018-08-29 | CVE-2018-16132 | Signal | Resource Exhaustion vulnerability in Signal The image rendering component (createGenericPreview) of the Open Whisper Signal app through 2.29.0 for iOS fails to check for unreasonably large images before manipulating received images. | 7.8 |
2018-08-29 | CVE-2018-7789 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric Modicon M221 Firmware 1.1.1.5 An Improper Check for Unusual or Exceptional Conditions vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). | 7.8 |
2018-08-28 | CVE-2018-3916 | Samsung | Out-of-bounds Write vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. | 7.8 |
2018-08-28 | CVE-2018-15911 | Debian Canonical Artifex Redhat Pulsesecure | Use of Uninitialized Resource vulnerability in multiple products In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code. | 7.8 |
2018-08-27 | CVE-2018-15910 | Debian Canonical Artifex Redhat Pulsesecure | Incorrect Type Conversion or Cast vulnerability in multiple products In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. | 7.8 |
2018-08-27 | CVE-2018-15909 | Debian Canonical Artifex Redhat Pulsesecure | Incorrect Type Conversion or Cast vulnerability in multiple products In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. | 7.8 |
2018-08-27 | CVE-2018-15908 | Artifex Debian Canonical Redhat | In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. | 7.8 |
2018-09-02 | CVE-2018-16354 | Fhcrm Project | SQL Injection vulnerability in Fhcrm Project Fhcrm 20180211 An issue was discovered in FHCRM through 2018-02-11. | 7.5 |
2018-09-02 | CVE-2018-16353 | Fhcrm Project | SQL Injection vulnerability in Fhcrm Project Fhcrm 20180211 An issue was discovered in FHCRM through 2018-02-11. | 7.5 |
2018-09-02 | CVE-2018-16352 | Weaselcms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Weaselcms Project Weaselcms 0.3.6 There is a PHP code upload vulnerability in WeaselCMS 0.3.6 via index.php because code can be embedded at the end of a .png file when the image/png content type is used. | 7.5 |
2018-09-01 | CVE-2018-16329 | Imagemagick | NULL Pointer Dereference vulnerability in Imagemagick In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the GetMagickProperty function in MagickCore/property.c. | 7.5 |
2018-09-01 | CVE-2018-16328 | Imagemagick | NULL Pointer Dereference vulnerability in Imagemagick In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c. | 7.5 |
2018-08-31 | CVE-2018-3787 | Simplehttpserver Project | Path Traversal vulnerability in Simplehttpserver Project Simplehttpserver Path traversal in simplehttpserver <v0.2.1 allows listing any file on the server. | 7.5 |
2018-08-31 | CVE-2018-16278 | Phpkaiyuancms | SQL Injection vulnerability in PHPkaiyuancms PHPopensourcecms 3.2.0 phpkaiyuancms PhpOpenSourceCMS (POSCMS) V3.2.0 allows an unauthenticated user to execute arbitrary SQL commands via the diy/module/member/controllers/Api.php ajax_save_draft function with the dir parameter. | 7.5 |
2018-08-30 | CVE-2018-16159 | Codemenschen | SQL Injection vulnerability in Codemenschen Gift Vouchers The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. | 7.5 |
2018-08-30 | CVE-2018-15691 | Broadcom | Deserialization of Untrusted Data vulnerability in Broadcom Release Automation 6.3/6.4/6.5 Insecure deserialization of a specially crafted serialized object, in CA Release Automation 6.5 and earlier, allows attackers to potentially execute arbitrary code. | 7.5 |
2018-08-30 | CVE-2018-13824 | Broadcom CA | SQL Injection vulnerability in multiple products Insufficient input sanitization of two parameters in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute SQL injection attacks. | 7.5 |
2018-08-30 | CVE-2018-13821 | CA | Improper Authentication vulnerability in CA Unified Infrastructure Management 8.4.7/8.5/8.5.1 A lack of authentication, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows remote attackers to conduct a variety of attacks, including file reading/writing. | 7.5 |
2018-08-30 | CVE-2018-16131 | Lightbend | Resource Exhaustion vulnerability in Lightbend Akka Http The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. | 7.5 |
2018-08-30 | CVE-2018-14622 | Redhat Debian Canonical Libtirpc Project | Unchecked Return Value vulnerability in multiple products A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. | 7.5 |
2018-08-30 | CVE-2018-14621 | Libtirpc Project | Infinite Loop vulnerability in Libtirpc Project Libtirpc An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. | 7.5 |
2018-08-30 | CVE-2018-16058 | Wireshark Debian | Improper Initialization vulnerability in multiple products In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth AVDTP dissector could crash. | 7.5 |
2018-08-30 | CVE-2018-16057 | Wireshark Debian | In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Radiotap dissector could crash. | 7.5 |
2018-08-30 | CVE-2018-16056 | Wireshark Debian | In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth Attribute Protocol dissector could crash. | 7.5 |
2018-08-29 | CVE-2018-7791 | Schneider Electric | Improper Authentication vulnerability in Schneider-Electric Modicon M221 Firmware 1.1.1.5 A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). | 7.5 |
2018-08-29 | CVE-2018-7790 | Schneider Electric | Authentication Bypass by Capture-replay vulnerability in Schneider-Electric Modicon M221 Firmware 1.1.1.5 An Information Management Error vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). | 7.5 |
2018-08-29 | CVE-2018-15727 | Grafana Redhat | Improper Authentication vulnerability in multiple products Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. | 7.5 |
2018-08-29 | CVE-2018-8022 | Apache | Improper Input Validation vulnerability in Apache Traffic Server A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. | 7.5 |
2018-08-29 | CVE-2018-1318 | Apache Debian | Improper Input Validation vulnerability in multiple products Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. | 7.5 |
2018-08-29 | CVE-2018-12829 | Adobe | Improper Certificate Validation vulnerability in Adobe Creative Cloud Adobe Creative Cloud Desktop Application before 4.6.1 has an improper certificate validation vulnerability. | 7.5 |
2018-08-29 | CVE-2018-12828 | Adobe Apple Linux Microsoft Redhat | Unspecified vulnerability in Adobe Flash Player Adobe Flash Player 30.0.0.134 and earlier have a "use of a component with a known vulnerability" vulnerability. | 7.5 |
2018-08-29 | CVE-2018-12825 | Adobe Apple Linux Microsoft Redhat | Unspecified vulnerability in Adobe Flash Player Adobe Flash Player 30.0.0.134 and earlier have a security bypass vulnerability. | 7.5 |
2018-08-29 | CVE-2018-12811 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop CC Adobe Photoshop CC 2018 before 19.1.6 and Photoshop CC 2017 before 18.1.6 have a memory corruption vulnerability. | 7.5 |
2018-08-29 | CVE-2018-12810 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop CC Adobe Photoshop CC 2018 before 19.1.6 and Photoshop CC 2017 before 18.1.6 have a memory corruption vulnerability. | 7.5 |
2018-08-29 | CVE-2018-12808 | Adobe Apple Microsoft | Out-of-bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC Adobe Acrobat and Reader versions 2018.011.20055 and earlier, 2017.011.30096 and earlier, and 2015.006.30434 and earlier have an out-of-bounds write vulnerability. | 7.5 |
2018-08-29 | CVE-2018-15882 | Joomla | Unrestricted Upload of File with Dangerous Type vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.8.12. | 7.5 |
2018-08-28 | CVE-2018-3908 | Samsung | HTTP Request Smuggling vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. | 7.5 |
2018-08-28 | CVE-2018-15873 | Sapplica | SQL Injection vulnerability in Sapplica Sentrifugo 3.2 A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter. | 7.5 |
2018-08-28 | CVE-2018-15839 | Dlink | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dlink Dir-615 Firmware D-Link DIR-615 devices have a buffer overflow via a long Authorization HTTP header. | 7.5 |
2018-08-27 | CVE-2017-15139 | Openstack Redhat | Information Exposure vulnerability in multiple products A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. | 7.5 |
2018-08-27 | CVE-2018-3918 | Samsung | Improper Enforcement of Message or Data Structure vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. | 7.5 |
2018-08-27 | CVE-2018-15904 | A10Networks | SQL Injection vulnerability in A10Networks Acos web Application Firewall A10 ACOS Web Application Firewall (WAF) 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4 mishandles the configured rules for blocking SQL injection attacks, aka A10-2017-0008. | 7.5 |
2018-08-27 | CVE-2018-15894 | Wuzhi CMS Project | SQL Injection vulnerability in Wuzhi CMS Project Wuzhi CMS 4.1.0 A SQL injection was discovered in /coreframe/app/admin/pay/admin/index.php in WUZHI CMS 4.1.0 via the index.php?m=pay&f=index&v=listing keyValue parameter. | 7.5 |
2018-08-27 | CVE-2018-15893 | Wuzhi CMS Project | SQL Injection vulnerability in Wuzhi CMS Project Wuzhi CMS 4.1.0 A SQL injection was discovered in /coreframe/app/admin/copyfrom.php in WUZHI CMS 4.1.0 via the index.php?m=core&f=copyfrom&v=listing keywords parameter. | 7.5 |
2018-08-27 | CVE-2015-9264 | Lansweeper | Improper Input Validation vulnerability in Lansweeper Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute arbitrary code on the administrator's workstation via a crafted Windows service. | 7.5 |
2018-08-27 | CVE-2015-9263 | Idera | Unrestricted Upload of File with Dangerous Type vulnerability in Idera Uptime Infrastructure Monitor 7.4.0/7.5.0 An issue was discovered in post2file.php in Up.Time Monitoring Station 7.5.0 (build 16) and 7.4.0 (build 13). | 7.5 |
2018-08-27 | CVE-2014-10074 | Umbraco | Unrestricted Upload of File with Dangerous Type vulnerability in Umbraco CMS Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files. | 7.5 |
2018-08-30 | CVE-2018-15363 | Trendmicro Microsoft | Out-of-bounds Read vulnerability in Trendmicro products An Out-of-Bounds Read Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. | 7.2 |
2018-08-30 | CVE-2018-10514 | Trendmicro Microsoft | Improper Privilege Management vulnerability in Trendmicro products A Missing Impersonation Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. | 7.2 |
2018-08-30 | CVE-2018-10513 | Trendmicro Microsoft | Deserialization of Untrusted Data vulnerability in Trendmicro products A Deserialization of Untrusted Data Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. | 7.2 |
2018-08-29 | CVE-2018-6597 | Alcatel | Unspecified vulnerability in Alcatel A30 Firmware 7.0 The Alcatel A30 device with a build fingerprint of TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys contains a hidden privilege escalation capability to achieve command execution as the root user. | 7.2 |
2018-08-29 | CVE-2018-15912 | Manjaro | Improper Privilege Management vulnerability in Manjaro Linux An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. | 7.2 |
2018-09-02 | CVE-2018-16359 | | Unspecified vulnerability in Google Gvisor Google gVisor before 2018-08-23, within the seccomp sandbox, permits access to the renameat system call, which allows attackers to rename files on the host OS. | 7.1 |
2018-08-27 | CVE-2018-10938 | Linux Canonical Debian | Infinite Loop vulnerability in multiple products A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. | 7.1 |
142 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-09-02 | CVE-2018-16366 | Idreamsoft | Cross-Site Request Forgery (CSRF) vulnerability in Idreamsoft Icms 7.0.10 An issue was discovered in idreamsoft iCMS V7.0.10. | 6.8 |
2018-09-02 | CVE-2018-16365 | Idreamsoft | Cross-Site Request Forgery (CSRF) vulnerability in Idreamsoft Icms 7.0.10 An issue was discovered in idreamsoft iCMS V7.0.10. | 6.8 |
2018-09-02 | CVE-2018-16345 | Easycms | Cross-Site Request Forgery (CSRF) vulnerability in Easycms 1.5 An issue was discovered in EasyCMS 1.5. | 6.8 |
2018-09-02 | CVE-2018-16339 | Phome | Cross-Site Request Forgery (CSRF) vulnerability in Phome Empirecms 7.0 An issue was discovered in EmpireCMS 7.0. | 6.8 |
2018-09-02 | CVE-2018-16338 | Auracms | Cross-Site Request Forgery (CSRF) vulnerability in Auracms 2.3 An issue was discovered in AuraCMS 2.3. | 6.8 |
2018-09-02 | CVE-2018-16335 | Libtiff Debian | Out-of-bounds Write vulnerability in multiple products newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. | 6.8 |
2018-09-02 | CVE-2018-16332 | Idreamsoft | Cross-Site Request Forgery (CSRF) vulnerability in Idreamsoft Icms 7.0.9 An issue was discovered in iCMS 7.0.9. | 6.8 |
2018-09-02 | CVE-2018-16331 | Damicms | Cross-Site Request Forgery (CSRF) vulnerability in Damicms 6.0.0 admin.php?s=/Admin/doedit in DamiCMS v6.0.0 allows CSRF to change the administrator account's password. | 6.8 |
2018-09-01 | CVE-2018-16314 | Icmsdev | Cross-Site Request Forgery (CSRF) vulnerability in Icmsdev Icms 7.0.11 An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. | 6.8 |
2018-09-01 | CVE-2018-16308 | Ninjaforms | Improper Neutralization of Formula Elements in a CSV File vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection. | 6.8 |
2018-08-31 | CVE-2018-16275 | Opswat | Improper Neutralization of Formula Elements in a CSV File vulnerability in Opswat Metadefender OPSWAT MetaDefender before v4.11.2 allows CSV injection. | 6.8 |
2018-08-30 | CVE-2018-15478 | Mystrom | Improper Authentication vulnerability in Mystrom products An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. | 6.8 |
2018-08-30 | CVE-2018-11718 | Xovis | Cross-Site Request Forgery (CSRF) vulnerability in Xovis PC2 Firmware, Pc2R Firmware and PC3 Firmware Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF. | 6.8 |
2018-08-30 | CVE-2018-14317 | Foxitsoftware Microsoft | Incorrect Type Conversion or Cast vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096. | 6.8 |
2018-08-30 | CVE-2018-11616 | Tencent | OS Command Injection vulnerability in Tencent Foxmail 7.2.9.115 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Tencent Foxmail 7.2.9.115. | 6.8 |
2018-08-30 | CVE-2018-16140 | Canonical Fig2Dev Project | Out-of-bounds Write vulnerability in multiple products A buffer underwrite vulnerability in get_line() (read.c) in fig2dev 3.2.7a allows an attacker to write prior to the beginning of the buffer via a crafted .fig file. | 6.8 |
2018-08-29 | CVE-2018-5003 | Adobe Microsoft | Untrusted Search Path vulnerability in Adobe Creative Cloud Adobe Creative Cloud Desktop Application before 4.5.5.342 (installer) has an insecure library loading (dll hijacking) vulnerability. | 6.8 |
2018-08-29 | CVE-2018-12799 | Adobe Apple Microsoft | NULL Pointer Dereference vulnerability in Adobe Acrobat DC and Acrobat Reader DC Adobe Acrobat and Reader versions 2018.011.20055 and earlier, 2017.011.30096 and earlier, and 2015.006.30434 and earlier have an untrusted pointer dereference vulnerability. | 6.8 |
2018-08-29 | CVE-2018-15121 | Auth0 | Cross-Site Request Forgery (CSRF) vulnerability in Auth0 Aspnet and Aspnet-Owin An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. | 6.8 |
2018-08-28 | CVE-2018-15901 | E107 | Cross-Site Request Forgery (CSRF) vulnerability in E107 2.1.8 e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators. | 6.8 |
2018-08-28 | CVE-2018-15884 | Ricoh | Cross-Site Request Forgery (CSRF) vulnerability in Ricoh MP C4504Ex Firmware RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. | 6.8 |
2018-08-28 | CVE-2018-14572 | Pyconuk | Deserialization of Untrusted Data vulnerability in Pyconuk Conference-Scheduler-Cli In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. | 6.8 |
2018-08-28 | CVE-2018-15571 | Export Users TO CSV Project | Improper Neutralization of Formula Elements in a CSV File vulnerability in Export Users TO CSV Project Export Users TO CSV The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection. | 6.8 |
2018-08-28 | CVE-2014-6046 | Phpmyfaq | Cross-Site Request Forgery (CSRF) vulnerability in PHPmyfaq Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4) publish FAQs, (5) add or delete Glossary, (6) add or delete FAQ news, or (7) add or delete comments or add votes by leveraging lack of a CSRF token. | 6.8 |
2018-08-27 | CVE-2018-15698 | Asustor | Information Exposure vulnerability in Asustor Data Master ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi. | 6.8 |
2018-09-02 | CVE-2018-16343 | Seacms | Code Injection vulnerability in Seacms 6.61 SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. | 6.5 |
2018-09-01 | CVE-2018-16320 | Idreamsoft | Path Traversal vulnerability in Idreamsoft Icms 7.0.11 idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Traversal, resulting in execution of arbitrary PHP code from a ZIP file. | 6.5 |
2018-09-01 | CVE-2018-15161 | Libesedb Project | Out-of-bounds Read vulnerability in Libesedb Project Libesedb 20180401 The libesedb_key_append_data function in libesedb_key.c in libesedb through 2018-04-01 allows remote attackers to cause a heap-based buffer over-read via a crafted esedb file. | 6.5 |
2018-09-01 | CVE-2018-15160 | Libesedb Project | Out-of-bounds Read vulnerability in Libesedb Project Libesedb 20180401 The libesedb_catalog_definition_read function in libesedb_catalog_definition.c in libesedb through 2018-04-01 allows remote attackers to cause a heap-based buffer over-read via a crafted esedb file. | 6.5 |
2018-09-01 | CVE-2018-15159 | Libesedb Project | Out-of-bounds Read vulnerability in Libesedb Project Libesedb 20180401 The libesedb_page_read_tags function in libesedb_page.c in libesedb through 2018-04-01 allows remote attackers to cause a heap-based buffer over-read via a crafted esedb file. | 6.5 |
2018-09-01 | CVE-2018-15158 | Libesedb Project | Out-of-bounds Read vulnerability in Libesedb Project Libesedb 20180401 The libesedb_page_read_values function in libesedb_page.c in libesedb through 2018-04-01 allows remote attackers to cause a heap-based buffer over-read via a crafted esedb file. | 6.5 |
2018-09-01 | CVE-2018-15157 | Libfsclfs Project | Out-of-bounds Read vulnerability in Libfsclfs Project Libfsclfs 20170206 The libfsclfs_block_read function in libfsclfs_block.c in libfsclfs before 2018-07-25 allows remote attackers to cause a heap-based buffer over-read via a crafted clfs file. | 6.5 |
2018-09-01 | CVE-2018-15514 | Docker | Deserialization of Untrusted Data vulnerability in Docker HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. | 6.5 |
2018-08-30 | CVE-2018-16238 | Damicms | Improper Input Validation vulnerability in Damicms 6.0.1 An issue was discovered in damiCMS V6.0.1. | 6.5 |
2018-08-30 | CVE-2018-15480 | Mystrom | Unspecified vulnerability in Mystrom products An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. | 6.5 |
2018-08-29 | CVE-2018-15907 | Technicolor | Resource Exhaustion vulnerability in Technicolor Tc8305C Firmware Technicolor (formerly RCA) TC8305C devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. | 6.5 |
2018-08-29 | CVE-2018-8004 | Apache Debian | HTTP Request Smuggling vulnerability in multiple products There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). | 6.5 |
2018-08-28 | CVE-2017-15396 | Google Redhat Debian ICU Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2018-08-28 | CVE-2017-15426 | Google Debian Redhat | Improper Input Validation vulnerability in multiple products Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. | 6.5 |
2018-08-28 | CVE-2017-15425 | Google Redhat Debian | Improper Input Validation vulnerability in multiple products Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. | 6.5 |
2018-08-28 | CVE-2017-15424 | Google Redhat Debian | Improper Input Validation vulnerability in multiple products Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. | 6.5 |
2018-08-28 | CVE-2017-15422 | Google ICU Project Debian Canonical Redhat | Integer Overflow or Wraparound vulnerability in multiple products Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | 6.5 |
2018-08-28 | CVE-2017-15420 | Google Redhat Debian | Improper Input Validation vulnerability in multiple products Incorrect handling of back navigations in error pages in Navigation in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2018-08-28 | CVE-2017-15419 | Redhat Debian | Open Redirect vulnerability in multiple products Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. | 6.5 |
2018-08-28 | CVE-2017-15416 | Redhat Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Heap buffer overflow in Blob API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka a Blink out-of-bounds read. | 6.5 |
2018-08-28 | CVE-2017-15415 | Debian Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Incorrect serialization in IPC in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the value of a pointer via a crafted HTML page. | 6.5 |
2018-08-28 | CVE-2018-15529 | Mutiny | OS Command Injection vulnerability in Mutiny 5.01.00/5.01.10/5.01.11 A command injection vulnerability in maintenance.cgi in Mutiny "Monitoring Appliance" before 6.1.0-5263 allows authenticated users, with access to the admin interface, to inject arbitrary commands within the filename of a system upgrade upload. | 6.5 |
2018-08-28 | CVE-2014-6045 | Phpmyfaq | SQL Injection vulnerability in PHPmyfaq SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function. | 6.5 |
2018-08-27 | CVE-2018-15887 | Asus | OS Command Injection vulnerability in Asus Dsl-N12E C1 Firmware 1.1.2.3345 Main_Analysis_Content.asp in ASUS DSL-N12E_C1 1.1.2.3_345 is prone to Authenticated Remote Command Execution, which allows a remote attacker to execute arbitrary OS commands via service parameters, such as shell metacharacters in the destIP parameter of a cmdMethod=ping request. | 6.5 |
2018-09-02 | CVE-2018-16344 | Zzcms | Path Traversal vulnerability in Zzcms 8.3 An issue was discovered in zzcms 8.3. | 6.4 |
2018-08-30 | CVE-2018-15479 | Mystrom | Improper Authentication vulnerability in Mystrom products An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. | 6.4 |
2018-08-30 | CVE-2018-13826 | Broadcom CA | XXE vulnerability in multiple products An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks. | 6.4 |
2018-08-29 | CVE-2018-16115 | Lightbend | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Lightbend Akka Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. | 6.4 |
2018-08-28 | CVE-2017-15429 | Google Debian Redhat | Cross-site Scripting vulnerability in multiple products Inappropriate implementation in V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | 6.1 |
2018-08-28 | CVE-2017-15427 | Google Redhat Debian | Cross-site Scripting vulnerability in multiple products Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. | 6.1 |
2018-08-27 | CVE-2018-15694 | Asustor | Path Traversal vulnerability in Asustor Data Master ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. | 6.0 |
2018-08-29 | CVE-2018-6598 | Orbic | Unspecified vulnerability in Orbic Wonder Rc555L Firmware 7.1.2 An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices. | 5.6 |
2018-08-30 | CVE-2018-16141 | Thinkcmf | Path Traversal vulnerability in Thinkcmf Thinkcmfx X2.2.3 ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in \application\User\Controller\ProfileController.class.php via an imgurl parameter with a ..\ sequence. | 5.5 |
2018-08-29 | CVE-2018-16062 | Elfutils Project Debian Opensuse Canonical Redhat | Out-of-bounds Read vulnerability in multiple products dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. | 5.5 |
2018-08-28 | CVE-2018-3926 | Samsung | Integer Underflow (Wrap or Wraparound) vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable integer underflow vulnerability exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. | 5.5 |
2018-08-28 | CVE-2014-6049 | Phpmyfaq | Improper Authorization vulnerability in PHPmyfaq phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter. | 5.5 |
2018-08-29 | CVE-2018-8040 | Apache Debian | Exposure of Resource to Wrong Sphere vulnerability in multiple products Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. | 5.3 |
2018-08-29 | CVE-2018-8005 | Apache Debian | Resource Exhaustion vulnerability in multiple products When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. | 5.3 |
2018-08-28 | CVE-2017-15423 | Google Redhat Debian | Cryptographic Issues vulnerability in multiple products Inappropriate implementation in BoringSSL SPAKE2 in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the low-order bits of SHA512(password) by inspecting protocol traffic. | 5.3 |
2018-08-28 | CVE-2017-15417 | Google Redhat Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Inappropriate implementation in Skia canvas composite operations in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 5.3 |
2018-09-01 | CVE-2018-16303 | Tracker Software | XXE vulnerability in Tracker-Software Pdf-Xchange Editor PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564. | 5.0 |
2018-08-31 | CVE-2018-11054 | Dell Oracle | Integer Overflow or Wraparound vulnerability in multiple products RSA BSAFE Micro Edition Suite, version 4.1.6, contains an integer overflow vulnerability. | 5.0 |
2018-08-30 | CVE-2018-16239 | Damicms | Use of Insufficiently Random Values vulnerability in Damicms 6.0.1 An issue was discovered in damiCMS V6.0.1. | 5.0 |
2018-08-30 | CVE-2018-16231 | Michael Roth Software | Improper Input Validation vulnerability in Michael-Roth-Software Pftp Michael Roth Software Personal FTP Server (PFTP) through 8.4f allows remote attackers to cause a denial of service (daemon crash) via an unspecified sequence of FTP commands. | 5.0 |
2018-08-30 | CVE-2018-15745 | Argussurveillance | Path Traversal vulnerability in Argussurveillance DVR 4.0.0.0 Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter. | 5.0 |
2018-08-30 | CVE-2018-14903 | Epson | Origin Validation Error vulnerability in Epson Wf-2750 Firmware Jp02L2 EPSON WF-2750 printers with firmware JP02I2 do not properly validate files before running updates, which allows remote attackers to cause a printer malfunction or send malicious data to the printer. | 5.0 |
2018-08-30 | CVE-2018-14902 | Epson | Information Exposure vulnerability in Epson Iprint 6.6.3 The ContentProvider in the EPSON iPrint application 6.6.3 for Android does not properly restrict data access. | 5.0 |
2018-08-30 | CVE-2018-14901 | Epson | Use of Hard-coded Credentials vulnerability in Epson Iprint 6.6.3 The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services. | 5.0 |
2018-08-30 | CVE-2018-14900 | Epson | Channel and Path Errors vulnerability in Epson Wf-2750 Firmware Jp02L2 On EPSON WF-2750 printers with firmware JP02I2, there is no filtering of print jobs. | 5.0 |
2018-08-30 | CVE-2018-11720 | Xovis | Path Traversal vulnerability in Xovis PC2 Firmware, Pc2R Firmware and PC3 Firmware Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow Directory Traversal. | 5.0 |
2018-08-30 | CVE-2018-13823 | Broadcom CA | XXE vulnerability in multiple products An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information. | 5.0 |
2018-08-30 | CVE-2018-13822 | CA | Insufficiently Protected Credentials vulnerability in CA Project Portfolio Management Unprotected storage of credentials in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows attackers to access sensitive information. | 5.0 |
2018-08-30 | CVE-2018-13820 | CA | Use of Hard-coded Credentials vulnerability in CA Unified Infrastructure Management 8.4.7/8.5/8.5.1 A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information. | 5.0 |
2018-08-30 | CVE-2018-13819 | CA | Use of Hard-coded Credentials vulnerability in CA Unified Infrastructure Management 8.4.7/8.5/8.5.1 A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information. | 5.0 |
2018-08-30 | CVE-2018-16157 | Bijiadao | Unspecified vulnerability in Bijiadao Waimai Super CMS 20150505 waimai Super Cms 20150505 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture. | 5.0 |
2018-08-29 | CVE-2018-16133 | Cybrotech | Path Traversal vulnerability in Cybrotech Cybrohttpserver 1.0.3 Cybrotech CyBroHttpServer 1.0.3 allows Directory Traversal via a ../ in the URI. | 5.0 |
2018-08-29 | CVE-2018-7792 | Schneider Electric | Missing Authorization vulnerability in Schneider-Electric Modicon M221 Firmware 1.1.1.5 A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). | 5.0 |
2018-08-29 | CVE-2017-17762 | Episerver | XXE vulnerability in Episerver 7 XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx. | 5.0 |
2018-08-29 | CVE-2018-12827 | Adobe Apple Microsoft Linux Redhat | Out-of-bounds Read vulnerability in Adobe Flash Player Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read vulnerability. | 5.0 |
2018-08-29 | CVE-2018-12826 | Adobe Apple Microsoft Linux Redhat | Out-of-bounds Read vulnerability in Adobe Flash Player Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read vulnerability. | 5.0 |
2018-08-29 | CVE-2018-12807 | Adobe | Improper Input Validation vulnerability in Adobe Experience Manager Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have an input validation bypass vulnerability. | 5.0 |
2018-08-29 | CVE-2018-15881 | Joomla | Unspecified vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.8.12. | 5.0 |
2018-08-28 | CVE-2014-6050 | Phpmyfaq | 7PK - Security Features vulnerability in PHPmyfaq phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request. | 5.0 |
2018-08-28 | CVE-2014-6048 | Phpmyfaq | Information Exposure vulnerability in PHPmyfaq phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request. | 5.0 |
2018-08-28 | CVE-2014-6047 | Phpmyfaq | Permission Issues vulnerability in PHPmyfaq phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks. | 5.0 |
2018-08-28 | CVE-2018-13391 | Atlassian | Information Exposure vulnerability in Atlassian Jira and Jira Server The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden. | 5.0 |
2018-08-28 | CVE-2018-15919 | Openbsd Netapp | Information Exposure vulnerability in multiple products Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. | 5.0 |
2018-08-27 | CVE-2018-15810 | Visiology | Path Traversal vulnerability in Visiology Flipbox 2.0.0/2.6.0 Visiology Flipbox Software Suite before 2.7.0 allows directory traversal via %5c%2e%2e%2f because it does not sanitize filename parameters. | 5.0 |
2018-08-27 | CVE-2018-15895 | Icmsdev | Server-Side Request Forgery (SSRF) vulnerability in Icmsdev Icms An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. | 5.0 |
2018-08-31 | CVE-2018-6257 | Nvidia | Unspecified vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience all versions prior to 3.14.1 contains a potential vulnerability when GameStream is enabled where improper access control may lead to a denial of service, escalation of privileges, or both. | 4.4 |
2018-09-02 | CVE-2018-16362 | Mantisbt | Cross-site Scripting vulnerability in Mantisbt Source Integration An issue was discovered in the Source Integration plugin before 1.5.9 and 2.x before 2.1.5 for MantisBT. | 4.3 |
2018-09-02 | CVE-2018-16350 | Wuzhi CMS Project | Cross-site Scripting vulnerability in Wuzhi CMS Project Wuzhi CMS 4.1.0 WUZHI CMS 4.1.0 has XSS via the index.php?m=core&f=set&v=basic form[statcode] parameter. | 4.3 |
2018-09-02 | CVE-2018-16349 | Wuzhi CMS Project | Cross-site Scripting vulnerability in Wuzhi CMS Project Wuzhi CMS 4.1.0 WUZHI CMS 4.1.0 has XSS via the index.php?m=link&f=index&v=add form[remark] parameter. | 4.3 |
2018-09-02 | CVE-2018-16347 | Gleezcms | Cross-site Scripting vulnerability in Gleezcms Gleez CMS 1.2.0 An issue was discovered in Gleez CMS v1.2.0. | 4.3 |
2018-09-02 | CVE-2018-16337 | Chshcms | Cross-Site Request Forgery (CSRF) vulnerability in Chshcms Cscms 4.1.8 An issue was discovered in Cscms V4.1.8. | 4.3 |
2018-09-02 | CVE-2018-16336 | Exiv2 Canonical Debian | Out-of-bounds Read vulnerability in multiple products Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999. | 4.3 |
2018-09-02 | CVE-2018-16330 | Ipandao | Cross-site Scripting vulnerability in Ipandao Editor.Md 1.5.0 Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid IMG element. | 4.3 |
2018-09-01 | CVE-2018-16325 | GET Simple | Cross-site Scripting vulnerability in Get-Simple Getsimple CMS 3.4.0.9 There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field. | 4.3 |
2018-09-01 | CVE-2018-16324 | Icewarp | Cross-site Scripting vulnerability in Icewarp Mail Server In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field. | 4.3 |
2018-09-01 | CVE-2018-16323 | Imagemagick Canonical | Information Exposure vulnerability in multiple products ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. | 4.3 |
2018-09-01 | CVE-2018-16315 | Bijiadao | Cross-Site Request Forgery (CSRF) vulnerability in Bijiadao Waimai Super CMS 20150505 In waimai Super Cms 20150505, there is a CSRF vulnerability that can change the configuration via admin.php?m=Config&a=add. | 4.3 |
2018-09-01 | CVE-2018-16313 | Bludit | Cross-site Scripting vulnerability in Bludit 2.3.4 Bludit 2.3.4 allows XSS via a user name. | 4.3 |
2018-08-31 | CVE-2018-16298 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 An issue was discovered in MiniCMS 1.10. | 4.3 |
2018-08-31 | CVE-2018-11057 | Dell Oracle | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x) contains a Covert Timing Channel vulnerability during RSA decryption, also known as a Bleichenbacher attack on RSA decryption. | 4.3 |
2018-08-30 | CVE-2018-16236 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering. | 4.3 |
2018-08-30 | CVE-2018-16234 | Morningstarsecurity | Cross-site Scripting vulnerability in Morningstarsecurity Whatweb 0.4.9 MorningStar WhatWeb 0.4.9 has XSS via JSON report files. | 4.3 |
2018-08-30 | CVE-2018-16233 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 MiniCMS V1.10 has XSS via the mc-admin/post-edit.php tags parameter. | 4.3 |
2018-08-30 | CVE-2018-14899 | Epson | Cross-site Scripting vulnerability in Epson Wf-2750 Firmware Jp02L2 On the EPSON WF-2750 printer with firmware JP02I2, the Web interface AirPrint Setup page is vulnerable to HTML Injection that can redirect users to malicious sites. | 4.3 |
2018-08-30 | CVE-2018-13825 | Broadcom CA | Cross-site Scripting vulnerability in multiple products Insufficient input validation in the gridExcelExport functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute reflected cross-site scripting attacks. | 4.3 |
2018-08-30 | CVE-2018-16142 | Phpok | Cross-site Scripting vulnerability in PHPok 4.8.278 PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function. | 4.3 |
2018-08-29 | CVE-2018-16134 | Cybrotech | Cross-site Scripting vulnerability in Cybrotech Cybrohttpserver 1.0.3 Cybrotech CyBroHttpServer 1.0.3 allows XSS via a URI. | 4.3 |
2018-08-29 | CVE-2018-7795 | Schneider Electric | Cross-site Scripting vulnerability in Schneider-Electric Powerlogic Pm5560 Firmware A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. | 4.3 |
2018-08-29 | CVE-2018-12240 | Symantec | Use of Hard-coded Credentials vulnerability in Symantec Norton Identity Safe The Norton Identity Safe product prior to 5.3.0.976 may be susceptible to a privilege escalation issue via a hard coded IV, which is a type of vulnerability that can potentially increase the likelihood of encrypted data being recovered without adequate credentials. | 4.3 |
2018-08-29 | CVE-2018-15562 | Isweb | Cross-site Scripting vulnerability in Isweb 3.5.3 CMS ISWEB 3.5.3 has XSS via the ordineRis, sezioneRicerca, or oggettiRicerca parameter to index.php. | 4.3 |
2018-08-29 | CVE-2018-12824 | Adobe Apple Microsoft Linux Redhat | Out-of-bounds Read vulnerability in multiple products Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read vulnerability. | 4.3 |
2018-08-29 | CVE-2018-12806 | Adobe | Cross-site Scripting vulnerability in Adobe Experience Manager Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. | 4.3 |
2018-08-28 | CVE-2018-6643 | Infoblox | Cross-site Scripting vulnerability in Infoblox Netmri 7.1.1 Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter. | 4.3 |
2018-08-28 | CVE-2018-15740 | Manageengine | Cross-site Scripting vulnerability in Manageengine Admanager Plus 6.5.7 Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen. | 4.3 |
2018-08-28 | CVE-2018-15608 | Manageengine | Cross-site Scripting vulnerability in Manageengine Admanager Plus 6.5.7 Zoho ManageEngine ADManager Plus 6.5.7 allows HTML Injection on the "AD Delegation" "Help Desk Technicians" screen. | 4.3 |
2018-08-28 | CVE-2018-15596 | Mybb | Cross-site Scripting vulnerability in Mybb 1.8.17 An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. | 4.3 |
2018-08-28 | CVE-2017-15430 | | Unspecified vulnerability in Google Chrome Insufficient data validation in Chromecast plugin in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | 4.3 |
2018-08-28 | CVE-2017-15418 | Google Redhat Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Use of uninitialized memory in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 4.3 |
2018-08-28 | CVE-2014-4932 | Wordfence | Cross-site Scripting vulnerability in Wordfence Security Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php. | 4.3 |
2018-08-28 | CVE-2018-13395 | Atlassian | Cross-site Scripting vulnerability in Atlassian Jira and Jira Server Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. | 4.3 |
2018-08-27 | CVE-2018-3927 | Samsung | Improper Certificate Validation vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. | 4.3 |
2018-08-27 | CVE-2018-15699 | Asustor | Cross-site Scripting vulnerability in Asustor Data Master ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. | 4.3 |
2018-08-27 | CVE-2018-0715 | Qnap | Cross-site Scripting vulnerability in Qnap Photo Station Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject Javascript code in the compromised application. | 4.3 |
2018-08-27 | CVE-2018-15899 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.10 An issue was discovered in MiniCMS 1.10. | 4.3 |
2018-08-31 | CVE-2018-11056 | Dell Oracle | Resource Exhaustion vulnerability in multiple products RSA BSAFE Micro Edition Suite, prior to 4.1.6.1 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.3 (in 4.0.x) contain an Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability when parsing ASN.1 data. | 4.0 |
2018-08-30 | CVE-2018-16237 | Damicms | Path Traversal vulnerability in Damicms 6.0.1 An issue was discovered in damiCMS V6.0.1. | 4.0 |
2018-08-30 | CVE-2018-11719 | Xovis | XXE vulnerability in Xovis PC2 Firmware, Pc2R Firmware and PC3 Firmware Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE. | 4.0 |
2018-08-30 | CVE-2016-0373 | IBM | Improper Authorization vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. | 4.0 |
2018-08-28 | CVE-2018-15897 | Website Seller Script Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Website Seller Script Project Website Seller Script 2.0.5 PHP Scripts Mall Website Seller Script 2.0.5 allows remote attackers to cause a denial of service via crafted JavaScript code in the First Name, Last Name, Company Name, or Fax field, as demonstrated by crossPwn. | 4.0 |
2018-08-28 | CVE-2018-1705 | IBM | Information Exposure vulnerability in IBM Platform Symphony and Spectrum Symphony IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 contain an information disclosure vulnerability that could allow an authenticated attacker to obtain highly sensitive information. | 4.0 |
2018-08-27 | CVE-2018-1644 | IBM | Information Exposure vulnerability in IBM Websphere Commerce IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 9.0.0.0 - 9.0.0.4, 8.0.0.0 - 8.0.0.19, 8.0.1.0 - 8.0.1.13, 8.0.3.0 - 8.0.3.6, 8.0.4.0 - 8.0.4.14, and 7.0.0.0 Feature Pack 8 could allow an authenticated user to obtain sensitive information about another user. | 4.0 |
2018-08-27 | CVE-2018-15697 | Asustor | Information Exposure vulnerability in Asustor Data Master ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. | 4.0 |
2018-08-27 | CVE-2018-15696 | Asustor | Information Exposure vulnerability in Asustor Data Master ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi. | 4.0 |
16 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2018-09-02 | CVE-2018-16358 | Dotclear | Cross-site Scripting vulnerability in Dotclear A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml. | 3.5 |
2018-09-02 | CVE-2018-16348 | Seacms | Cross-site Scripting vulnerability in Seacms 6.61 SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name. | 3.5 |
2018-09-02 | CVE-2018-16346 | Chemcms Project | Cross-site Scripting vulnerability in Chemcms Project Chemcms 1.0.6 ChemCMS 1.0.6 has XSS via the "setting -> website information" field. | 3.5 |
2018-09-02 | CVE-2018-16342 | Showdoc | Cross-site Scripting vulnerability in Showdoc 1.8.0 ShowDoc v1.8.0 has XSS via a new page. | 3.5 |
2018-09-01 | CVE-2018-16327 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion 4.2.1 There is Stored XSS in Subrion 4.2.1 via the admin panel URL configuration. | 3.5 |
2018-09-01 | CVE-2018-16316 | Portainer | Cross-site Scripting vulnerability in Portainer A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field. | 3.5 |
2018-08-29 | CVE-2018-15880 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.8.12. | 3.5 |
2018-08-28 | CVE-2018-15896 | Website Seller Script Project | Cross-site Scripting vulnerability in Website Seller Script Project Website Seller Script 2.0.5 PHP Scripts Mall Website Seller Script 2.0.5 has XSS via Personal Address or Company Name. | 3.5 |
2018-08-31 | CVE-2018-11055 | Dell Oracle | Improper Resource Shutdown or Release vulnerability in multiple products RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x), contains an Improper Clearing of Heap Memory Before Release ('Heap Inspection') vulnerability. | 2.1 |
2018-08-30 | CVE-2016-0234 | IBM | Insufficient Session Expiration vulnerability in IBM Openpages GRC Platform IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. | 2.1 |
2018-08-30 | CVE-2016-0205 | IBM | Information Exposure vulnerability in IBM Cloud Orchestrator A vulnerability has been identified in IBM Cloud Orchestrator 2.3, 2.3.0.1, 2.4, and 2.4.0.1 that could allow an attacker after authentication to enumerate valid users of the system. | 2.1 |
2018-08-29 | CVE-2018-6599 | Orbic | Information Exposure Through Log Files vulnerability in Orbic Wonder Rc555L Firmware 7.1/7.1.2 An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. | 2.1 |
2018-08-29 | CVE-2018-15746 | Qemu | Unspecified vulnerability in Qemu qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. | 2.1 |
2018-08-31 | CVE-2018-6259 | Nvidia | Information Exposure vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience all versions prior to 3.14.1 contains a potential vulnerability when GameStream is enabled, an attacker has system access, and certain system features are enabled, where limited information disclosure may be possible. | 1.9 |
2018-08-31 | CVE-2018-6258 | Nvidia | Unspecified vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience all versions prior to 3.14.1 contains a potential vulnerability during GameStream installation where an attacker who has system access can potentially conduct a Man-in-the-Middle (MitM) attack to obtain sensitive information. | 1.9 |
2018-08-30 | CVE-2018-15364 | Trendmicro | Information Exposure vulnerability in Trendmicro Officescan XG 12.0 A Named Pipe Request Processing Out-of-Bounds Read Information Disclosure vulnerability in Trend Micro OfficeScan XG (12.0) could allow a local attacker to disclose sensitive information on vulnerable installations. | 1.9 |