Weekly Vulnerabilities Reports > October 15 to 21, 2018

Overview

427 new vulnerabilities reported during this period, including 18 critical vulnerabilities and 61 high severity vulnerabilities. This weekly summary report vulnerabilities in 313 products from 107 vendors including Oracle, Canonical, Debian, Redhat, and Mozilla. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Information Exposure", "Cross-Site Request Forgery (CSRF)", and "Out-of-bounds Write".

  • 363 reported vulnerabilities are remotely exploitables.
  • 18 reported vulnerabilities have public exploit available.
  • 94 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 337 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 190 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

18 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-19 CVE-2018-12670 Sv3C OS Command Injection vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices allow OS Command Injection.

10.0
2018-10-19 CVE-2018-12668 Sv3C Use of Hard-coded Credentials vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices have a Hard-coded Password.

10.0
2018-10-19 CVE-2018-18395 Moxa Unspecified vulnerability in Moxa Thingspro 2.1

Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

10.0
2018-10-18 CVE-2018-1822 IBM Improper Authentication vulnerability in IBM Flashsystem 840 Firmware and Flashsystem 900 Firmware

IBM FlashSystem 900 product GUI allows a specially crafted attack to bypass the authentication requirements of the system, resulting in the ability to remotely change the superuser password.

10.0
2018-10-17 CVE-2018-12823 Adobe Out-of-bounds Write vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have a heap overflow vulnerability.

10.0
2018-10-17 CVE-2018-12822 Adobe Use After Free vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have an use after free vulnerability.

10.0
2018-10-17 CVE-2018-12814 Adobe Out-of-bounds Write vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have a heap overflow vulnerability.

10.0
2018-10-17 CVE-2018-12813 Adobe Out-of-bounds Write vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have a heap overflow vulnerability.

10.0
2018-10-17 CVE-2018-7076 HP Improper Authentication vulnerability in HP Intelligent Management Center

A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) prior to iMC PLAT 7.3 E0605P04.

10.0
2018-10-15 CVE-2018-17532 Teltonika OS Command Injection vulnerability in Teltonika Rut900 Firmware, Rut950 Firmware and Rut955 Firmware

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization.

10.0
2018-10-17 CVE-2018-10824 Dlink Insufficiently Protected Credentials vulnerability in Dlink products

An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices.

9.8
2018-10-17 CVE-2018-18408 Broadcom
Fedoraproject
Use After Free vulnerability in multiple products

A use-after-free was discovered in the tcpbridge binary of Tcpreplay 4.3.0 beta1.

9.8
2018-10-15 CVE-2018-18322 Control Webpanel OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.480

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.

9.8
2018-10-15 CVE-2018-18320 Asuswrt Merlin Project Unspecified vulnerability in Asuswrt-Merlin Project products

An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices.

9.8
2018-10-15 CVE-2018-18319 Asuswrt Merlin Project Code Injection vulnerability in Asuswrt-Merlin Project products

An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices.

9.8
2018-10-18 CVE-2018-12368 Mozilla
Microsoft
Unspecified vulnerability in Mozilla Firefox and Firefox ESR

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable.

9.3
2018-10-17 CVE-2018-18426 S CMS Code Injection vulnerability in S-Cms 3.0

s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter.

9.0
2018-10-16 CVE-2018-14772 Pydio OS Command Injection vulnerability in Pydio

Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.

9.0

61 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-17 CVE-2018-18444 ILM Out-of-bounds Write vulnerability in ILM Openexr 2.3.0

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possibly unspecified other impact.

8.8
2018-10-17 CVE-2018-10823 Dlink OS Command Injection vulnerability in Dlink products

An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices.

8.8
2018-10-17 CVE-2018-3275 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: LibKMIP).

8.8
2018-10-17 CVE-2018-3273 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Remote Administration Daemon (RAD)).

8.8
2018-10-19 CVE-2018-18284 Artifex
Debian
Canonical
Redhat
Pulsesecure
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator.
8.6
2018-10-15 CVE-2018-17961 Artifex
Debian
Canonical
Redhat
Information Exposure Through an Error Message vulnerability in multiple products

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup.

8.6
2018-10-17 CVE-2018-0417 Cisco Unspecified vulnerability in Cisco Wireless LAN Controller Software

A vulnerability in TACACS authentication with Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to perform certain operations within the GUI that are not normally available to that user on the CLI.

7.8
2018-10-17 CVE-2018-0378 Cisco Improper Input Validation vulnerability in Cisco Nx-Os 7.3(2)N1(0.8)

A vulnerability in the Precision Time Protocol (PTP) feature of Cisco Nexus 5500, 5600, and 6000 Series Switches running Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.8
2018-10-17 CVE-2018-18445 Linux
Canonical
Redhat
Out-of-bounds Read vulnerability in multiple products

In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.

7.8
2018-10-16 CVE-2018-11025 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/mfd/twl6030-gpadc.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/twl6030-gpadc with the command 24832 and cause a kernel crash.

7.8
2018-10-16 CVE-2018-11024 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 1077435789 and cause a kernel crash.

7.8
2018-10-16 CVE-2018-11023 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3222560159 and cause a kernel crash.

7.8
2018-10-16 CVE-2018-11022 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3224132973 and cause a kernel crash.

7.8
2018-10-16 CVE-2018-11021 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/video/omap2/dsscomp/device.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/dsscomp with the command 1118064517 and cause a kernel crash.

7.8
2018-10-16 CVE-2018-11019 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3221773726 and cause a kernel crash.

7.8
2018-10-15 CVE-2018-18318 Qiku NULL Pointer Dereference vulnerability in Qiku 360 Mobile Phone N6 PRO Firmware V096

The /dev/block/mmcblk0rpmb driver kernel module on Qiku 360 Phone N6 Pro 1801-A01 devices allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted 0xc0d8b300 ioctl call.

7.8
2018-10-21 CVE-2018-18546 Thinkphp SQL Injection vulnerability in Thinkphp 3.2.4

ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.

7.5
2018-10-19 CVE-2018-12667 Sv3C Improper Authentication vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) is affected by an improper authentication vulnerability that allows requests to be made to back-end CGI scripts without a valid session.

7.5
2018-10-19 CVE-2018-12666 Sv3C Improper Authentication vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B devices improperly identifies users only by the authentication level sent in the cookies, which allow remote attackers to bypass authentication and gain administrator access by setting the authLevel cookie to 255.

7.5
2018-10-19 CVE-2018-18530 Thinkphp SQL Injection vulnerability in Thinkphp 5.1.25

ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable.

7.5
2018-10-19 CVE-2018-18529 Thinkphp SQL Injection vulnerability in Thinkphp 3.2.4

ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable.

7.5
2018-10-19 CVE-2018-18527 Owndms SQL Injection vulnerability in Owndms Ownticket 1.0

OwnTicket 2018-05-23 allows SQL Injection via the showTicketId or editTicketStatusId parameter.

7.5
2018-10-19 CVE-2018-18396 Moxa Unspecified vulnerability in Moxa Thingspro 2.1

Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

7.5
2018-10-19 CVE-2018-4013 Live555
Debian
Out-of-bounds Write vulnerability in multiple products

An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92.

7.5
2018-10-18 CVE-2018-15756 Vmware
Oracle
Debian
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource.
7.5
2018-10-18 CVE-2018-18488 Gxlcms SQL Injection vulnerability in Gxlcms 2.0

In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection exists via the ids[] parameter.

7.5
2018-10-18 CVE-2018-18486 Phpshe SQL Injection vulnerability in PHPshe 1.7

An issue was discovered in PHPSHE 1.7.

7.5
2018-10-18 CVE-2018-14807 Opto22 Out-of-bounds Write vulnerability in Opto22 PAC Control

A stack-based buffer overflow vulnerability in Opto 22 PAC Control Basic and PAC Control Professional versions R10.0a and prior may allow remote code execution.

7.5
2018-10-18 CVE-2015-4633 Koha SQL Injection vulnerability in Koha

Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.

7.5
2018-10-18 CVE-2018-5188 Debian
Canonical
Mozilla
Redhat
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8.

7.5
2018-10-18 CVE-2018-5187 Debian
Canonical
Mozilla
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Memory safety bugs present in Firefox 60 and Firefox ESR 60.

7.5
2018-10-18 CVE-2018-5186 Mozilla
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Memory safety bugs present in Firefox 60.

7.5
2018-10-18 CVE-2018-5156 Redhat
Debian
Canonical
Mozilla
Improper Input Validation vulnerability in multiple products

A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring.

7.5
2018-10-18 CVE-2018-12378 Redhat
Debian
Canonical
Mozilla
Use After Free vulnerability in multiple products

A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored.

7.5
2018-10-18 CVE-2018-12377 Redhat
Debian
Canonical
Mozilla
Use After Free vulnerability in multiple products

A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use.

7.5
2018-10-18 CVE-2018-12376 Redhat
Debian
Canonical
Mozilla
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Memory safety bugs present in Firefox 61 and Firefox ESR 60.1.

7.5
2018-10-18 CVE-2018-12369 Mozilla
Canonical
Incorrect Authorization vulnerability in Mozilla Firefox and Firefox ESR

WebExtensions bundled with embedded experiments were not correctly checked for proper authorization.

7.5
2018-10-18 CVE-2018-18461 Kibokolabs Code Injection vulnerability in Kibokolabs Arigato Autoresponder and Newsletter 2.5.1.7

The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php.

7.5
2018-10-17 CVE-2018-18450 Pbootcms SQL Injection vulnerability in Pbootcms

apps\admin\controller\content\SingleController.php in PbootCMS before V1.3.0 build 2018-11-12 has SQL Injection, as demonstrated by the POST data to the admin.php/Single/mod/mcode/1/id/3 URI.

7.5
2018-10-17 CVE-2018-15616 Avaya Deserialization of Untrusted Data vulnerability in Avaya Aura System Platform

A vulnerability in the Web UI component of Avaya Aura System Platform could allow a remote, unauthenticated user to perform a targeted deserialization attack that could result in remote code execution.

7.5
2018-10-17 CVE-2018-10822 Dlink Path Traversal vulnerability in Dlink products

Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /..

7.5
2018-10-17 CVE-2018-18427 S CMS SQL Injection vulnerability in S-Cms 3.0

s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter or the POST data to member/member_login.php.

7.5
2018-10-17 CVE-2018-17897 Lcds Integer Overflow or Wraparound vulnerability in Lcds Laquis Scada 4.1.0.3870

LAquis SCADA Versions 4.1.0.3870 and prior has several integer overflow to buffer overflow vulnerabilities, which may allow remote code execution.

7.5
2018-10-17 CVE-2018-17895 Lcds Out-of-bounds Read vulnerability in Lcds Laquis Scada 4.1.0.3870

LAquis SCADA Versions 4.1.0.3870 and prior has several out-of-bounds read vulnerabilities, which may allow remote code execution.

7.5
2018-10-17 CVE-2018-17893 Lcds NULL Pointer Dereference vulnerability in Lcds Laquis Scada 4.1.0.3870

LAquis SCADA Versions 4.1.0.3870 and prior has an untrusted pointer dereference vulnerability, which may allow remote code execution.

7.5
2018-10-17 CVE-2018-3259 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Java VM component of Oracle Database Server.

7.5
2018-10-17 CVE-2018-3252 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2018-10-17 CVE-2018-3245 Oracle Deserialization of Untrusted Data vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2018-10-17 CVE-2018-3201 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2018-10-17 CVE-2018-3197 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.1.3.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2018-10-17 CVE-2018-3191 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2018-10-17 CVE-2018-2913 Oracle Out-of-bounds Write vulnerability in Oracle Goldengate 12.1.2.1.0/12.2.0.2.0/12.3.0.1.0

Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate (subcomponent: Monitoring Manager).

7.5
2018-10-16 CVE-2018-18389 Neo4J Improper Authentication vulnerability in Neo4J

Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker to log into the server by sending any valid username with an arbitrary password.

7.5
2018-10-15 CVE-2018-15540 Agentejo Path Traversal vulnerability in Agentejo Cockpit

Agentejo Cockpit performs actions on files without appropriate validation and therefore allows an attacker to traverse the file system to unintended locations and/or access arbitrary files, aka /media/api Directory Traversal.

7.5
2018-10-15 CVE-2018-18323 Control Webpanel Path Traversal vulnerability in Control-Webpanel Webpanel 0.9.8.480

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.

7.5
2018-10-17 CVE-2017-17176 Huawei Out-of-bounds Write vulnerability in Huawei Mate 9 Firmware and Mate 9 PRO Firmware

The hardware security module of Mate 9 and Mate 9 Pro Huawei smart phones with the versions earlier before MHA-AL00BC00B156, versions earlier before MHA-CL00BC00B156, versions earlier before MHA-DL00BC00B156, versions earlier before MHA-TL00BC00B156, versions earlier before LON-AL00BC00B156, versions earlier before LON-CL00BC00B156, versions earlier before LON-DL00BC00B156, versions earlier before LON-TL00BC00B156 has a arbitrary memory read/write vulnerability due to the input parameters validation.

7.2
2018-10-17 CVE-2018-3955 Linksys OS Command Injection vulnerability in Linksys E1200 Firmware and E2500 Firmware

An exploitable operating system command injection exists in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04).

7.2
2018-10-17 CVE-2018-3954 Linksys OS Command Injection vulnerability in Linksys E1200 Firmware and E2500 Firmware

Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAMData entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter.

7.2
2018-10-17 CVE-2018-3953 Linksys OS Command Injection vulnerability in Linksys E1200 Firmware and E2500 Firmware

Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAM.

7.2
2018-10-16 CVE-2018-6974 Vmware Out-of-bounds Read vulnerability in VMWare Esxi, Fusion and Workstation

VMware ESXi (6.7 before ESXi670-201810101-SG, 6.5 before ESXi650-201808401-BG, and 6.0 before ESXi600-201808401-BG), Workstation (14.x before 14.1.3) and Fusion (10.x before 10.1.3) contain an out-of-bounds read vulnerability in SVGA device.

7.2
2018-10-15 CVE-2018-17534 Teltonika Improper Authentication vulnerability in Teltonika Rut900 Firmware, Rut950 Firmware and Rut955 Firmware

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control.

7.2

309 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-19 CVE-2017-18348 Splunk Incorrect Permission Assignment for Critical Resource vulnerability in Splunk

Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access.

6.9
2018-10-19 CVE-2018-18420 Tribalsystems Cross-Site Request Forgery (CSRF) vulnerability in Tribalsystems Zenario 8.3

Cross-Site Request Forgery (CSRF) vulnerability was discovered in the 8.3 version of Zenario Content Management System via the admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent URI.

6.8
2018-10-18 CVE-2018-15758 Pivotal Software Unspecified vulnerability in Pivotal Software Spring Security Oauth

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions.

6.8
2018-10-18 CVE-2018-18483 GNU Integer Overflow or Wraparound vulnerability in GNU Binutils 2.31

The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.

6.8
2018-10-18 CVE-2018-12375 Mozilla
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Memory safety bugs present in Firefox 61.

6.8
2018-10-18 CVE-2018-12370 Canonical
Mozilla
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

In Reader View SameSite cookie protections are not checked on exiting.

6.8
2018-10-18 CVE-2018-12364 Redhat
Debian
Canonical
Mozilla
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site.

6.8
2018-10-18 CVE-2018-12363 Redhat
Debian
Canonical
Mozilla
Use After Free vulnerability in multiple products

A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it.

6.8
2018-10-18 CVE-2018-12362 Redhat
Debian
Canonical
Mozilla
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash.

6.8
2018-10-18 CVE-2018-12361 Mozilla
Debian
Canonical
Integer Overflow or Wraparound vulnerability in Mozilla Firefox and Firefox ESR

An integer overflow can occur in the SwizzleData code while calculating buffer sizes.

6.8
2018-10-18 CVE-2018-12360 Redhat
Debian
Canonical
Mozilla
Use After Free vulnerability in multiple products

A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element.

6.8
2018-10-18 CVE-2018-12359 Redhat
Debian
Canonical
Mozilla
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the canvas element dynamically, causing data to be written outside of the currently computed boundaries.

6.8
2018-10-18 CVE-2016-9069 Mozilla Use After Free vulnerability in Mozilla Firefox

A use-after-free in nsINode::ReplaceOrInsertBefore during DOM operations resulting in potentially exploitable crashes.

6.8
2018-10-17 CVE-2018-15402 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Enterprise Network Virtualization Software Nfvis8.0/Nfvis9.0

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

6.8
2018-10-17 CVE-2018-0456 Cisco Improper Input Validation vulnerability in Cisco Nx-Os 9.2(0.43)

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application of an affected device to restart unexpectedly.

6.8
2018-10-17 CVE-2018-15976 Adobe Uncontrolled Search Path Element vulnerability in Adobe Technical Communications Suite 1.0.5.1

Adobe Technical Communications Suite versions 1.0.5.1 and below have an insecure library loading (dll hijacking) vulnerability.

6.8
2018-10-17 CVE-2018-15974 Adobe Untrusted Search Path vulnerability in Adobe Framemaker

Adobe Framemaker versions 1.0.5.1 and below have an insecure library loading (dll hijacking) vulnerability.

6.8
2018-10-17 CVE-2018-18436 Jtbc Cross-Site Request Forgery (CSRF) vulnerability in Jtbc PHP 3.0.0.0

JTBC(PHP) 3.0 allows CSRF for creating an account via the console/account/manage.php?type=action&action=add URI.

6.8
2018-10-17 CVE-2018-18432 Destoon Cross-Site Request Forgery (CSRF) vulnerability in Destoon B2B 7.0

An issue was discovered in DESTOON B2B 7.0.

6.8
2018-10-17 CVE-2018-18422 Usualtool Cross-Site Request Forgery (CSRF) vulnerability in Usualtool Usualtoolcms 8.0

UsualToolCMS 8.0 allows CSRF for adding a user account via the cmsadmin/a_adminx.php?x=a URI.

6.8
2018-10-17 CVE-2018-17911 Lcds Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lcds Laquis Scada 4.1.0.3870

LAquis SCADA Versions 4.1.0.3870 and prior has several stack-based buffer overflow vulnerabilities, which may allow remote code execution.

6.8
2018-10-17 CVE-2018-17901 Lcds Out-of-bounds Write vulnerability in Lcds Laquis Scada 4.1.0.3870

LAquis SCADA Versions 4.1.0.3870 and prior, when processing project files the application fails to sanitize user input prior to performing write operations on a stack object, which may allow an attacker to execute code under the current process.

6.8
2018-10-17 CVE-2018-17899 Lcds Path Traversal vulnerability in Lcds Laquis Scada 4.1.0.3870

LAquis SCADA Versions 4.1.0.3870 and prior has a path traversal vulnerability, which may allow remote code execution.

6.8
2018-10-17 CVE-2018-3263 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Sudo).

6.8
2018-10-17 CVE-2018-3183 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting).
6.8
2018-10-17 CVE-2018-3180 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE).
6.8
2018-10-17 CVE-2018-2911 Oracle Unspecified vulnerability in Oracle Glassfish Server 3.1.2

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Java Server Faces).

6.8
2018-10-15 CVE-2018-17980 Nomachine Untrusted Search Path vulnerability in Nomachine

NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is executed.

6.8
2018-10-15 CVE-2018-15539 Agentejo Cross-Site Request Forgery (CSRF) vulnerability in Agentejo Cockpit

Agentejo Cockpit lacks an anti-CSRF protection mechanism.

6.8
2018-10-15 CVE-2018-18317 Dscms Project Cross-Site Request Forgery (CSRF) vulnerability in Dscms Project Dscms 1.1

DESHANG DSCMS 1.1 has CSRF via the public/index.php/admin/admin/add.html URI.

6.8
2018-10-15 CVE-2018-18316 Emlog Cross-Site Request Forgery (CSRF) vulnerability in Emlog 6.0.0

emlog v6.0.0 has CSRF via the admin/user.php?action=new URI.

6.8
2018-10-21 CVE-2018-18550 Serverscheck SQL Injection vulnerability in Serverscheck

ServersCheck Monitoring Software before 14.3.4 allows SQL Injection by an authenticated user.

6.5
2018-10-19 CVE-2018-12669 Sv3C Unspecified vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices allow remote authenticated users to reset arbitrary accounts via a request to web/cgi-bin/hi3510/param.cgi.

6.5
2018-10-19 CVE-2018-18392 Moxa Unspecified vulnerability in Moxa Thingspro 2.1

Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

6.5
2018-10-19 CVE-2018-18391 Moxa Unspecified vulnerability in Moxa Thingspro 2.1

User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

6.5
2018-10-17 CVE-2018-0420 Cisco Path Traversal vulnerability in Cisco Wireless LAN Controller Software 8.2(151.0)

A vulnerability in the web-based interface of Cisco Wireless LAN Controller Software could allow an authenticated, remote attacker to view sensitive information.

6.5
2018-10-17 CVE-2018-16232 Ipfire OS Command Injection vulnerability in Ipfire

An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi.

6.5
2018-10-17 CVE-2018-3258 Oracle Unspecified vulnerability in Oracle Connector/J 5.1.40

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J).

6.5
2018-10-17 CVE-2018-3203 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
6.5
2018-10-17 CVE-2018-3192 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Query).

6.5
2018-10-17 CVE-2018-3182 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML).
6.5
2018-10-17 CVE-2018-3165 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: SQR).

6.5
2018-10-17 CVE-2018-3145 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser).
6.5
2018-10-17 CVE-2018-3137 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
6.5
2018-10-16 CVE-2018-10839 Qemu
Canonical
Debian
Stack-based Buffer Overflow vulnerability in multiple products

Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue.

6.5
2018-10-16 CVE-2018-18382 Coderpixel Unrestricted Upload of File with Dangerous Type vulnerability in Coderpixel Advanced HRM 1.6

Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.

6.5
2018-10-18 CVE-2018-18485 Phpshe Path Traversal vulnerability in PHPshe 1.7

An issue was discovered in PHPSHE 1.7.

6.4
2018-10-18 CVE-2018-12387 Redhat
Debian
Canonical
Mozilla
Improper Input Validation vulnerability in multiple products

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout.

6.4
2018-10-17 CVE-2018-10933 Libssh
Canonical
Debian
Redhat
Netapp
Oracle
Improper Authentication vulnerability in multiple products

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4.

6.4
2018-10-17 CVE-2018-3179 Oracle Unspecified vulnerability in Oracle Identity Manager 11.1.2.3.0/12.2.1.3.0

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Advanced Console).

6.4
2018-10-17 CVE-2018-3163 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Fleet Management 9.0

Vulnerability in the Oracle Hospitality Cruise Fleet Management component of Oracle Hospitality Applications (subcomponent: Emergency Response System).

6.4
2018-10-17 CVE-2018-2887 Oracle Unspecified vulnerability in Oracle Micros Retail-J 12.1.2/13.0.0

Vulnerability in the MICROS Retail-J component of Oracle Retail Applications (subcomponent: Back Office).

6.4
2018-10-17 CVE-2018-3274 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel).

6.3
2018-10-15 CVE-2018-18073 Artifex
Debian
Canonical
Redhat
Information Exposure vulnerability in multiple products

Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object.

6.3
2018-10-18 CVE-2018-18460 3CX Cross-site Scripting vulnerability in 3CX Live Chat 8.0.15

XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request.

6.1
2018-10-17 CVE-2018-0441 Cisco Resource Exhaustion vulnerability in Cisco Access Points

A vulnerability in the 802.11r Fast Transition feature set of Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

6.1
2018-10-16 CVE-2018-18307 Alchemy CMS Cross-site Scripting vulnerability in Alchemy-Cms Alchemy CMS 4.1.0

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field.

6.1
2018-10-15 CVE-2018-18260 Tuzitio Cross-site Scripting vulnerability in Tuzitio Camaleon CMS 2.4.0

In the 2.4 version of Camaleon CMS, Stored XSS has been discovered.

6.1
2018-10-15 CVE-2018-18324 Control Webpanel Cross-site Scripting vulnerability in Control-Webpanel Webpanel 0.9.8.480

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter.

6.1
2018-10-18 CVE-2015-4630 Koha Cross-Site Request Forgery (CSRF) vulnerability in Koha

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.

6.0
2018-10-17 CVE-2018-3294 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

6.0
2018-10-17 CVE-2018-3253 Oracle Unspecified vulnerability in Oracle Virtual Directory 11.1.1.7.0/11.1.1.9.0

Vulnerability in the Oracle Virtual Directory component of Oracle Fusion Middleware (subcomponent: Virtual Directory Manager).

6.0
2018-10-17 CVE-2018-3126 Oracle Unspecified vulnerability in Oracle Retail Xstore Point of Service 15.0.2/16.0.4/17.0.2

Vulnerability in the Oracle Retail Xstore Point of Service component of Oracle Retail Applications (subcomponent: Xenvironment).

6.0
2018-10-17 CVE-2018-3115 Oracle Unspecified vulnerability in Oracle Retail Sales Audit 15.0/16.0

Vulnerability in the Oracle Retail Sales Audit component of Oracle Retail Applications (subcomponent: Operational Insights).

6.0
2018-10-19 CVE-2018-18224 Opendesign
Oracle
Out-of-bounds Read vulnerability in multiple products

A vulnerability exists in the file reading procedure in Open Design Alliance Drawings SDK 2019Update1 on non-Windows platforms in which attackers could perform read operations past the end, or before the beginning, of the intended buffer.

5.8
2018-10-19 CVE-2018-18223 Opendesign
Oracle
Open Design Alliance Drawings SDK 2019Update1 has a vulnerability during the reading of malformed files, allowing attackers to obtain sensitive information from process memory or cause a crash.
5.8
2018-10-19 CVE-2018-12675 Sv3C Open Redirect vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to.

5.8
2018-10-19 CVE-2018-18380 Bigtreecms Session Fixation vulnerability in Bigtreecms Bigtree CMS

A Session Fixation issue was discovered in Bigtree before 4.2.24.

5.8
2018-10-18 CVE-2018-12386 Redhat
Debian
Canonical
Mozilla
Incorrect Type Conversion or Cast vulnerability in multiple products

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write.

5.8
2018-10-17 CVE-2018-15493 Vbulletin Open Redirect vulnerability in Vbulletin 5.4.3

vBulletin 5.4.3 has an Open Redirect.

5.8
2018-10-17 CVE-2018-3302 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3301 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: PIA Core Technology).

5.8
2018-10-17 CVE-2018-3299 Oracle Unspecified vulnerability in Oracle Text 11.2.0.4/12.1.0.2/12.2.0.1

Vulnerability in the Oracle Text component of Oracle Database Server.

5.8
2018-10-17 CVE-2018-3281 Oracle Unspecified vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access).

5.8
2018-10-17 CVE-2018-3257 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: PIA Core Technology).

5.8
2018-10-17 CVE-2018-3255 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Fluid Core).

5.8
2018-10-17 CVE-2018-3250 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

5.8
2018-10-17 CVE-2018-3243 Oracle Unspecified vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: None).

5.8
2018-10-17 CVE-2018-3242 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: Marketing Administration).

5.8
2018-10-17 CVE-2018-3241 Oracle Unspecified vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access).

5.8
2018-10-17 CVE-2018-3235 Oracle Unspecified vulnerability in Oracle Applications Manager

Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: None).

5.8
2018-10-17 CVE-2018-3234 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3233 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3232 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3231 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3230 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3229 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3228 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3227 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3226 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3225 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3224 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3223 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3222 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3221 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3220 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3219 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3218 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3217 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

5.8
2018-10-17 CVE-2018-3215 Oracle Unspecified vulnerability in Oracle Endeca Information Discovery Integrator 3.1.0/3.2.0

Vulnerability in the Oracle Endeca Information Discovery Integrator component of Oracle Fusion Middleware (subcomponent: Integrator ETL).

5.8
2018-10-17 CVE-2018-3207 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal).

5.8
2018-10-17 CVE-2018-3206 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal).

5.8
2018-10-17 CVE-2018-3205 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Workflow).

5.8
2018-10-17 CVE-2018-3204 Oracle Unspecified vulnerability in Oracle Business Intelligence 12.2.1.3.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Analytics Server).

5.8
2018-10-17 CVE-2018-3196 Oracle Unspecified vulnerability in Oracle Partner Management

Vulnerability in the Oracle Partner Management component of Oracle E-Business Suite (subcomponent: Partner Dashboard).

5.8
2018-10-17 CVE-2018-3194 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Activity Guide).

5.8
2018-10-17 CVE-2018-3193 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Activity Guide).

5.8
2018-10-17 CVE-2018-3190 Oracle Unspecified vulnerability in Oracle E-Business Intelligence 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle E-Business Intelligence component of Oracle E-Business Suite (subcomponent: Overview Page/Report Rendering).

5.8
2018-10-17 CVE-2018-3189 Oracle Unspecified vulnerability in Oracle Customer Interaction History 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Outcome-Result).

5.8
2018-10-17 CVE-2018-3188 Oracle Unspecified vulnerability in Oracle Istore

Vulnerability in the Oracle iStore component of Oracle E-Business Suite (subcomponent: Web interface).

5.8
2018-10-17 CVE-2018-3178 Oracle Unspecified vulnerability in Oracle Hyperion Common Events 11.1.2.4

Vulnerability in the Hyperion Common Events component of Oracle Hyperion (subcomponent: User Interface).

5.8
2018-10-17 CVE-2018-3177 Oracle Unspecified vulnerability in Oracle Hyperion Common Events 11.1.2.4

Vulnerability in the Hyperion Common Events component of Oracle Hyperion (subcomponent: User Interface).

5.8
2018-10-17 CVE-2018-3176 Oracle Unspecified vulnerability in Oracle Hyperion Common Events 11.1.2.4

Vulnerability in the Hyperion Common Events component of Oracle Hyperion (subcomponent: User Interface).

5.8
2018-10-17 CVE-2018-3175 Oracle Unspecified vulnerability in Oracle Hyperion Common Events 11.1.2.4

Vulnerability in the Hyperion Common Events component of Oracle Hyperion (subcomponent: User Interface).

5.8
2018-10-17 CVE-2018-3164 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Elastic Search).

5.8
2018-10-17 CVE-2018-3154 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal).

5.8
2018-10-17 CVE-2018-3153 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: PIA Core Technology).

5.8
2018-10-17 CVE-2018-3148 Oracle Unspecified vulnerability in Oracle Primavera Unifier

Vulnerability in the Primavera Unifier component of Oracle Construction and Engineering Suite (subcomponent: Web Access).

5.8
2018-10-17 CVE-2018-3146 Oracle Unspecified vulnerability in Oracle Ilearning 6.1/6.2

Vulnerability in the Oracle iLearning component of Oracle iLearning (subcomponent: Learner Administration).

5.8
2018-10-17 CVE-2018-3140 Oracle Unspecified vulnerability in Oracle Hyperion 11.1.2.4

Vulnerability in the Hyperion Essbase Administration Services component of Oracle Hyperion (subcomponent: EAS Console).

5.8
2018-10-17 CVE-2018-3138 Oracle Unspecified vulnerability in Oracle Application Object Library

Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments / File Upload).

5.8
2018-10-17 CVE-2018-3132 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Rich Text Editor).

5.8
2018-10-17 CVE-2018-3059 Oracle Unspecified vulnerability in Oracle Siebel UI Framework 18.7/18.8/18.9

Vulnerability in the Siebel UI Framework component of Oracle Siebel CRM (subcomponent: UIF Open UI).

5.8
2018-10-17 CVE-2018-3011 Oracle Unspecified vulnerability in Oracle Trade Management

Vulnerability in the Oracle Trade Management component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2018-10-17 CVE-2018-0381 Cisco Improper Locking vulnerability in Cisco Aironet Access Points

A vulnerability in the Cisco Aironet Series Access Points (APs) software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

5.5
2018-10-17 CVE-2018-18409 Digitalcorpora
Fedoraproject
Canonical
Out-of-bounds Read vulnerability in multiple products

A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call.

5.5
2018-10-17 CVE-2018-18407 Broadcom
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

A heap-based buffer over-read was discovered in the tcpreplay-edit binary of Tcpreplay 4.3.0 beta1, during the incremental checksum operation.

5.5
2018-10-17 CVE-2018-3247 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Merge).
5.5
2018-10-17 CVE-2018-3236 Oracle Unspecified vulnerability in Oracle User Management

Vulnerability in the Oracle User Management component of Oracle E-Business Suite (subcomponent: Reports).

5.5
2018-10-17 CVE-2018-3195 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL).
5.5
2018-10-17 CVE-2018-3187 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
5.5
2018-10-17 CVE-2018-3185 Oracle
Netapp
Canonical
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
5.5
2018-10-17 CVE-2018-3168 Oracle Unspecified vulnerability in Oracle Identity Analytics 11.1.1.5.8

Vulnerability in the Oracle Identity Analytics component of Oracle Fusion Middleware (subcomponent: Core Components).

5.5
2018-10-17 CVE-2018-3158 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Fleet Management 9.0

Vulnerability in the Oracle Hospitality Cruise Fleet Management component of Oracle Hospitality Applications (subcomponent: Emergency Response System).

5.5
2018-10-17 CVE-2018-3130 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Interaction HUB 9.1.0.0

Vulnerability in the PeopleSoft Enterprise Interaction Hub component of Oracle PeopleSoft Products (subcomponent: Application Portal).

5.5
2018-10-17 CVE-2018-3128 Oracle Unspecified vulnerability in Oracle Hospitality Reporting and Analytics 9.0/9.1

Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Food and Beverage Applications.

5.5
2018-10-15 CVE-2018-1747 IBM XXE vulnerability in IBM Security KEY Lifecycle Manager

IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.

5.5
2018-10-15 CVE-2018-18309 GNU Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Binutils 2.31

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.

5.5
2018-10-17 CVE-2018-0395 Cisco Improper Input Validation vulnerability in Cisco Firepower Extensible Operating System and Nx-Os

A vulnerability in the Link Layer Discovery Protocol (LLDP) implementation for Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when the device unexpectedly reloads.

5.3
2018-10-17 CVE-2018-3174 Oracle
Netapp
Canonical
Debian
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs).
5.3
2018-10-17 CVE-2018-3209 Oracle Unspecified vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX).

5.1
2018-10-17 CVE-2018-3169 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot).
5.1
2018-10-17 CVE-2018-3149 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI).
5.1
2018-10-20 CVE-2018-18541 Teeworlds
Debian
Improper Input Validation vulnerability in multiple products

In Teeworlds before 0.6.5, connection packets could be forged.

5.0
2018-10-19 CVE-2018-18428 TP Link Information Exposure vulnerability in Tp-Link Tl-Sc3130 Firmware 1.6.18P12121101

TP-Link TL-SC3130 1.6.18P12_121101 devices allow unauthenticated RTSP stream access, as demonstrated by a /jpg/image.jpg URI.

5.0
2018-10-19 CVE-2018-12673 Sv3C Information Exposure vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including camera hardware, wireless network, and local area network information.

5.0
2018-10-19 CVE-2018-12671 Sv3C Information Exposure vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including all password sets set within the camera.

5.0
2018-10-19 CVE-2018-18531 Kaptcha Project Use of Insufficiently Random Values vulnerability in Kaptcha Project Kaptcha 2.3.2

text/impl/DefaultTextCreator.java, text/impl/ChineseTextProducer.java, and text/impl/FiveLetterFirstNameTextCreator.java in kaptcha 2.3.2 use the Random (rather than SecureRandom) function for generating CAPTCHA values, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force approach.

5.0
2018-10-19 CVE-2018-18394 Moxa Cleartext Storage of Sensitive Information vulnerability in Moxa Thingspro 2.1

Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

5.0
2018-10-19 CVE-2018-18393 Moxa Unspecified vulnerability in Moxa Thingspro 2.1

Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

5.0
2018-10-19 CVE-2018-18390 Moxa Information Exposure vulnerability in Moxa Thingspro 2.1

User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

5.0
2018-10-18 CVE-2018-18487 Gxlcms Information Exposure vulnerability in Gxlcms 2.0

In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations.

5.0
2018-10-18 CVE-2015-4632 Koha Path Traversal vulnerability in Koha

Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.

5.0
2018-10-18 CVE-2018-12382 Mozilla
Google
Improper Input Validation vulnerability in Mozilla Firefox 62.0

The displayed addressbar URL can be spoofed on Firefox for Android using a javascript: URI in concert with JavaScript to insert text before the loaded domain name, scrolling the loaded domain out of view to the right.

5.0
2018-10-18 CVE-2018-12381 Mozilla
Microsoft
Externally Controlled Reference to a Resource in Another Sphere vulnerability in Mozilla Firefox and Firefox ESR

Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL.

5.0
2018-10-17 CVE-2018-0443 Cisco Improper Input Validation vulnerability in Cisco Wireless LAN Controller Software 8.2(151.0)

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

5.0
2018-10-17 CVE-2018-0442 Cisco Unspecified vulnerability in Cisco Wireless LAN Controller Software

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

5.0
2018-10-17 CVE-2018-14597 Broadcom Information Exposure vulnerability in Broadcom products

CA Technologies Identity Governance 12.6, 14.0, 14.1, and 14.2 and CA Identity Suite Virtual Appliance 14.0, 14.1, and 14.2 provide telling error messages that may allow remote attackers to enumerate account names.

5.0
2018-10-17 CVE-2018-0416 Cisco Improper Input Validation vulnerability in Cisco Wireless LAN Controller Software 8.5(130.0)/8.9(1.52)

A vulnerability in the web-based interface of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to view system information that under normal circumstances should be prohibited.

5.0
2018-10-17 CVE-2018-12821 Adobe Out-of-bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability.

5.0
2018-10-17 CVE-2018-12820 Adobe Out-of-bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability.

5.0
2018-10-17 CVE-2018-12819 Adobe Out-of-bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability.

5.0
2018-10-17 CVE-2018-12818 Adobe Out-of-bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability.

5.0
2018-10-17 CVE-2018-12816 Adobe Out-of-bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.8 and below have an out of bounds read vulnerability.

5.0
2018-10-17 CVE-2018-7111 HP Unspecified vulnerability in HP Universal Internet of Things

A remote unauthorized access vulnerability was identified in HPE UIoT versions 1.5, 1.4.0, 1.4.1, 1.4.2, 1.2.4.2.

5.0
2018-10-17 CVE-2018-18434 Litemall Project Path Traversal vulnerability in Litemall Project Litemall 0.9.0

An issue was discovered in litemall 0.9.0.

5.0
2018-10-17 CVE-2018-3268 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: SMB Server).

5.0
2018-10-17 CVE-2018-3267 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: LFTP).

5.0
2018-10-17 CVE-2018-3261 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker).

5.0
2018-10-17 CVE-2018-3254 Oracle Unspecified vulnerability in Oracle Webcenter Portal 11.1.1.9.0/12.2.1.3.0

Vulnerability in the Oracle WebCenter Portal component of Oracle Fusion Middleware (subcomponent: WebCenter Spaces Application).

5.0
2018-10-17 CVE-2018-3246 Oracle Unspecified vulnerability in Oracle products

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

5.0
2018-10-17 CVE-2018-3244 Oracle Unspecified vulnerability in Oracle Application Object Library

Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments / File Upload).

5.0
2018-10-17 CVE-2018-3239 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker).

5.0
2018-10-17 CVE-2018-3237 Oracle Unspecified vulnerability in Oracle Applications Manager

Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: Support Cart).

5.0
2018-10-17 CVE-2018-3214 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound).
5.0
2018-10-17 CVE-2018-3213 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Docker Images).

5.0
2018-10-17 CVE-2018-3210 Oracle Unspecified vulnerability in Oracle Glassfish Server 3.1.2

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Java Server Faces).

5.0
2018-10-17 CVE-2018-3202 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Performance Monitor).

5.0
2018-10-17 CVE-2018-3198 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal).

5.0
2018-10-17 CVE-2018-3172 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: RPC).

5.0
2018-10-17 CVE-2018-3167 Oracle Unspecified vulnerability in Oracle Application Management Pack

Vulnerability in the Application Management Pack for Oracle E-Business Suite component of Oracle E-Business Suite (subcomponent: User Monitoring).

5.0
2018-10-17 CVE-2018-3152 Oracle Unspecified vulnerability in Oracle Glassfish Server 3.1.2

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Administration).

5.0
2018-10-17 CVE-2018-3151 Oracle Unspecified vulnerability in Oracle Iprocurement

Vulnerability in the Oracle iProcurement component of Oracle E-Business Suite (subcomponent: E-Content Manager Catalog).

5.0
2018-10-17 CVE-2018-3141 Oracle Unspecified vulnerability in Oracle Hyperion 11.1.2.4

Vulnerability in the Hyperion Essbase Administration Services component of Oracle Hyperion (subcomponent: EAS Console).

5.0
2018-10-17 CVE-2018-2914 Oracle NULL Pointer Dereference vulnerability in Oracle Goldengate 12.1.2.1.0/12.2.0.2.0/12.3.0.1.0

Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate (subcomponent: Manager).

5.0
2018-10-17 CVE-2018-2912 Oracle NULL Pointer Dereference vulnerability in Oracle Goldengate 12.1.2.1.0/12.2.0.2.0/12.3.0.1.0

Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate (subcomponent: Manager).

5.0
2018-10-17 CVE-2018-2889 Oracle Unspecified vulnerability in Oracle Micros Retail-J 12.1.2

Vulnerability in the MICROS Retail-J component of Oracle Retail Applications (subcomponent: Internal Operations).

5.0
2018-10-16 CVE-2018-18385 Asciidoctor Infinite Loop vulnerability in Asciidoctor

Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial of service (infinite loop).

5.0
2018-10-16 CVE-2018-18377 Orange Missing Authorization vulnerability in Orange Airbox Firmware Y858Fl01.1604

goform/setReset on Orange AirBox Y858_FL_01.16_04 devices allows attackers to reset a router to factory settings, which can be used to login using the default admin:admin credentials.

5.0
2018-10-16 CVE-2018-18376 Orange Information Exposure vulnerability in Orange Airbox Firmware Y858Fl01.1604

goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.

5.0
2018-10-16 CVE-2018-18375 Orange Use of Insufficiently Random Values vulnerability in Orange Airbox Firmware Y858Fl01.1604

goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.

5.0
2018-10-15 CVE-2018-18315 Mossle Unrestricted Upload of File with Dangerous Type vulnerability in Mossle Lemon 1.9.0

com/mossle/cdn/CdnController.java in lemon 1.9.0 allows attackers to upload arbitrary files because the copyMultipartFileToFile method in CdnUtils only checks for a ../ substring, and does not validate the file type and spaceName parameter.

5.0
2018-10-17 CVE-2018-3285 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Windows).
4.9
2018-10-17 CVE-2018-3282 Oracle
Netapp
Canonical
Debian
Mariadb
Redhat
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines).
4.9
2018-10-17 CVE-2018-3280 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: JSON).
4.9
2018-10-17 CVE-2018-3279 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Roles).
4.9
2018-10-17 CVE-2018-3272 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones Virtualized NIC Driver).

4.9
2018-10-17 CVE-2018-3238 Oracle Unspecified vulnerability in Oracle Webcenter Sites 11.1.1.8.0

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

4.9
2018-10-17 CVE-2018-3212 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Information Schema).
4.9
2018-10-17 CVE-2018-3186 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
4.9
2018-10-17 CVE-2018-3171 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition).

4.9
2018-10-17 CVE-2018-3170 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL).
4.9
2018-10-17 CVE-2018-3122 Oracle Unspecified vulnerability in Oracle Retail Open Commerce Platform 5.3/6.0/6.0.1

Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Integrations).

4.9
2018-10-16 CVE-2018-11020 Amazon Argument Injection or Modification vulnerability in Amazon Fire OS 4.5.5.3

kernel/omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device file /dev/rpmsg-omx1 with the command 3221772291, and cause a kernel crash.

4.9
2018-10-17 CVE-2018-0388 Cisco Cross-site Scripting vulnerability in Cisco Wireless LAN Controller Software 8.3(133.0)/8.3(135.0)/8.5(120.0)

A vulnerability in the web-based interface of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web-based interface of an affected system.

4.8
2018-10-17 CVE-2018-3271 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones).

4.7
2018-10-19 CVE-2018-18026 Iobit Out-of-bounds Write vulnerability in Iobit Malware Fighter

IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly lower versions) is vulnerable to a stack-based buffer overflow.

4.6
2018-10-18 CVE-2018-11080 EMC Incorrect Permission Assignment for Critical Resource vulnerability in EMC Secure Remote Services 3.0/3.02/3.03

Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains Improper File Permission Vulnerabilities.

4.6
2018-10-18 CVE-2018-12379 Redhat
Debian
Mozilla
Out-of-bounds Write vulnerability in multiple products

When the Mozilla Updater opens a MAR format file which contains a very long item filename, an out-of-bounds write can be triggered, leading to a potentially exploitable crash.

4.6
2018-10-16 CVE-2018-13399 Atlassian Incorrect Permission Assignment for Critical Resource vulnerability in Atlassian Crucible and Fisheye

The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.

4.6
2018-10-15 CVE-2018-15592 Ivanti Improper Privilege Management vulnerability in Ivanti Workspace Control

An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace.

4.6
2018-10-15 CVE-2018-15591 Ivanti Exposure of Resource to Wrong Sphere vulnerability in Ivanti Workspace Control

An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace.

4.6
2018-10-18 CVE-2018-12385 Redhat
Debian
Canonical
Mozilla
Improper Input Validation vulnerability in multiple products

A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory.

4.4
2018-10-17 CVE-2018-3298 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3297 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3296 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3295 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3293 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3292 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3291 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3290 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3289 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3288 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3287 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-17 CVE-2018-3284 Oracle
Canonical
Netapp
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.4
2018-10-17 CVE-2018-3266 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Verified Boot).

4.4
2018-10-17 CVE-2018-3265 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Zones).

4.4
2018-10-17 CVE-2018-3160 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Shipboard Property Management System 8.0

Vulnerability in the Oracle Hospitality Cruise Shipboard Property Management System component of Oracle Hospitality Applications (subcomponent: OHC Admin, OHC Management).

4.4
2018-10-17 CVE-2018-2909 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2018-10-21 CVE-2018-18545 Fiyo Project Cross-site Scripting vulnerability in Fiyo CMS 2.0.7

Fiyo CMS 2.0.7 has XSS via the dapur\apps\app_user\edit_user.php name parameter.

4.3
2018-10-21 CVE-2018-18544 Graphicsmagick
Imagemagick
Opensuse
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.

4.3
2018-10-20 CVE-2018-18540 Teakki Cross-site Scripting vulnerability in Teakki 2.7

TeaKKi 2.7 allows XSS via a crafted onerror attribute for a picture's URL.

4.3
2018-10-19 CVE-2018-18521 Elfutils Project
Debian
Redhat
Opensuse
Canonical
Divide By Zero vulnerability in multiple products

Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.

4.3
2018-10-19 CVE-2018-18520 Elfutils Project
Debian
Canonical
Opensuse
Redhat
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174.

4.3
2018-10-19 CVE-2018-15315 F5 Cross-site Scripting vulnerability in F5 products

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected Cross Site Scripting (XSS) vulnerability in an undisclosed Configuration Utility page.

4.3
2018-10-19 CVE-2018-15314 F5 Cross-site Scripting vulnerability in F5 Big-Ip Advanced Firewall Manager

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page.

4.3
2018-10-19 CVE-2018-15313 F5 Cross-site Scripting vulnerability in F5 Big-Ip Advanced Firewall Manager

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page.

4.3
2018-10-19 CVE-2018-15312 F5 Cross-site Scripting vulnerability in F5 products

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in user.

4.3
2018-10-18 CVE-2018-18484 GNU Uncontrolled Recursion vulnerability in GNU Binutils 2.31

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.

4.3
2018-10-18 CVE-2018-18482 Libpg Query Project Missing Release of Resource after Effective Lifetime vulnerability in Libpg Query Project Libpg Query 101.0.2

An issue was discovered in libpg_query 10-1.0.2.

4.3
2018-10-18 CVE-2018-18481 Libopencad Project Out-of-bounds Read vulnerability in Libopencad Project Libopencad 0.2.0

A heap-based buffer over-read exists in libopencad 0.2.0 in the ReadCHAR function in lib/dwg/io.cpp, resulting in an application crash.

4.3
2018-10-18 CVE-2018-18480 Libopencad Project Out-of-bounds Read vulnerability in Libopencad Project Libopencad 0.2.0

A heap-based buffer over-read exists in libopencad 0.2.0 in the ReadMCHAR function in lib/dwg/io.cpp, resulting in an application crash.

4.3
2018-10-18 CVE-2018-18478 Librenms Cross-site Scripting vulnerability in Librenms

Persistent Cross-Site Scripting (XSS) issues in LibreNMS before 1.44 allow remote attackers to inject arbitrary web script or HTML via the dashboard_name parameter in the /ajax_form.php resource, related to html/includes/forms/add-dashboard.inc.php, html/includes/forms/delete-dashboard.inc.php, and html/includes/forms/edit-dashboard.inc.php.

4.3
2018-10-18 CVE-2018-12374 Mozilla
Redhat
Debian
Canonical
Information Exposure vulnerability in multiple products

Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field.

4.3
2018-10-18 CVE-2018-12373 Mozilla
Redhat
Debian
Canonical
Information Exposure vulnerability in multiple products

dDecrypted S/MIME parts hidden with CSS or the plaintext HTML tag can leak plaintext when included in a HTML reply/forward.

4.3
2018-10-18 CVE-2018-12372 Mozilla
Redhat
Debian
Canonical
Information Exposure vulnerability in multiple products

Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a a HTML reply/forward.

4.3
2018-10-18 CVE-2018-12367 Debian
Canonical
Mozilla
Improper Input Validation vulnerability in multiple products

In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals.

4.3
2018-10-18 CVE-2018-12366 Redhat
Debian
Canonical
Mozilla
Out-of-bounds Read vulnerability in multiple products

An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value.

4.3
2018-10-18 CVE-2018-12365 Redhat
Debian
Canonical
Mozilla
Information Exposure vulnerability in multiple products

A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction.

4.3
2018-10-18 CVE-2018-12358 Mozilla
Canonical
Information Exposure vulnerability in multiple products

Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque.

4.3
2018-10-18 CVE-2018-18459 Xpdfreader NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.00

The function DCTStream::getBlock in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted pdf file, as demonstrated by pdftoppm.

4.3
2018-10-18 CVE-2018-18458 Xpdfreader NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.00

The function DCTStream::decodeImage in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted pdf file, as demonstrated by pdftoppm.

4.3
2018-10-18 CVE-2018-18457 Xpdfreader NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.00

The function DCTStream::readScan in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted pdf file, as demonstrated by pdftoppm.

4.3
2018-10-18 CVE-2018-18456 Xpdfreader Out-of-bounds Read vulnerability in Xpdfreader Xpdf 4.00

The function Object::isName() in Object.h (called from Gfx::opSetFillColorN) in Xpdf 4.00 allows remote attackers to cause a denial of service (stack-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.

4.3
2018-10-18 CVE-2018-18455 Xpdfreader Out-of-bounds Read vulnerability in Xpdfreader Xpdf 4.00

The GfxImageColorMap class in GfxState.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.

4.3
2018-10-18 CVE-2018-18454 Xpdfreader Out-of-bounds Read vulnerability in Xpdfreader Xpdf 4.00

CCITTFaxStream::readRow() in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.

4.3
2018-10-17 CVE-2018-15438 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Prime Collaboration Assurance 12.1

A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system.

4.3
2018-10-17 CVE-2018-15435 Cisco Cross-site Scripting vulnerability in Cisco Socialminer 11.6(1)

A vulnerability in the web-based management interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface.

4.3
2018-10-17 CVE-2018-18443 ILM Missing Release of Resource after Effective Lifetime vulnerability in ILM Openexr 2.3.0

OpenEXR 2.3.0 has a memory leak in ThreadPool in IlmBase/IlmThread/IlmThreadPool.cpp, as demonstrated by exrmultiview.

4.3
2018-10-17 CVE-2018-15973 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability.

4.3
2018-10-17 CVE-2018-15972 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability.

4.3
2018-10-17 CVE-2018-15971 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability.

4.3
2018-10-17 CVE-2018-15970 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability.

4.3
2018-10-17 CVE-2018-15969 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager 6.3.0/6.4.0

Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability.

4.3
2018-10-17 CVE-2018-18372 Kaasoft Cross-site Scripting vulnerability in Kaasoft Library CMS 2.1.1

A Stored XSS vulnerability has been discovered in KAASoft Library CMS - Powerful Book Management System 2.1.1 via the /admin/book/create/ title parameter.

4.3
2018-10-17 CVE-2018-18262 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Opmanager 12.3

Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.

4.3
2018-10-17 CVE-2018-17964 Aryanic Cross-site Scripting vulnerability in Aryanic Highportal 12.5

Aryanic HighPortal 12.5 has XSS via an Add Tags action.

4.3
2018-10-17 CVE-2018-7110 HPE
Redhat
Race Condition vulnerability in HPE Service Governance Framework 4.2/4.3

A remote unauthorized disclosure of information vulnerability was identified in HPE Service Governance Framework (SGF) version 4.2, 4.3.

4.3
2018-10-17 CVE-2018-3286 Oracle
Netapp
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).
4.3
2018-10-17 CVE-2018-3262 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Stylesheet).

4.3
2018-10-17 CVE-2018-3256 Oracle Unspecified vulnerability in Oracle Email Center

Vulnerability in the Oracle Email Center component of Oracle E-Business Suite (subcomponent: Message Display).

4.3
2018-10-17 CVE-2018-3248 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

4.3
2018-10-17 CVE-2018-3157 Oracle Unspecified vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Sound).

4.3
2018-10-17 CVE-2018-3150 Oracle Unspecified vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Utility).

4.3
2018-10-17 CVE-2018-3147 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

4.3
2018-10-17 CVE-2018-3144 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit).
4.3
2018-10-17 CVE-2018-3135 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal).

4.3
2018-10-17 CVE-2018-3129 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Portal).

4.3
2018-10-17 CVE-2018-3127 Oracle Unspecified vulnerability in Oracle Demantra Demand Management 12.2/7.3.5

Vulnerability in the Oracle Demantra Demand Management component of Oracle Supply Chain Products Suite (subcomponent: Product Security).

4.3
2018-10-16 CVE-2018-18308 Bigtreecms Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS 4.2.23

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).

4.3
2018-10-16 CVE-2018-18384 Unzip Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Unzip Project Unzip 6.0

Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.

4.3
2018-10-15 CVE-2018-18259 Luya Cross-site Scripting vulnerability in Luya CMS 1.0.12

Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.

4.3
2018-10-15 CVE-2018-17533 Teltonika Cross-site Scripting vulnerability in Teltonika Rut900 Firmware, Rut950 Firmware and Rut955 Firmware

Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross-site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization.

4.3
2018-10-15 CVE-2018-15538 Agentejo Cross-site Scripting vulnerability in Agentejo Cockpit

Agentejo Cockpit has multiple Cross-Site Scripting vulnerabilities.

4.3
2018-10-15 CVE-2017-5934 Moinmo
Canonical
Debian
Opensuse
Cross-site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2018-10-15 CVE-2018-15378 Clamav
Debian
Canonical
Out-of-bounds Read vulnerability in multiple products

A vulnerability in ClamAV versions prior to 0.100.2 could allow an attacker to cause a denial of service (DoS) condition.

4.3
2018-10-15 CVE-2018-18361 Nconsulting Cross-site Scripting vulnerability in Nconsulting Nc-Cms

An issue was discovered in nc-cms through 2017-03-10.

4.3
2018-10-15 CVE-2018-18310 Elfutils Project
Debian
Redhat
Opensuse
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174.

4.3
2018-10-15 CVE-2018-18296 Metinfo Cross-site Scripting vulnerability in Metinfo 6.1.2

MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action.

4.3
2018-10-17 CVE-2018-3278 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR).
4.0
2018-10-17 CVE-2018-3277 Oracle
Netapp
Canonical
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3276 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached).
4.0
2018-10-17 CVE-2018-3269 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: SMB Server).

4.0
2018-10-17 CVE-2018-3251 Oracle
Netapp
Canonical
Debian
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3249 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

4.0
2018-10-17 CVE-2018-3208 Oracle Unspecified vulnerability in Oracle Hyperion Data Relationship Management 11.1.2.4.345

Vulnerability in the Hyperion Data Relationship Management component of Oracle Hyperion (subcomponent: Access and Security).

4.0
2018-10-17 CVE-2018-3200 Oracle
Netapp
Canonical
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3173 Oracle
Netapp
Canonical
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3166 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Fleet Management 9.0

Vulnerability in the Oracle Hospitality Cruise Fleet Management component of Oracle Hospitality Applications (subcomponent: Emergency Response System).

4.0
2018-10-17 CVE-2018-3162 Oracle
Netapp
Canonical
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3161 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition).

4.0
2018-10-17 CVE-2018-3156 Oracle
Canonical
Debian
Netapp
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3155 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser).
4.0
2018-10-17 CVE-2018-3143 Oracle
Netapp
Canonical
Debian
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2018-10-17 CVE-2018-3142 Oracle Unspecified vulnerability in Oracle Hyperion 11.1.2.4

Vulnerability in the Hyperion Essbase Administration Services component of Oracle Hyperion (subcomponent: EAS Console).

4.0
2018-10-17 CVE-2018-3133 Oracle
Netapp
Canonical
Debian
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser).
4.0
2018-10-17 CVE-2018-2971 Oracle Unspecified vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: REST Services).

4.0
2018-10-17 CVE-2018-2902 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Console).

4.0
2018-10-15 CVE-2018-1744 IBM Path Traversal vulnerability in IBM Security KEY Lifecycle Manager

IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system.

4.0

39 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2018-10-17 CVE-2018-3264 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel).

3.6
2018-10-17 CVE-2018-3159 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Fleet Management 9.0

Vulnerability in the Oracle Hospitality Cruise Fleet Management component of Oracle Hospitality Applications (subcomponent: Sender and Receiver).

3.6
2018-10-17 CVE-2018-3131 Oracle Unspecified vulnerability in Oracle Hospitality Gift and Loyalty 9.0

Vulnerability in the Oracle Hospitality Gift and Loyalty component of Oracle Food and Beverage Applications.

3.6
2018-10-19 CVE-2018-18419 Ardawan Cross-site Scripting vulnerability in Ardawan User Management 1.1

Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.

3.5
2018-10-19 CVE-2018-18417 Creativeitem Cross-site Scripting vulnerability in Creativeitem Ekushey Project Manager 3.1

In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.

3.5
2018-10-19 CVE-2018-18416 Pokkho Cross-site Scripting vulnerability in Pokkho Lango 1.0

LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.

3.5
2018-10-19 CVE-2018-12672 Sv3C Cross-site Scripting vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B

The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B) does not perform proper validation on user-supplied input and is vulnerable to cross-site scripting attacks.

3.5
2018-10-18 CVE-2015-4631 Koha Cross-site Scripting vulnerability in Koha

Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.

3.5
2018-10-17 CVE-2018-18373 Schiocco Cross-site Scripting vulnerability in Schiocco Support Board - Chat and Help Desk 1.2.3

In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action.

3.5
2018-10-17 CVE-2018-18433 Destoon Cross-site Scripting vulnerability in Destoon B2B 7.0

An issue was discovered in DESTOON B2B 7.0.

3.5
2018-10-17 CVE-2018-18431 Destoon Cross-site Scripting vulnerability in Destoon B2B 7.0

An issue was discovered in DESTOON B2B 7.0.

3.5
2018-10-17 CVE-2018-18430 Destoon Cross-site Scripting vulnerability in Destoon B2B 7.0

An issue was discovered in DESTOON B2B 7.0.

3.5
2018-10-17 CVE-2018-3283 Oracle
Netapp
Microsoft
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Logging).
3.5
2018-10-17 CVE-2018-3184 Oracle Unspecified vulnerability in Oracle Hyperion Bi+ 11.1.2.4

Vulnerability in the Hyperion BI+ component of Oracle Hyperion (subcomponent: IQR - Foundation Services).

3.5
2018-10-16 CVE-2018-1777 IBM Cross-site Scripting vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting.

3.5
2018-10-16 CVE-2018-18381 Zblogcn Cross-site Scripting vulnerability in Zblogcn Z-Blogphp 1.5.2.1935

Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.

3.5
2018-10-16 CVE-2018-18374 Metinfo Cross-site Scripting vulnerability in Metinfo 6.1.2

XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.

3.5
2018-10-17 CVE-2018-3211 Oracle Unspecified vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serviceability).

3.3
2018-10-19 CVE-2018-12674 Sv3C Cleartext Transmission of Sensitive Information vulnerability in Sv3C H.264 POE IP Camera Firmware V2.3.4.2103S50Ntdb20170508B/V2.3.4.2103S50Ntdb20170823B

The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) stores the username and password within the cookies of a session.

2.9
2018-10-17 CVE-2018-15395 Cisco Unspecified vulnerability in Cisco Wireless LAN Controller Software 8.5(120.0)

A vulnerability in the authentication and authorization checking mechanisms of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, adjacent attacker to gain network access to a Cisco TrustSec domain.

2.7
2018-10-17 CVE-2018-3139 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).
2.6
2018-10-17 CVE-2018-3136 Oracle
Redhat
Debian
Canonical
HP
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security).
2.6
2018-10-17 CVE-2018-3134 Oracle Unspecified vulnerability in Oracle Agile Product Lifecycle Management for Process 6.2.0.0

Vulnerability in the Oracle Agile Product Lifecycle Management for Process component of Oracle Supply Chain Products Suite (subcomponent: User Group Management).

2.6
2018-10-19 CVE-2018-18438 Qemu
Redhat
Integer Overflow or Wraparound vulnerability in multiple products

Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.

2.1
2018-10-19 CVE-2018-15316 F5 Unspecified vulnerability in F5 products

In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permission and bypassing the endpoint checks.

2.1
2018-10-18 CVE-2018-15765 Dell Information Exposure vulnerability in Dell EMC Secure Remote Services

Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains an Information Exposure vulnerability.

2.1
2018-10-18 CVE-2018-11079 EMC Insufficiently Protected Credentials vulnerability in EMC Secure Remote Services 3.0/3.02/3.03

Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains a Plaintext Password Storage vulnerability.

2.1
2018-10-18 CVE-2018-1518 IBM Inadequate Encryption Strength vulnerability in IBM products

IBM InfoSphere Information Server 11.7 is affected by a weak password encryption vulnerability that could allow a local user to obtain highly sensitive information.

2.1
2018-10-18 CVE-2018-12383 Redhat
Debian
Canonical
Mozilla
Insufficiently Protected Credentials vulnerability in multiple products

If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible.

2.1
2018-10-17 CVE-2018-18386 Linux
Canonical
Incorrect Type Conversion or Cast vulnerability in Linux Kernel

drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.

2.1
2018-10-17 CVE-2018-7989 Huawei Improper Authentication vulnerability in Huawei Mate 10 PRO Firmware

Huawei Mate 10 pro smartphones with the versions before BLA-AL00B 8.1.0.326(C00) have an improper authentication vulnerability.

2.1
2018-10-17 CVE-2018-7924 Huawei Incorrect Permission Assignment for Critical Resource vulnerability in Huawei Anne-Al00 Firmware 8.0.0.151(C00)

Anne-AL00 Huawei phones with versions earlier than 8.0.0.151(C00) have an information leak vulnerability.

2.1
2018-10-17 CVE-2018-3181 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Shipboard Property Management System 8.0

Vulnerability in the Oracle Hospitality Cruise Shipboard Property Management System component of Oracle Hospitality Applications (subcomponent: OHC ENOAD).

2.1
2018-10-15 CVE-2018-12154 Intel Infinite Loop vulnerability in Intel Graphics Driver

Denial of Service in Unified Shader Compiler in Intel Graphics Drivers before 10.18.x.5056 (aka 15.33.x.5056), 10.18.x.5057 (aka 15.36.x.5057) and 20.19.x.5058 (aka 15.40.x.5058) may allow an unprivileged user to potentially create an infinite loop and crash an application via local access.

2.1
2018-10-15 CVE-2018-15593 Ivanti Unspecified vulnerability in Ivanti Workspace Control

An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace.

2.1
2018-10-15 CVE-2018-15590 Ivanti Unspecified vulnerability in Ivanti Workspace Control

An issue was discovered in Ivanti Workspace Control before 10.3.0.0 and RES One Workspace, when file and folder security are configured.

2.1
2018-10-19 CVE-2018-18398 Xfce Out-of-bounds Read vulnerability in Xfce Thunar and Xfce

Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV.

1.9
2018-10-17 CVE-2018-2922 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel).

1.9
2018-10-17 CVE-2018-3270 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel).

1.2