Weekly Vulnerabilities Reports > October 8 to 14, 2018

Overview

350 new vulnerabilities reported during this period, including 65 critical vulnerabilities and 50 high severity vulnerabilities. This weekly summary report vulnerabilities in 364 products from 97 vendors including Microsoft, Adobe, Apple, Juniper, and IBM. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Out-of-bounds Read", "Use After Free", and "Improper Input Validation".

  • 310 reported vulnerabilities are remotely exploitables.
  • 16 reported vulnerabilities have public exploit available.
  • 79 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 307 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 149 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 56 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

65 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-10 CVE-2018-8500 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore.

10.0
2018-10-09 CVE-2018-14649 Redhat Unspecified vulnerability in Redhat products

It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode.

10.0
2018-10-08 CVE-2018-5399 Auto Maskin USE of Hard-Coded Credentials vulnerability in Auto-Maskin Dcu-210E Firmware and Rp-210E Firmware

The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running.

10.0
2018-10-08 CVE-2018-1000804 Contiki NG Buffer Errors vulnerability in Contiki-Ng 4.0

contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system.

10.0
2018-10-12 CVE-2018-15966 Adobe
Apple
Microsoft
Unspecified vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a security bypass vulnerability.

9.3
2018-10-12 CVE-2018-15955 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15954 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15952 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15951 Adobe
Apple
Microsoft
Buffer Errors vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a buffer errors vulnerability.

9.3
2018-10-12 CVE-2018-15945 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15944 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15941 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15940 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15939 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15938 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15937 Adobe
Apple
Microsoft
Null Pointer Dereference vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an untrusted pointer dereference vulnerability.

9.3
2018-10-12 CVE-2018-15936 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15935 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15934 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15933 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15931 Adobe
Apple
Microsoft
Null Pointer Dereference vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an untrusted pointer dereference vulnerability.

9.3
2018-10-12 CVE-2018-15930 Adobe
Apple
Microsoft
Null Pointer Dereference vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an untrusted pointer dereference vulnerability.

9.3
2018-10-12 CVE-2018-15929 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15928 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-15924 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-15920 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-12877 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-12876 Adobe
Apple
Microsoft
Incorrect Type Conversion OR Cast vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a type confusion vulnerability.

9.3
2018-10-12 CVE-2018-12868 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-12865 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-12864 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-12863 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-12862 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-12861 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-12860 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-12858 Adobe
Apple
Microsoft
Incorrect Type Conversion OR Cast vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a type confusion vulnerability.

9.3
2018-10-12 CVE-2018-12855 Adobe
Apple
Microsoft
Buffer Errors vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a buffer errors vulnerability.

9.3
2018-10-12 CVE-2018-12853 Adobe
Apple
Microsoft
Buffer Errors vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a buffer errors vulnerability.

9.3
2018-10-12 CVE-2018-12852 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-12851 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

9.3
2018-10-12 CVE-2018-12846 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

9.3
2018-10-12 CVE-2018-12841 Adobe
Apple
Microsoft
Double Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a double free vulnerability.

9.3
2018-10-12 CVE-2018-12837 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

9.3
2018-10-12 CVE-2018-12836 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

9.3
2018-10-12 CVE-2018-12835 Adobe
Apple
Microsoft
Incorrect Type Conversion OR Cast vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a type confusion vulnerability.

9.3
2018-10-12 CVE-2018-12833 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

9.3
2018-10-12 CVE-2018-12832 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

9.3
2018-10-12 CVE-2018-12831 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-12769 Adobe
Apple
Microsoft
USE After Free vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability.

9.3
2018-10-12 CVE-2018-12759 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds write vulnerability.

9.3
2018-10-12 CVE-2018-17896 Yokogawa USE of Hard-Coded Credentials vulnerability in Yokogawa products

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The affected controllers utilize hard-coded credentials which may allow an attacker gain unauthorized access to the maintenance functions and obtain or modify information.

9.3
2018-10-10 CVE-2018-12455 Intelbras Improper Authentication vulnerability in Intelbras Nplug Firmware 1.0.0.14

Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie.

9.3
2018-10-10 CVE-2018-0052 Juniper Improper Authentication vulnerability in Juniper Junos

If RSH service is enabled on Junos OS and if the PAM authentication is disabled, a remote unauthenticated attacker can obtain root access to the device.

9.3
2018-10-10 CVE-2018-8531 Microsoft Out-Of-Bounds Write vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that Azure IoT Hub Device Client SDK using MQTT protocol accesses objects in memory, aka "Azure IoT Device Client SDK Memory Corruption Vulnerability." This affects Hub Device Client SDK, Azure IoT Edge.

9.3
2018-10-10 CVE-2018-8504 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when the software fails to properly handle objects in Protected View, aka "Microsoft Word Remote Code Execution Vulnerability." This affects Microsoft SharePoint Server, Office 365 ProPlus, Microsoft Office, Microsoft Word.

9.3
2018-10-10 CVE-2018-8502 Microsoft Unspecified vulnerability in Microsoft Excel, Office and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in Protected View, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel.

9.3
2018-10-10 CVE-2018-8501 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in Protected View, aka "Microsoft PowerPoint Remote Code Execution Vulnerability." This affects Office 365 ProPlus, PowerPoint Viewer, Microsoft Office, Microsoft PowerPoint.

9.3
2018-10-10 CVE-2018-8494 Microsoft XXE vulnerability in Microsoft products

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2018-10-10 CVE-2018-8432 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory, aka "Microsoft Graphics Components Remote Code Execution Vulnerability." This affects Windows 7, Microsoft Office, Microsoft Office Word Viewer, Office 365 ProPlus, Microsoft Excel Viewer, Microsoft PowerPoint Viewer, Windows Server 2019, Windows Server 2008 R2, Windows 10, Windows Server 2008.

9.3
2018-10-10 CVE-2018-8423 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

A remote code execution vulnerability exists in the Microsoft JET Database Engine, aka "Microsoft JET Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2018-10-10 CVE-2018-8413 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when "Windows Theme API" does not properly decompress files, aka "Windows Theme API Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2018-10-10 CVE-2018-8265 Microsoft Improper Input Validation vulnerability in Microsoft Exchange Server 2013/2016

A remote code execution vulnerability exists in the way Microsoft Exchange software parses specially crafted email messages, aka "Microsoft Exchange Remote Code Execution Vulnerability." This affects Microsoft Exchange Server.

9.3
2018-10-08 CVE-2018-14810 WE CON Out-Of-Bounds Write vulnerability in We-Con PI Studio and PI Studio HMI

WECON Technology Co., Ltd.

9.3
2018-10-10 CVE-2018-13802 Siemens Improper Privilege Management vulnerability in Siemens ROX II Firmware

A vulnerability has been identified in ROX II (All versions < V2.12.1).

9.0
2018-10-10 CVE-2018-13801 Siemens Improper Privilege Management vulnerability in Siemens ROX II Firmware

A vulnerability has been identified in ROX II (All versions < V2.12.1).

9.0

50 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-12 CVE-2018-17898 Yokogawa Resource Exhaustion vulnerability in Yokogawa products

Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The controller application fails to prevent memory exhaustion by unauthorized requests.

7.8
2018-10-12 CVE-2018-18226 Wireshark
Debian
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could consume system memory.

7.8
2018-10-11 CVE-2018-1745 IBM Missing Authentication FOR Critical Function vulnerability in IBM Security KEY Lifecycle Manager

IBM Security Key Lifecycle Manager 2.7 and 3.0 could allow an unauthenticated user to restart the SKLM server due to missing authentication.

7.8
2018-10-10 CVE-2018-0058 Juniper Improper Input Validation vulnerability in Juniper Junos

Receipt of a specially crafted IPv6 exception packet may be able to trigger a kernel crash (vmcore), causing the device to reboot.

7.8
2018-10-10 CVE-2018-8490 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

7.7
2018-10-10 CVE-2018-8489 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

7.7
2018-10-10 CVE-2018-8513 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-10-10 CVE-2018-8511 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-10-10 CVE-2018-8510 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-10-10 CVE-2018-8509 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge.

7.6
2018-10-10 CVE-2018-8505 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-10-10 CVE-2018-8503 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-10-10 CVE-2018-8495 Microsoft Path Traversal vulnerability in Microsoft Windows 10 and Windows Server 2016

A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

7.6
2018-10-10 CVE-2018-8491 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Internet Explorer 11

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 11.

7.6
2018-10-10 CVE-2018-8473 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2018-10-10 CVE-2018-8460 Microsoft Out-Of-Bounds Write vulnerability in Microsoft Internet Explorer 11

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability." This affects Internet Explorer 11.

7.6
2018-10-12 CVE-2018-17894 Nuuo USE of Hard-Coded Credentials vulnerability in Nuuo CMS 3.1

NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.

7.5
2018-10-12 CVE-2018-17890 Nuuo 7PK - Code Quality vulnerability in Nuuo CMS 3.1

NUUO CMS all versions 3.1 and prior, The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution.

7.5
2018-10-12 CVE-2018-17888 Nuuo USE of Insufficiently Random Values vulnerability in Nuuo CMS 3.1

NUUO CMS all versions 3.1 and prior, The application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution.

7.5
2018-10-11 CVE-2018-18258 Bagesoft Code Injection vulnerability in Bagesoft Bagecms 3.1.3

An issue was discovered in BageCMS 3.1.3.

7.5
2018-10-11 CVE-2018-9206 Jquery File Upload Project Unrestricted Upload of File With Dangerous Type vulnerability in Jquery File Upload Project Jquery File Upload

Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

7.5
2018-10-11 CVE-2018-18242 Youke365 SQL Injection vulnerability in Youke365 Youke 365 1.1.5

youke365 v1.1.5 has SQL injection via admin/login.html, as demonstrated by username=admin&pass=123456&code=9823&act=login&submit=%E7%99%BB+%E9%99%86.

7.5
2018-10-11 CVE-2018-18240 Pippo Deserialization of Untrusted Data vulnerability in Pippo

Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.

7.5
2018-10-10 CVE-2018-12596 Episerver Improper Privilege Management vulnerability in Episerver Ektron CMS 9.00/9.10/9.20

Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

7.5
2018-10-10 CVE-2018-12544 Eclipse XXE vulnerability in Eclipse Vert.X

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks.

7.5
2018-10-10 CVE-2018-12542 Eclipse Path Traversal vulnerability in Eclipse Vert.X

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems.

7.5
2018-10-10 CVE-2018-12410 Tibco Unspecified vulnerability in Tibco Spotfire Statistics Services

The web server component of TIBCO Software Inc's Spotfire Statistics Services contains multiple vulnerabilities that may allow the remote execution of code.

7.5
2018-10-09 CVE-2018-7633 Adbglobal Code Injection vulnerability in Adbglobal Epicentro 7.3.2

Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.

7.5
2018-10-09 CVE-2018-7631 Adbglobal Buffer Errors vulnerability in Adbglobal Epicentro 7.3.2

Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to execute code remotely via a specially crafted GET request without a leading "/" and without authentication.

7.5
2018-10-09 CVE-2018-18200 Redaxo SQL Injection vulnerability in Redaxo

There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4.

7.5
2018-10-09 CVE-2018-17963 Qemu
Debian
Canonical
Redhat
Integer Overflow OR Wraparound vulnerability in multiple products

qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.

7.5
2018-10-09 CVE-2018-18197 Linuxsampler Buffer Errors vulnerability in Linuxsampler Libgig 4.1.0

An issue was discovered in libgig 4.1.0.

7.5
2018-10-09 CVE-2018-18084 Duomicms SQL Injection vulnerability in Comsenz Duomicms 3.0

An issue was discovered in DuomiCMS 3.0.

7.5
2018-10-09 CVE-2018-18083 Comsenz Code Injection vulnerability in Comsenz Duomicms 3.0

An issue was discovered in DuomiCMS 3.0.

7.5
2018-10-09 CVE-2018-18075 Wikidforum Project SQL Injection vulnerability in Wikidforum Project Wikidforum 2.20

WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id or num_records parameter, or the index.php?action=search select_sort parameter.

7.5
2018-10-09 CVE-2018-12474 Opensuse Improper Input Validation vulnerability in Opensuse TAR SCM

Improper input validation in obs-service-tar_scm of Open Build Service allows remote attackers to cause access and extract information outside the current build or cause the creation of file in attacker controlled locations.

7.5
2018-10-08 CVE-2018-17440 D Link Unrestricted Upload of File With Dangerous Type vulnerability in D-Link Central Wifimanager 1.00/1.01/1.02

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1.

7.5
2018-10-08 CVE-2018-1000810 Rust Lang Integer Overflow OR Wraparound vulnerability in Rust-Lang Rust

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard library that can result in buffer overflow.

7.5
2018-10-08 CVE-2018-14818 WE CON Out-Of-Bounds Write vulnerability in We-Con PI Studio and PI Studio HMI

WECON Technology Co., Ltd.

7.5
2018-10-11 CVE-2018-12441 Corsair Incorrect Default Permissions vulnerability in Corsair Utility Engine

The CorsairService Service in Corsair Utility Engine is installed with insecure default permissions, which allows unprivileged local users to execute arbitrary commands via modification of the CorsairService BINARY_PATH_NAME, leading to complete control of the affected system.

7.2
2018-10-10 CVE-2018-12173 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel products

Insufficient access protection in firmware in Intel Server Board, Intel Server System and Intel Compute Module before firmware version 00.01.0014 may allow an unauthenticated attacker to potentially execute arbitrary code resulting in information disclosure, escalation of privilege and/or denial of service via local access.

7.2
2018-10-10 CVE-2018-0053 Juniper Improper Authentication vulnerability in Juniper Junos 15.1X49

An authentication bypass vulnerability in the initial boot sequence of Juniper Networks Junos OS on vSRX Series may allow an attacker to gain full control of the system without authentication when the system is initially booted up.

7.2
2018-10-10 CVE-2018-8484 Microsoft Improper Resource Shutdown OR Release vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka "DirectX Graphics Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

7.2
2018-10-10 CVE-2018-8453 Microsoft Improper Resource Shutdown OR Release vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

7.2
2018-10-10 CVE-2018-8411 Microsoft Incorrect Permission Assignment FOR Critical Resource vulnerability in Microsoft products

An elevation of privilege vulnerability exists when NTFS improperly checks access, aka "NTFS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

7.2
2018-10-10 CVE-2018-8329 Microsoft Improper Resource Shutdown OR Release vulnerability in Microsoft Windows 10 and Windows Server 2016

An Elevation of Privilege vulnerability exists in Windows Subsystem for Linux when it fails to properly handle objects in memory, aka "Linux On Windows Elevation Of Privilege Vulnerability." This affects Windows 10, Windows 10 Servers.

7.2
2018-10-08 CVE-2018-17775 Seqrite Incorrect Permission Assignment for Critical Resource vulnerability in Seqrite END Point Security 7.4

Seqrite End Point Security v7.4 has "Everyone: (F)" permission for %PROGRAMFILES%\Seqrite\Seqrite, which allows local users to gain privileges by replacing an executable file with a Trojan horse.

7.2
2018-10-08 CVE-2018-1742 IBM USE of Hard-Coded Credentials vulnerability in IBM Security KEY Lifecycle Manager

IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

7.2
2018-10-10 CVE-2018-0049 Juniper Null Pointer Dereference vulnerability in Juniper Junos

A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash.

7.1
2018-10-09 CVE-2018-18070 Mbusa Infinite Loop vulnerability in Mbusa Cockpit Management and Data 17/13.050.12

An issue was discovered in Daimler Mercedes-Benz COMAND 17/13.0 50.12 on Mercedes-Benz C-Class 2018 vehicles.

7.1

204 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-10 CVE-2018-8333 Microsoft Improper Resource Shutdown OR Release vulnerability in Microsoft products

An Elevation of Privilege vulnerability exists in Filter Manager when it improperly handles objects in memory, aka "Microsoft Filter Manager Elevation Of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

6.9
2018-10-12 CVE-2018-18274 Pdfalto Project Out-Of-Bounds Write vulnerability in Pdfalto Project Pdfalto 0.2

A issue was found in pdfalto 0.2.

6.8
2018-10-12 CVE-2018-12847 Adobe
Apple
Microsoft
Out-Of-Bounds Write vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a heap overflow vulnerability.

6.8
2018-10-11 CVE-2018-17929 Deltaww Buffer Errors vulnerability in Deltaww Tpeditor 1.89/1.90

In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and prior, multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files lacking user input validation before copying data from project files onto the stack and may allow an attacker to remotely execute arbitrary code.

6.8
2018-10-11 CVE-2018-17927 Deltaww Out-Of-Bounds Write vulnerability in Deltaww Tpeditor 1.89/1.90

In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and prior, multiple out-of-bounds write vulnerabilities may be exploited by processing specially crafted project files lacking user input validation, which may cause the system to write outside the intended buffer area and may allow remote code execution.

6.8
2018-10-11 CVE-2018-18215 Youke365 Cross-Site Request Forgery (CSRF) vulnerability in Youke365 Youke 365 1.1.5

In youke365 v1.1.5, admin/user.html has a CSRF vulnerability that can add an user account.

6.8
2018-10-11 CVE-2018-12449 Navercorp Untrusted Search Path vulnerability in Navercorp Whale 0.4.3.0

The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking.

6.8
2018-10-10 CVE-2018-12456 Intelbras Cross-Site Request Forgery (CSRF) vulnerability in Intelbras Nplug Firmware 1.0.0.14

Intelbras NPLUG 1.0.0.14 wireless repeater devices have no CSRF token protection in the web interface, allowing attackers to perform actions such as changing the wireless SSID, rebooting the device, editing access control lists, or activating remote access.

6.8
2018-10-10 CVE-2018-0044 Juniper Improper Authentication vulnerability in Juniper Junos

An insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty.

6.8
2018-10-10 CVE-2018-18211 Pbootcms SQL Injection vulnerability in Pbootcms 1.2.1

PbootCMS 1.2.1 has SQL injection via the HTTP POST data to the api.php/cms/addform?fcode=1 URI.

6.8
2018-10-09 CVE-2018-18201 Qibosoft Cross-Site Request Forgery (CSRF) vulnerability in Qibosoft 7.0

qibosoft V7.0 allows CSRF via admin/index.php?lfj=member&action=addmember to add a user account.

6.8
2018-10-09 CVE-2018-17858 Joomla Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.8.13.

6.8
2018-10-09 CVE-2018-10614 WE CON XXE vulnerability in We-Con Levistudiou 1.8.29/1.8.44

An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project XML files.

6.8
2018-10-09 CVE-2018-10610 WE CON Out-Of-Bounds Write vulnerability in We-Con Levistudiou 1.8.29/1.8.44

An out-of-bounds vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be exploited when the application processes specially crafted project files.

6.8
2018-10-09 CVE-2018-18196 Linuxsampler Out-Of-Bounds Read vulnerability in Linuxsampler Libgig 4.1.0

An issue was discovered in libgig 4.1.0.

6.8
2018-10-09 CVE-2018-18194 Linuxsampler Out-Of-Bounds Read vulnerability in Linuxsampler Libgig 4.1.0

An issue was discovered in libgig 4.1.0.

6.8
2018-10-09 CVE-2018-18193 Linuxsampler Buffer Errors vulnerability in Linuxsampler Libgig 4.1.0

An issue was discovered in libgig 4.1.0.

6.8
2018-10-09 CVE-2018-18191 Finecms Cross-Site Request Forgery (CSRF) vulnerability in Finecms 5.4

Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password.

6.8
2018-10-08 CVE-2018-3997 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.2.0.9297.

6.8
2018-10-08 CVE-2018-3996 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 9.2.0.9297.

6.8
2018-10-08 CVE-2018-3992 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.2.0.9297.

6.8
2018-10-08 CVE-2018-3945 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.1.0.5096.

6.8
2018-10-08 CVE-2018-3942 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 9.1.0.5096.

6.8
2018-10-08 CVE-2018-3941 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.1.0.5096.

6.8
2018-10-08 CVE-2018-3940 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 9.1.0.5096.

6.8
2018-10-08 CVE-2018-16297 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16292, CVE-2018-16293, CVE-2018-16294, CVE-2018-16295, and CVE-2018-16296.

6.8
2018-10-08 CVE-2018-16296 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16292, CVE-2018-16293, CVE-2018-16294, CVE-2018-16295, and CVE-2018-16297.

6.8
2018-10-08 CVE-2018-16295 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16292, CVE-2018-16293, CVE-2018-16294, CVE-2018-16296, and CVE-2018-16297.

6.8
2018-10-08 CVE-2018-16294 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16292, CVE-2018-16293, CVE-2018-16295, CVE-2018-16296, and CVE-2018-16297.

6.8
2018-10-08 CVE-2018-16293 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16292, CVE-2018-16294, CVE-2018-16295, CVE-2018-16296, and CVE-2018-16297.

6.8
2018-10-08 CVE-2018-16292 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16293, CVE-2018-16294, CVE-2018-16295, CVE-2018-16296, and CVE-2018-16297.

6.8
2018-10-08 CVE-2018-16291 Foxitsoftware
Microsoft
USE After Free vulnerability in Foxitsoftware Phantompdf and Reader

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16292, CVE-2018-16293, CVE-2018-16294, CVE-2018-16295, CVE-2018-16296, and CVE-2018-16297.

6.8
2018-10-08 CVE-2018-1000807 Pyopenssl
Canonical
Redhat
USE After Free vulnerability in multiple products

Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution..

6.8
2018-10-12 CVE-2018-15755 Cloud Foundry SQL Injection vulnerability in Cloud Foundry Cf-Networking

Cloud Foundry CF Networking Release, versions 2.11.0 prior to 2.16.0, contain an internal api endpoint vulnerable to SQL injection between Diego cells and the policy server.

6.5
2018-10-12 CVE-2018-17892 Nuuo Unspecified vulnerability in Nuuo CMS 3.1

NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution.

6.5
2018-10-09 CVE-2018-17856 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.8.13.

6.5
2018-10-09 CVE-2018-17855 Joomla Improper Privilege Management vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.8.13.

6.5
2018-10-09 CVE-2018-18086 Phome Unrestricted Upload of File With Dangerous Type vulnerability in Phome Empirecms 7.5

EmpireCMS v7.5 has an arbitrary file upload vulnerability in the LoadInMod function in e/class/moddofun.php, exploitable by logged-in users.

6.5
2018-10-08 CVE-2018-17442 D Link Unrestricted Upload of File With Dangerous Type vulnerability in D-Link Central Wifimanager 1.00/1.01/1.02

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1.

6.5
2018-10-08 CVE-2018-5402 Auto Maskin
ARM
Cryptographic Issues vulnerability in Auto-Maskin products

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates.

6.5
2018-10-08 CVE-2018-1000805 Paramiko
Redhat
Debian
Canonical
Incorrect Permission Assignment FOR Critical Resource vulnerability in multiple products

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE.

6.5
2018-10-11 CVE-2018-18257 Bagesoft Path Traversal vulnerability in Bagesoft Bagecms 3.1.3

An issue was discovered in BageCMS 3.1.3.

6.4
2018-10-10 CVE-2018-18061 Tecrail Improper Authentication vulnerability in Tecrail Responsive Filemanager 9.8.1

An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1.

6.4
2018-10-10 CVE-2018-17919 Xiongmaitech USE of Hard-Coded Credentials vulnerability in Xiongmaitech Xmeye P2P Cloud Server

All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server may allow an attacker to use an undocumented user account "default" with its default password to login to XMeye and access/view video streams.

6.4
2018-10-10 CVE-2018-17915 Xiongmaitech Missing Encryption of Sensitive Data vulnerability in Xiongmaitech Xmeye P2P Cloud Server

All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication.

6.4
2018-10-09 CVE-2018-12477 Opensuse Crlf Injection vulnerability in Opensuse Leap 15.0/42.3

A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them.

6.4
2018-10-08 CVE-2018-5400 Auto Maskin
ARM
Origin Validation Error vulnerability in Auto-Maskin DCU 210E Firmware and RP 210E Firmware

The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices.

6.4
2018-10-08 CVE-2018-1741 IBM Unspecified vulnerability in IBM Security KEY Lifecycle Manager

IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 does not properly limit the number or frequency of interaction which could be used to cause a denial of service, compromise program logic or other consequences.

6.4
2018-10-09 CVE-2018-2475 Gardener Unspecified vulnerability in Gardener

Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in the corresponding seed cluster.

6.0
2018-10-10 CVE-2018-0045 Juniper Improper Input Validation vulnerability in Juniper Junos

Receipt of a specific Draft-Rosen MVPN control packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution.

5.8
2018-10-10 CVE-2018-0043 Juniper Improper Input Validation vulnerability in Juniper Junos

Receipt of a specific MPLS packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution.

5.8
2018-10-10 CVE-2018-8512 Microsoft Improper Input Validation vulnerability in Microsoft Edge

A security feature bypass vulnerability exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.

5.8
2018-10-10 CVE-2018-8448 Microsoft Cross-Site Scripting vulnerability in Microsoft Exchange Server 2013/2016

An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.

5.8
2018-10-10 CVE-2018-12158 Intel Information Exposure vulnerability in Intel Next Unit of Computing Firmware

Insufficient input validation in BIOS update utility in Intel NUC FW kits downloaded before May 24, 2018 may allow a privileged user to potentially trigger a denial of service or information disclosure via local access.

5.6
2018-10-12 CVE-2018-1844 IBM XXE vulnerability in IBM Filenet Content Manager 5.2.1/5.5.0

IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.

5.5
2018-10-11 CVE-2018-1738 IBM Improper Authentication vulnerability in IBM Security KEY Lifecycle Manager

IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0 could allow an authenticated user to obtain highly sensitive information or jeopardize system integrity due to improper authentication mechanisms.

5.5
2018-10-10 CVE-2018-0057 Juniper Unspecified vulnerability in Juniper Junos

On MX Series and M120/M320 platforms configured in a Broadband Edge (BBE) environment, subscribers logging in with DHCP Option 50 to request a specific IP address will be assigned the requested IP address, even if there is a static MAC to IP address binding in the access profile.

5.5
2018-10-08 CVE-2018-1750 IBM Incorrect Permission Assignment FOR Critical Resource vulnerability in IBM Security KEY Lifecycle Manager

IBM Security Key Lifecycle Manager 3.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

5.5
2018-10-14 CVE-2018-18289 Mesilat Information Exposure vulnerability in Mesilat Zabbix

The MESILAT Zabbix plugin before 1.1.15 for Atlassian Confluence allows attackers to read arbitrary files.

5.0
2018-10-14 CVE-2018-18287 Asus Information Exposure vulnerability in Asus Rt-Ac58U Firmware 3.0.0.4.380.6516

On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discover hostnames and IP addresses by reading dhcpLeaseInfo data in the HTML source code of the Main_Login.asp page.

5.0
2018-10-12 CVE-2018-17902 Yokogawa Session Fixation vulnerability in Yokogawa products

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions.

5.0
2018-10-12 CVE-2018-17900 Yokogawa Insufficiently Protected Credentials vulnerability in Yokogawa products

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers.

5.0
2018-10-12 CVE-2018-8890 Blackberry Information Exposure vulnerability in Blackberry Unified Endpoint Manager 12.8.0/12.8.1

An information disclosure vulnerability in the Management Console of BlackBerry UEM 12.8.0 and 12.8.1 could allow an attacker to take over a UEM user's session and perform administrative actions in the context of the user.

5.0
2018-10-12 CVE-2018-12469 Microfocus Null Pointer Dereference vulnerability in Microfocus Enterprise Developer and Enterprise Server

Incorrect handling of an invalid value for an HTTP request parameter by Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 Update 2 and earlier, 3.0 before Patch Update 12, and 4.0 before Patch Update 2 causes a null pointer dereference (CWE-476) and subsequent denial of service due to process termination.

5.0
2018-10-12 CVE-2018-18227 Wireshark
Debian
Null Pointer Dereference vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP protocol dissector could crash.

5.0
2018-10-12 CVE-2018-18225 Wireshark
Debian
Opensuse
Incorrect Calculation vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash.

5.0
2018-10-11 CVE-2018-15766 Dell Weak Password Requirements vulnerability in Dell Encryption and Endpoint Security Suite Enterprise

On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device.

5.0
2018-10-10 CVE-2018-16737 Tinc VPN Improper Authentication vulnerability in Tinc-Vpn Tinc

tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation.

5.0
2018-10-10 CVE-2018-13789 Descor Authentication Bypass BY Capture-Replay vulnerability in Descor Infocad FM

An issue was discovered in Descor Infocad FM before 3.1.0.0.

5.0
2018-10-10 CVE-2018-0062 Juniper Improper Input Validation vulnerability in Juniper Junos

A Denial of Service vulnerability in J-Web service may allow a remote unauthenticated user to cause Denial of Service which may prevent other users to authenticate or to perform J-Web operations.

5.0
2018-10-10 CVE-2018-0061 Juniper Resource Exhaustion vulnerability in Juniper Junos

A denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance.

5.0
2018-10-10 CVE-2018-0048 Juniper Resource Exhaustion vulnerability in Juniper Junos

A vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support can allow a network based unauthenticated attacker to cause a severe memory exhaustion condition on the device.

5.0
2018-10-10 CVE-2018-13805 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in SIMATIC ET 200SP Open Controller (All versions >= V2.0 and < V2.1.6), SIMATIC S7-1500 Software Controller (All versions >= V2.0 and < V2.5), SIMATIC S7-1500 incl.

5.0
2018-10-10 CVE-2018-17917 Xiongmaitech Information Exposure vulnerability in Xiongmaitech Xmeye P2P Cloud Server

All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server may allow an attacker to use MAC addresses to enumerate potential Cloud IDs.

5.0
2018-10-10 CVE-2018-8493 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows TCP/IP stack improperly handles fragmented IP packets, aka "Windows TCP/IP Information Disclosure Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

5.0
2018-10-10 CVE-2018-8292 Microsoft Information Exposure vulnerability in Microsoft Asp.Net Core and Powershell Core

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

5.0
2018-10-10 CVE-2018-18206 Bytom Integer Overflow OR Wraparound vulnerability in Bytom

In the client in Bytom before 1.0.6, checkTopicRegister in p2p/discover/net.go does not prevent negative idx values, leading to a crash.

5.0
2018-10-10 CVE-2018-18202 IBM Unspecified vulnerability in IBM products

The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 modules for IBM BladeCenter have an undocumented support account with a support password, an undocumented diags account with a diags password, and an undocumented prom account with a prom password.

5.0
2018-10-09 CVE-2018-7632 Adbglobal Buffer Errors vulnerability in Adbglobal Epicentro 7.3.2

Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to cause a denial of service attack remotely via a specially crafted GET request with a leading "/" in the URL.

5.0
2018-10-09 CVE-2018-17962 Qemu
Canonical
Debian
Oracle
Redhat
Suse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.

5.0
2018-10-09 CVE-2018-17958 Qemu
Canonical
Debian
Redhat
Integer Overflow OR Wraparound vulnerability in multiple products

Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.

5.0
2018-10-09 CVE-2018-11796 Apache XXE vulnerability in Apache Tika

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing.

5.0
2018-10-09 CVE-2018-18074 Python
Canonical
Opensuse
Redhat
Insufficiently Protected Credentials vulnerability in multiple products

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

5.0
2018-10-09 CVE-2018-14081 D Link Insufficiently Protected Credentials vulnerability in D-Link products

An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices.

5.0
2018-10-09 CVE-2018-14080 D Link Improper Authentication vulnerability in D-Link products

An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices.

5.0
2018-10-09 CVE-2018-2471 SAP Unspecified vulnerability in SAP Businessobjects Business Intelligence Platform 4.10/4.20

Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.

5.0
2018-10-09 CVE-2018-2469 SAP Unspecified vulnerability in SAP Adaptive Server Enterprise 15.7/16.0

Under certain conditions SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted.

5.0
2018-10-09 CVE-2018-2468 SAP Unspecified vulnerability in SAP Adaptive Server Enterprise 15.7/16.0

Under certain conditions the backup server in SAP Adaptive Server Enterprise (ASE), versions 15.7 and 16.0, allows an attacker to access information which would otherwise be restricted.

5.0
2018-10-09 CVE-2018-2467 SAP Unspecified vulnerability in SAP Businessobjects BI Platform 4.1/4.2

In the Software Development Kit in SAP BusinessObjects BI Platform Servers, versions 4.1 and 4.2, using the specially crafted URL in a Web Browser such as Chrome the system returns an error with the path of the used application server.

5.0
2018-10-09 CVE-2018-12479 Opensuse Improper Input Validation vulnerability in Opensuse Open Build Service

A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs.

5.0
2018-10-09 CVE-2018-18071 Mercedes Benz Cleartext Transmission of Sensitive Information vulnerability in Mercedes-Benz Mercedes ME 2.11.0

An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS.

5.0
2018-10-08 CVE-2016-7475 F5 Improper Input Validation vulnerability in F5 products

Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel (TMM) may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server profiles.

5.0
2018-10-08 CVE-2018-18066 NET Snmp
Netapp
Null Pointer Dereference vulnerability in multiple products

snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

5.0
2018-10-08 CVE-2018-17060 Progress Unspecified vulnerability in Progress Telerik Extensions FOR Asp.Net MVC

Telerik Extensions for ASP.NET MVC (all versions) does not whitelist requests, which can allow a remote attacker to access files inside the server's web directory.

5.0
2018-10-08 CVE-2018-1743 IBM Information Exposure vulnerability in IBM Security KEY Lifecycle Manager

IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 discloses sensitive information to unauthorized users.

5.0
2018-10-08 CVE-2018-1000809 Privacyidea Improper Input Validation vulnerability in Privacyidea

privacyIDEA version 2.23.1 and earlier contains a Improper Input Validation vulnerability in token validation api that can result in Denial-of-Service.

5.0
2018-10-08 CVE-2018-1000803 Gitea Information Exposure vulnerability in Gitea

Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses.

5.0
2018-10-10 CVE-2018-12153 Intel Improper Input Validation vulnerability in Intel Graphics Driver

Denial of Service in Unified Shader Compiler in Intel Graphics Drivers before 10.18.x.5056 (aka 15.33.x.5056), 10.18.x.5057 (aka 15.36.x.5057) and 20.19.x.5058 (aka 15.40.x.5058) may allow an unprivileged user from a virtual machine guest to potentially crash the host system via local access.

4.9
2018-10-10 CVE-2018-13800 Siemens Cross-Site Request Forgery (CSRF) vulnerability in Siemens Simatic S7-1200 V4 Firmware

A vulnerability has been identified in SIMATIC S7-1200 CPU family version 4 (All versions < V4.2.3).

4.9
2018-10-09 CVE-2018-6977 Vmware Infinite Loop vulnerability in VMWare Esxi, Fusion and Workstation

VMware ESXi (6.7, 6.5, 6.0), Workstation (15.x and 14.x) and Fusion (11.x and 10.x) contain a denial-of-service vulnerability due to an infinite loop in a 3D-rendering shader.

4.9
2018-10-08 CVE-2018-17977 Linux Resource Exhaustion vulnerability in Linux Kernel 4.14.67

The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.

4.9
2018-10-11 CVE-2018-1724 IBM Incorrect Permission Assignment FOR Critical Resource vulnerability in IBM Spectrum LSF

IBM Spectrum LSF 9.1.1 9.1.2, 9.1.3, and 10.1 could allow a local user to change their job user at job submission time due to improper file permission settings.

4.6
2018-10-10 CVE-2018-12152 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel Graphics Driver

Pointer corruption in Unified Shader Compiler in Intel Graphics Drivers before 10.18.x.5056 (aka 15.33.x.5056), 10.18.x.5057 (aka 15.36.x.5057) and 20.19.x.5058 (aka 15.40.x.5058) may allow an unauthenticated remote user to potentially execute arbitrary WebGL code via local access.

4.6
2018-10-10 CVE-2018-12131 Intel Incorrect Permission Assignment for Critical Resource vulnerability in Intel products

Permissions in the driver pack installers for Intel NVMe before version 4.0.0.1007 and Intel RSTe before version 4.7.0.2083 may allow an authenticated user to potentially escalate privilege via local access.

4.6
2018-10-10 CVE-2018-8497 Microsoft Improper Resource Shutdown OR Release vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

4.6
2018-10-10 CVE-2018-8492 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

4.6
2018-10-09 CVE-2018-15543 Telegram Improper Authentication vulnerability in Telegram 4.8.11

** DISPUTED ** An issue was discovered in the org.telegram.messenger application 4.8.11 for Android.

4.6
2018-10-10 CVE-2018-17925 GE Unspecified vulnerability in GE Ifix

Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft.

4.4
2018-10-09 CVE-2018-15542 Telegram Improper Authentication vulnerability in Telegram 4.8.11

** DISPUTED ** An issue was discovered in the org.telegram.messenger application 4.8.11 for Android.

4.4
2018-10-14 CVE-2018-18291 Asus Cross-Site Scripting vulnerability in Asus Rt-Ac58U Firmware 3.0.0.4.380.6516

A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.380_6516 devices allows remote attackers to inject arbitrary web script or HTML via Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, disk.asp, disk_utility.asp, or internet.asp.

4.3
2018-10-12 CVE-2018-18282 Zeit Cross-Site Scripting vulnerability in Zeit Next.Js 7.0.0/7.0.1

Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page.

4.3
2018-10-12 CVE-2018-10141 Paloaltonetworks Cross-Site Scripting vulnerability in Paloaltonetworks Pan-Os

GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8.1.4 allows an unauthenticated attacker to inject arbitrary JavaScript or HTML.

4.3
2018-10-12 CVE-2018-16210 Wago Cross-Site Scripting vulnerability in Wago 750-881 Ethernet Controller Devices Firmware 01.08.01(10)/01.09.18(13)

WAGO 750-88X and WAGO 750-89X Ethernet Controller devices, versions 01.09.18(13) and before, have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi SNMP_DESC or SNMP_LOC_SNMP_CONT field.

4.3
2018-10-12 CVE-2018-18271 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.7

XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.

4.3
2018-10-12 CVE-2018-18270 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.7

XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parameter in an admin/moduleinterface.php "Content-->News-->Add Article" action.

4.3
2018-10-12 CVE-2018-15968 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15956 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15953 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15950 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15949 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15948 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15947 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15946 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15943 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15942 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15932 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15927 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15926 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15925 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15923 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-15922 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12881 Adobe
Apple
Microsoft
Integer Overflow OR Wraparound vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an integer overflow vulnerability.

4.3
2018-10-12 CVE-2018-12880 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12879 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12878 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12875 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12874 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12873 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12872 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12871 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12870 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12869 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12867 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12866 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12859 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12857 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12856 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12845 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12844 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12843 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12842 Adobe
Apple
Microsoft
Integer Overflow OR Wraparound vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an integer overflow vulnerability.

4.3
2018-10-12 CVE-2018-12839 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-12838 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have a stack overflow vulnerability.

4.3
2018-10-12 CVE-2018-12834 Adobe
Apple
Microsoft
Out-Of-Bounds Read vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability.

4.3
2018-10-12 CVE-2018-1673 IBM Cross-Site Scripting vulnerability in IBM Websphere Portal

IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting.

4.3
2018-10-10 CVE-2018-18062 Tecrail Cross-Site Scripting vulnerability in Tecrail Responsive Filemanager 9.8.1

An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1.

4.3
2018-10-10 CVE-2018-17784 Sugarcrm Cross-Site Scripting vulnerability in Sugarcrm

Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.

4.3
2018-10-10 CVE-2018-17337 Intelbras Cross-Site Scripting vulnerability in Intelbras Nplug Firmware 1.0.0.14

Intelbras NPLUG 1.0.0.14 devices have XSS via a crafted SSID that is received via a network broadcast.

4.3
2018-10-10 CVE-2018-16758 Tinc VPN
Debian
Missing Authentication FOR Critical Function vulnerability in multiple products

Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.

4.3
2018-10-10 CVE-2018-16738 Tinc VPN
Debian
Improper Authentication vulnerability in multiple products

tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation.

4.3
2018-10-10 CVE-2018-12161 Intel Information Exposure vulnerability in Intel Raid web Console 3.0

Insufficient session validation in the webserver component of the Intel Rapid Web Server 3 may allow an unauthenticated user to potentially disclose information via network access.

4.3
2018-10-10 CVE-2018-0060 Juniper Improper Input Validation vulnerability in Juniper Junos

An improper input validation weakness in the device control daemon process (dcd) of Juniper Networks Junos OS allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself.

4.3
2018-10-10 CVE-2018-0051 Juniper Improper Input Validation vulnerability in Juniper Junos

A Denial of Service vulnerability in the SIP application layer gateway (ALG) component of Junos OS based platforms allows an attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow daemon (flowd) process.

4.3
2018-10-10 CVE-2018-0050 Juniper Improper Input Validation vulnerability in Juniper Junos 14.1/14.1X53/14.2

An error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash.

4.3
2018-10-10 CVE-2018-0046 Juniper Cross-Site Scripting vulnerability in Juniper Junos Space 18.1R1

A reflected cross-site scripting vulnerability in OpenNMS included with Juniper Networks Junos Space may allow the stealing of sensitive information or session credentials from Junos Space administrators or perform administrative actions.

4.3
2018-10-10 CVE-2018-18210 Dilicms Cross-Site Scripting vulnerability in Dilicms 2.4.0

XSS exists in DiliCMS 2.4.0 via the admin/index.php/setting/site?tab=site_attachment attachment_url parameter.

4.3
2018-10-10 CVE-2018-18209 Dilicms Cross-Site Scripting vulnerability in Dilicms 2.4.0

XSS exists in DiliCMS 2.4.0 via the admin/index.php/setting/site?tab=site_attachment attachment_type parameter.

4.3
2018-10-10 CVE-2018-18208 Virtualmin Cross-Site Scripting vulnerability in Virtualmin 6.03

Virtualmin 6.03 allows XSS via the query string, as demonstrated by the webmin_search.cgi URI.

4.3
2018-10-10 CVE-2018-18207 Virtualmin Injection vulnerability in Virtualmin 6.03

Virtualmin 6.03 allows Frame Injection via the settings-editor_read.cgi file parameter.

4.3
2018-10-10 CVE-2018-8006 Apache Cross-Site Scripting vulnerability in Apache Activemq

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5.

4.3
2018-10-10 CVE-2018-15311 F5 Unspecified vulnerability in F5 products

When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.5.1-11.5.6 is processing specially crafted TCP traffic with the Large Receive Offload (LRO) feature enabled, TMM may crash, leading to a failover event.

4.3
2018-10-10 CVE-2018-8533 Microsoft XXE vulnerability in Microsoft SQL Server Management Studio 17.9/18.0

An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0.

4.3
2018-10-10 CVE-2018-8532 Microsoft XXE vulnerability in Microsoft SQL Server Management Studio 17.9/18.0

An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0.

4.3
2018-10-10 CVE-2018-8530 Microsoft Unspecified vulnerability in Microsoft Edge

A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.

4.3
2018-10-10 CVE-2018-8527 Microsoft XXE vulnerability in Microsoft SQL Server Management Studio 17.9/18.0

An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0.

4.3
2018-10-09 CVE-2018-18199 Redaxo Cross-Site Scripting vulnerability in Redaxo

Mediamanager in REDAXO before 5.6.4 has XSS.

4.3
2018-10-09 CVE-2018-18198 Redaxo Cross-Site Scripting vulnerability in Redaxo 5.6.3

The $opener_input_field variable in addons/mediapool/pages/index.php in REDAXO 5.6.3 is not effectively filtered and is output directly to the page.

4.3
2018-10-09 CVE-2018-17866 Ultimatemember Cross-Site Scripting vulnerability in Ultimatemember Ultimate Member

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.

4.3
2018-10-09 CVE-2018-18195 Linuxsampler Divide BY Zero vulnerability in Linuxsampler Libgig 4.1.0

An issue was discovered in libgig 4.1.0.

4.3
2018-10-09 CVE-2018-18192 Linuxsampler Null Pointer Dereference vulnerability in Linuxsampler Libgig 4.1.0

An issue was discovered in libgig 4.1.0.

4.3
2018-10-09 CVE-2018-18190 Gopro Divide BY Zero vulnerability in Gopro Gpmf-Parser

An issue was discovered in GoPro gpmf-parser before 1.2.1.

4.3
2018-10-09 CVE-2018-18088 Uclouvain
Debian
Null Pointer Dereference vulnerability in multiple products

OpenJPEG 2.3.0 has a NULL pointer dereference for "red" in the imagetopnm function of jp2/convert.c

4.3
2018-10-09 CVE-2018-18082 Bijiadao Cross-Site Scripting vulnerability in Bijiadao Waimai Super CMS 20150505

XSS exists in Waimai Super Cms 20150505 via the fname parameter to the admin.php?m=Food&a=addsave or admin.php?m=Food&a=editsave URI.

4.3
2018-10-09 CVE-2018-2474 SAP Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori 1.0

SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server.

4.3
2018-10-09 CVE-2018-2472 SAP Cross-Site Scripting vulnerability in SAP Businessobjects BI Platform 4.1/4.2

SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2018-10-09 CVE-2018-2470 SAP Cross-Site Scripting vulnerability in SAP Netweaver

In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2018-10-09 CVE-2018-12478 Opensuse Improper Input Validation vulnerability in Opensuse Open Build Service

A Improper Input Validation vulnerability in Open Build Service allows remote attackers to extract files from the system where the service runs.

4.3
2018-10-08 CVE-2018-18069 Wpml Cross-Site Scripting vulnerability in Wpml

process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.

4.3
2018-10-08 CVE-2018-18064 Cairographics Out-Of-Bounds Write vulnerability in Cairographics Cairo

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

4.3
2018-10-08 CVE-2018-17443 D Link Cross-Site Scripting vulnerability in D-Link Central Wifimanager

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1.

4.3
2018-10-08 CVE-2018-17441 D Link Cross-Site Scripting vulnerability in D-Link Central Wifimanager

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1.

4.3
2018-10-08 CVE-2018-5401 Auto Maskin
ARM
Cleartext Transmission of Sensitive Information vulnerability in Auto-Maskin products

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

4.3
2018-10-08 CVE-2018-1000808 Pyopenssl Project
Canonical
Redhat
Improper Resource Shutdown OR Release vulnerability in multiple products

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.

4.3
2018-10-08 CVE-2018-17889 WE CON XXE vulnerability in We-Con PI Studio and PI Studio HMI

In WECON Technology Co., Ltd.

4.3
2018-10-12 CVE-2018-1770 IBM Path Traversal vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system.

4.0
2018-10-12 CVE-2018-1838 IBM Information Exposure vulnerability in IBM Websphere Application Server 8.5.0.0/9.0.0.0

IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords.

4.0
2018-10-11 CVE-2018-1708 IBM Information Exposure vulnerability in IBM Platform Symphony and Specturm Symphony

IBM Spectrum Symphony 7.1.2 and 7.2.0.2 could allow an authenticated user to obtain sensitive user information such as passwords through the WebUI.

4.0
2018-10-10 CVE-2018-12541 Eclipse Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Eclipse Vert.X

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory.

4.0
2018-10-10 CVE-2018-8320 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists in DNS Global Blocklist feature, aka "Windows DNS Security Feature Bypass Vulnerability." This affects Windows Server 2012 R2, Windows Server 2008, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

4.0
2018-10-09 CVE-2018-17859 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.8.13.

4.0
2018-10-09 CVE-2018-17857 Joomla Incorrect Authorization vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.8.13.

4.0
2018-10-08 CVE-2018-18065 NET Snmp
Debian
Canonical
Netapp
Paloaltonetworks
Null Pointer Dereference vulnerability in multiple products

_set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

4.0
2018-10-08 CVE-2018-1753 IBM Information Exposure vulnerability in IBM Security KEY Lifecycle Manager

IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 generates an error message that includes sensitive information about its environment, users, or associated data.

4.0
2018-10-08 CVE-2018-1749 IBM Unspecified vulnerability in IBM Security KEY Lifecycle Manager

IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity.

4.0

31 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-09 CVE-2018-7928 Westerndigital Unspecified vulnerability in Westerndigital MY Cloud

There is a security vulnerability which could lead to Factory Reset Protection (FRP) bypass in the MyCloud APP with the versions before 8.1.2.303 installed on some Huawei smart phones.

3.6
2018-10-14 CVE-2018-18290 Nconsulting Cross-Site Scripting vulnerability in Nconsulting Nc-Cms

** DISPUTED ** An issue was discovered in nc-cms through 2017-03-10.

3.5
2018-10-12 CVE-2018-14664 Theforeman Cross-Site Scripting vulnerability in Theforeman Foreman 1.18.0

A flaw was found in foreman from versions 1.18.

3.5
2018-10-12 CVE-2018-1534 IBM Cross-Site Scripting vulnerability in IBM Rational Publishing Engine 6.0.5/6.0.6

IBM Rational Publishing Engine 6.0.5 and 6.0.6 is vulnerable to cross-site scripting.

3.5
2018-10-12 CVE-2018-1533 IBM Cross-Site Scripting vulnerability in IBM Rational Publishing Engine 6.0.5/6.0.6

IBM Rational Publishing Engine 6.0.5 and 6.0.6 is vulnerable to cross-site scripting.

3.5
2018-10-11 CVE-2018-1706 IBM Cross-Site Scripting vulnerability in IBM Spectrum Symphony 7.2.0.2

IBM Spectrum Symphony 7.2.0.2 is vulnerable to cross-site scripting.

3.5
2018-10-10 CVE-2018-0059 Juniper Cross-Site Scripting vulnerability in Juniper Netscreen Screenos

A persistent cross-site scripting vulnerability in the graphical user interface of ScreenOS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device.

3.5
2018-10-10 CVE-2018-0047 Juniper Cross-Site Scripting vulnerability in Juniper Junos Space

A persistent cross-site scripting vulnerability in the UI framework used by Junos Space Security Director may allow authenticated users to inject persistent and malicious scripts.

3.5
2018-10-10 CVE-2018-8518 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2013/2016

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint.

3.5
2018-10-10 CVE-2018-8498 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2013/2016

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint.

3.5
2018-10-10 CVE-2018-8488 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2013/2016

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint.

3.5
2018-10-10 CVE-2018-8480 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2016

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint.

3.5
2018-10-09 CVE-2018-18087 Bixie Cross-Site Scripting vulnerability in Bixie Portfolio 1.2.0

The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user who has the "Manage portfolio" privilege can inject arbitrary web script or HTML via the Image URL field in the portfolio editor.

3.5
2018-10-09 CVE-2018-18029 Naviwebs Cross-Site Scripting vulnerability in Naviwebs Navigate CMS

Navigate CMS has Stored XSS via the navigate.php Title field in an edit action.

3.5
2018-10-09 CVE-2018-2466 SAP Cross-Site Scripting vulnerability in SAP Data Services 4.2

In Impact and Lineage Analysis in SAP Data Services, version 4.2, the management console does not sufficiently validate user-controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability.

3.5
2018-10-08 CVE-2018-15903 Claromentis Cross-Site Scripting vulnerability in Claromentis 8.2.2

The Discuss v1.2.1 module in Claromentis 8.2.2 is vulnerable to stored Cross Site Scripting (XSS).

3.5
2018-10-10 CVE-2018-0063 Juniper Resource Exhaustion vulnerability in Juniper Junos 17.3R3

A vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the private Internal routing interfaces (IRIs) next-hop limit.

3.3
2018-10-10 CVE-2018-0054 Juniper Resource Exhaustion vulnerability in Juniper Junos

On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause frames or an ARP packet storm received on the management interface (fxp0) can cause egress interface congestion, resulting in routing protocol packet drops, such as BGP, leading to peering flaps.

3.3
2018-10-10 CVE-2018-0056 Juniper Improper Input Validation vulnerability in Juniper Junos

If a duplicate MAC address is learned by two different interfaces on an MX Series device, the MAC address learning function correctly flaps between the interfaces.

2.9
2018-10-10 CVE-2018-0055 Juniper Improper Input Validation vulnerability in Juniper Junos

Receipt of a specially crafted DHCPv6 message destined to a Junos OS device configured as a DHCP server in a Broadband Edge (BBE) environment may result in a jdhcpd daemon crash.

2.9
2018-10-10 CVE-2018-8482 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when Windows Media Player improperly discloses file information, aka "Windows Media Player Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.6
2018-10-10 CVE-2018-8481 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when Windows Media Player improperly discloses file information, aka "Windows Media Player Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.6
2018-10-12 CVE-2017-1231 IBM Insufficiently Protected Credentials vulnerability in IBM Bigfix Platform

IBM BigFix Platform 9.5 - 9.5.9 stores user credentials in plain in clear text which can be read by a local user.

2.1
2018-10-10 CVE-2018-12193 Intel Unspecified vulnerability in Intel Quickassist Technology

Insufficient access control in driver stack for Intel QuickAssist Technology for Linux before version 4.2 may allow an unprivileged user to potentially disclose information via local access.

2.1
2018-10-10 CVE-2018-12172 Intel Unspecified vulnerability in Intel products

Improper password hashing in firmware in Intel Server Board (S7200AP,S7200APR) and Intel Compute Module (HNS7200AP, HNS7200AP) may allow a privileged user to potentially disclose firmware passwords via local access.

2.1
2018-10-10 CVE-2018-8486 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when DirectX improperly handles objects in memory, aka "DirectX Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2018-10-10 CVE-2018-8472 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2018-10-10 CVE-2018-8427 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory, aka "Microsoft Graphics Components Information Disclosure Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Office 365 ProPlus, Windows Server 2008, Microsoft PowerPoint Viewer, Microsoft Excel Viewer.

2.1
2018-10-10 CVE-2018-8330 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2018-10-08 CVE-2018-14656 Linux Improper Input Validation vulnerability in Linux Kernel

A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log.

2.1
2018-10-10 CVE-2018-8506 Microsoft Unspecified vulnerability in Microsoft products

An Information Disclosure vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory, aka "Microsoft Windows Codecs Library Information Disclosure Vulnerability." This affects Windows 10 Servers, Windows 10, Windows Server 2019.

1.9