Weekly Vulnerabilities Reports > January 7 to 13, 2019

Overview

394 new vulnerabilities reported during this period, including 45 critical vulnerabilities and 92 high severity vulnerabilities. This weekly summary report vulnerabilities in 612 products from 97 vendors including Google, Redhat, Debian, Microsoft, and Apple. Vulnerabilities are notably categorized as "Improper Input Validation", "Cross-site Scripting", "Information Exposure", "OS Command Injection", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 314 reported vulnerabilities are remotely exploitables.
  • 27 reported vulnerabilities have public exploit available.
  • 104 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 315 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 84 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 15 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

45 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-11 CVE-2018-4258 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, a buffer overflow was addressed with improved bounds checking.

10.0
2019-01-11 CVE-2018-4257 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, a buffer overflow was addressed with improved size validation.

10.0
2019-01-11 CVE-2018-4254 Apple Improper Input Validation vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, an input validation issue existed in the kernel.

10.0
2019-01-11 CVE-2018-4189 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

In iOS before 11.2.5, macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, watchOS before 4.2.2, and tvOS before 11.2.5, a memory corruption issue exists and was addressed with improved memory handling.

10.0
2019-01-11 CVE-2018-4169 Apple Out-of-bounds Read vulnerability in Apple mac OS X 10.13.0/10.13.1/10.13.2

In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, an out-of-bounds read was addressed with improved input validation.

10.0
2019-01-10 CVE-2018-16803 Cimtechniques SQL Injection vulnerability in Cimtechniques Cimscan

In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows attackers to execute SQL code.

10.0
2019-01-09 CVE-2018-16184 Ricoh OS Command Injection vulnerability in Ricoh products

RICOH Interactive Whiteboard D2200 V1.6 to V2.2, D5500 V1.6 to V2.2, D5510 V1.6 to V2.2, and the display versions with RICOH Interactive Whiteboard Controller Type1 V1.6 to V2.2 attached (D5520, D6500, D6510, D7500, D8400) allows remote attackers to execute arbitrary commands via unspecified vectors.

10.0
2019-01-09 CVE-2018-16167 Jpcert OS Command Injection vulnerability in Jpcert Logontracer

LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

10.0
2019-01-08 CVE-2019-0586 Microsoft Out-of-bounds Write vulnerability in Microsoft Exchange Server 2016/2019

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server.

10.0
2019-01-11 CVE-2018-4298 Apple Unspecified vulnerability in Apple products

In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a permissions issue existed in Remote Management.

9.8
2019-01-10 CVE-2017-1002157 Redhat Improper Input Validation vulnerability in Redhat Modulemd

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.

9.8
2019-01-09 CVE-2018-6127 Google
Debian
Redhat
Use After Free vulnerability in multiple products

Early free of object in use in IndexDB in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

9.6
2019-01-09 CVE-2018-16068 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Missing validation in Mojo in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

9.6
2019-01-09 CVE-2017-15402 Google Improper Input Validation vulnerability in Google Chrome

Using an ID that can be controlled by a compromised renderer which allows any frame to overwrite the page_state of any other frame in the same process in Navigation in Google Chrome on Chrome OS prior to 62.0.3202.74 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

9.6
2019-01-11 CVE-2018-4330 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

In iOS before 11.4, a memory corruption issue exists and was addressed with improved memory handling.

9.3
2019-01-11 CVE-2016-7576 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

In iOS before 9.3.3, a memory corruption issue existed in the kernel.

9.3
2019-01-08 CVE-2019-0585 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka "Microsoft Word Remote Code Execution Vulnerability." This affects Word, Microsoft Office, Microsoft Office Word Viewer, Office 365 ProPlus, Microsoft SharePoint, Microsoft Office Online Server, Microsoft Word, Microsoft SharePoint Server.

9.3
2019-01-08 CVE-2019-0584 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0583 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0582 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0581 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0580 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0579 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0578 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0577 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0576 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0575 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-08 CVE-2019-0546 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017 15.9

A remote code execution vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs, aka "Visual Studio Remote Code Execution Vulnerability." This affects Microsoft Visual Studio.

9.3
2019-01-08 CVE-2019-0541 Microsoft Command Injection vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka "MSHTML Engine Remote Code Execution Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.

9.3
2019-01-08 CVE-2019-0538 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka "Jet Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

9.3
2019-01-13 CVE-2019-6250 Zeromq
Debian
Integer Overflow or Wraparound vulnerability in multiple products

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1.

9.0
2019-01-09 CVE-2018-16194 NEC OS Command Injection vulnerability in NEC Aterm Wf1200Cr Firmware and Aterm Wg1200Cr Firmware

Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to execute arbitrary OS commands via unspecified vectors.

9.0
2019-01-09 CVE-2018-0639 NEC OS Command Injection vulnerability in NEC Aterm Hc100Rc Firmware

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via tools_firmware.cgi date parameter, time parameter, and offset parameter.

9.0
2019-01-09 CVE-2018-0638 NEC OS Command Injection vulnerability in NEC Aterm Hc100Rc Firmware

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via import.cgi encKey parameter.

9.0
2019-01-09 CVE-2018-0637 NEC OS Command Injection vulnerability in NEC Aterm Hc100Rc Firmware

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via export.cgi encKey parameter.

9.0
2019-01-09 CVE-2018-0636 NEC OS Command Injection vulnerability in NEC Aterm Hc100Rc Firmware

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via FactoryPassword parameter of a certain URL, different URL from CVE-2018-0634.

9.0
2019-01-09 CVE-2018-0635 NEC OS Command Injection vulnerability in NEC Aterm Hc100Rc Firmware

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via filename parameter.

9.0
2019-01-09 CVE-2018-0634 NEC OS Command Injection vulnerability in NEC Aterm Hc100Rc Firmware

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via FactoryPassword parameter or bootmode parameter of a certain URL.

9.0
2019-01-09 CVE-2018-0631 NEC OS Command Injection vulnerability in NEC Aterm W300P Firmware

Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary OS commands via targetAPSsid parameter.

9.0
2019-01-09 CVE-2018-0630 NEC OS Command Injection vulnerability in NEC Aterm W300P Firmware

Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary OS commands via sysCmd parameter.

9.0
2019-01-09 CVE-2018-0629 NEC OS Command Injection vulnerability in NEC Aterm W300P Firmware

Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary OS commands via HTTP request and response.

9.0
2019-01-09 CVE-2018-0628 NEC OS Command Injection vulnerability in NEC Aterm Wg1200Hp Firmware

Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via HTTP request and response.

9.0
2019-01-09 CVE-2018-0627 NEC OS Command Injection vulnerability in NEC Aterm Wg1200Hp Firmware

Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via targetAPSsid parameter.

9.0
2019-01-09 CVE-2018-0626 NEC OS Command Injection vulnerability in NEC Aterm Wg1200Hp Firmware

Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via sysCmd in formWsc parameter.

9.0
2019-01-09 CVE-2018-0625 NEC OS Command Injection vulnerability in NEC Aterm Wg1200Hp Firmware

Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via formSysCmd parameter.

9.0

92 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-11 CVE-2018-4262 Apple
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11.4.1, tvOS before 11.4.1, iCloud for Windows before 7.6, multiple memory corruption issues were addressed with improved memory handling.

8.8
2019-01-11 CVE-2018-4213 Apple
Canonical
Webkitgtk
Improper Input Validation vulnerability in multiple products

In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure.

8.8
2019-01-11 CVE-2018-4212 Apple
Canonical
Webkitgtk
In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure.
8.8
2019-01-11 CVE-2018-4210 Apple
Canonical
Webkitgtk
Improper Validation of Array Index vulnerability in multiple products

In iOS before 11.3, Safari before 11.1, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, an array indexing issue existed in the handling of a function in javascript core.

8.8
2019-01-11 CVE-2018-4209 Apple
Canonical
Webkit
Improper Input Validation vulnerability in multiple products

In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure.

8.8
2019-01-11 CVE-2018-4208 Apple
Canonical
Webkitgtk
Improper Input Validation vulnerability in multiple products

In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure.

8.8
2019-01-11 CVE-2018-4207 Apple
Canonical
Webkitgtk
Improper Input Validation vulnerability in multiple products

In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure.

8.8
2019-01-11 CVE-2019-6128 Libtiff
Canonical
Opensuse
Debian
Memory Leak vulnerability in multiple products

The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb.

8.8
2019-01-09 CVE-2018-1000418 Atlassian Incorrect Authorization vulnerability in Atlassian Hipchat

An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2019-01-09 CVE-2018-6174 Google
Debian
Redhat
Integer Overflow or Wraparound vulnerability in multiple products

Integer overflows in Swiftshader in Google Chrome prior to 68.0.3440.75 potentially allowed a remote attacker to execute arbitrary code via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6170 Google
Debian
Redhat
Incorrect Type Conversion or Cast vulnerability in multiple products

A bad cast in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

8.8
2019-01-09 CVE-2018-6162 Google
Debian
Redhat
Deserialization of Untrusted Data vulnerability in multiple products

Improper deserialization in WebGL in Google Chrome on Mac prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6153 Google
Debian
Redhat
Out-of-bounds Write vulnerability in multiple products

A precision error in Skia in Google Chrome prior to 68.0.3440.75 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6151 Google
Debian
Redhat
Out-of-bounds Read vulnerability in multiple products

Bad cast in DevTools in Google Chrome on Win, Linux, Mac, Chrome OS prior to 66.0.3359.117 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension.

8.8
2019-01-09 CVE-2018-6144 Google
Debian
Redhat
Out-of-bounds Write vulnerability in multiple products

Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file.

8.8
2019-01-09 CVE-2018-6141 Google
Debian
Redhat
Out-of-bounds Read vulnerability in multiple products

Insufficient validation of an image filter in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6140 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Allowing the chrome.debugger API to attach to Web UI pages in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.

8.8
2019-01-09 CVE-2018-6139 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Insufficient target checks on the chrome.debugger API in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.

8.8
2019-01-09 CVE-2018-6126 Google
Debian
Redhat
Out-of-bounds Write vulnerability in multiple products

A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6124 Google
Debian
Redhat
Incorrect Type Conversion or Cast vulnerability in multiple products

Type confusion in ReadableStreams in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6120 Google
Debian
Redhat
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow that could lead to an attacker-controlled heap out-of-bounds write in PDFium in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.

8.8
2019-01-09 CVE-2018-6111 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

An object lifetime issue in the developer tools network handler in Google Chrome prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6106 Google
Debian
Redhat
Data Processing Errors vulnerability in multiple products

An asynchronous generator may return an incorrect state in V8 in Google Chrome prior to 66.0.3359.117 allowing a remote attacker to potentially exploit object corruption via a crafted HTML page.

8.8
2019-01-09 CVE-2018-6056 Google
Debian
Redhat
Incorrect Type Conversion or Cast vulnerability in multiple products

Type confusion could lead to a heap out-of-bounds write in V8 in Google Chrome prior to 64.0.3282.168 allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2018-20066 Google Use After Free vulnerability in Google Chrome

Incorrect object lifecycle in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2019-01-09 CVE-2018-20065 Google Improper Input Validation vulnerability in Google Chrome

Handling of URI action in PDFium in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to initiate potentially unsafe navigations without a user gesture via a crafted PDF file.

8.8
2019-01-09 CVE-2018-17461 Google
Debian
Redhat
Out-of-bounds Read vulnerability in multiple products

An out of bounds read in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.

8.8
2019-01-09 CVE-2018-17458 Google
Redhat
Improper Validation of Array Index vulnerability in multiple products

An improper update of the WebAssembly dispatch table in WebAssembly in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2018-17457 Google Use After Free vulnerability in Google Chrome

An object lifecycle issue in Blink could lead to a use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2018-16085 Google Use After Free vulnerability in Google Chrome

A use after free in ResourceCoordinator in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2019-01-09 CVE-2018-16083 Google
Redhat
Out-of-bounds Read vulnerability in multiple products

An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

8.8
2019-01-09 CVE-2018-16076 Google
Redhat
Out-of-bounds Read vulnerability in multiple products

Missing bounds check in PDFium in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.

8.8
2019-01-09 CVE-2018-16071 Google
Redhat
Use After Free vulnerability in multiple products

A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.

8.8
2019-01-09 CVE-2018-16065 Google
Debian
Redhat
Use After Free vulnerability in multiple products

A Javascript reentrancy issues that caused a use-after-free in V8 in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2017-15428 Google Out-of-bounds Write vulnerability in Google Chrome

Insufficient data validation in V8 builtins string generator could lead to out of bounds read and write access in V8 in Google Chrome prior to 62.0.3202.94 and allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2017-15401 Google Out-of-bounds Write vulnerability in Google Chrome

A memory corruption bug in WebAssembly could lead to out of bounds read and write through V8 in WebAssembly in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2016-9651 Google
Redhat
Code Injection vulnerability in multiple products

A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

8.8
2019-01-09 CVE-2016-10403 Google Out-of-bounds Read vulnerability in Google Chrome

Insufficient data validation on image data in PDFium in Google Chrome prior to 51.0.2704.63 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.

8.8
2019-01-09 CVE-2019-0542 Xtermjs
Redhat
Code Injection vulnerability in multiple products

A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.

8.8
2019-01-09 CVE-2018-16201 Toshiba Use of Hard-coded Credentials vulnerability in Toshiba Hem-Gw16A Firmware and Hem-Gw26A Firmware

Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier uses hard-coded credentials, which may allow an attacker on the same network segment to login to the administrators settings screen and change the configuration or execute arbitrary OS commands.

8.3
2019-01-09 CVE-2018-16195 NEC OS Command Injection vulnerability in NEC Aterm Wf1200Cr Firmware and Aterm Wg1200Cr Firmware

Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands via SOAP interface of UPnP.

8.3
2019-01-09 CVE-2018-16186 Ricoh Use of Hard-coded Credentials vulnerability in Ricoh products

RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D5510 V1.1 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.1 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) uses hard-coded credentials, which may allow an attacker on the same network segments to login to the administrators settings screen and change the configuration.

8.3
2019-01-10 CVE-2018-20683 Gitolite Improper Input Validation vulnerability in Gitolite

commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.

8.1
2019-01-11 CVE-2018-16865 Systemd Project
Redhat
Debian
Canonical
Oracle
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket.

7.8
2019-01-11 CVE-2018-16864 Systemd Project
Redhat
Debian
Canonical
Oracle
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog.

7.8
2019-01-11 CVE-2018-4404 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.

7.8
2019-01-10 CVE-2018-15460 Cisco Allocation of Resources Without Limits or Throttling vulnerability in Cisco Asyncos

A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device.

7.8
2019-01-10 CVE-2018-15453 Cisco Out-of-bounds Write vulnerability in Cisco Email Security Appliance Firmware 11.0.1401/11.1.0131

A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory.

7.8
2019-01-09 CVE-2018-6084 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Insufficiently sanitized distributed objects in Updater in Google Chrome on macOS prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via an executable file.

7.8
2019-01-09 CVE-2017-15404 Google Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Chrome

An ability to process crash dumps under root privileges and inappropriate symlinks handling could lead to a local privilege escalation in Crash Reporting in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to perform privilege escalation via a crafted HTML page.

7.8
2019-01-09 CVE-2018-0677 Panasonic OS Command Injection vulnerability in Panasonic Bn-Sdwbp3 Firmware

BN-SDWBP3 firmware version 1.0.9 and earlier allows attacker with administrator rights on the same network segment to execute arbitrary OS commands via unspecified vectors.

7.7
2019-01-08 CVE-2019-0551 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

7.7
2019-01-08 CVE-2019-0550 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10, Windows Server 2019.

7.7
2019-01-08 CVE-2019-0568 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2019-01-08 CVE-2019-0567 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2019-01-08 CVE-2019-0565 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge.

7.6
2019-01-08 CVE-2019-0539 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.

7.6
2019-01-13 CVE-2019-6246 Svgpp Out-of-bounds Read vulnerability in Svgpp 1.2.3

An issue was discovered in SVG++ (aka svgpp) 1.2.3.

7.5
2019-01-11 CVE-2018-4281 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Swiftnio

In SwiftNIO before 1.8.0, a buffer overflow was addressed with improved size validation.

7.5
2019-01-11 CVE-2017-13889 Apple Improper Authentication vulnerability in Apple mac OS X 10.13.0/10.13.1/10.13.2

In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a logic error existed in the validation of credentials.

7.5
2019-01-10 CVE-2019-5893 Nelson IT SQL Injection vulnerability in Nelson-It Open Source ERP 6.3.1

Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.

7.5
2019-01-10 CVE-2019-5886 Shopxo Improper Locking vulnerability in Shopxo 1.2.0

An issue was discovered in ShopXO 1.2.0.

7.5
2019-01-10 CVE-2018-0181 Cisco Missing Authentication for Critical Function vulnerability in Cisco products

A vulnerability in the Redis implementation used by the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software could allow an unauthenticated, remote attacker to modify key-value pairs for short-lived events stored by the Redis server.

7.5
2019-01-09 CVE-2019-5882 Irssi
Canonical
Use After Free vulnerability in multiple products

Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer.

7.5
2019-01-09 CVE-2018-16203 Pgpool Unspecified vulnerability in Pgpool Pgpooladmin

PgpoolAdmin 4.0 and earlier allows remote attackers to bypass the login authentication and obtain the administrative privilege of the PostgreSQL database via unspecified vectors.

7.5
2019-01-09 CVE-2018-16188 Ricoh SQL Injection vulnerability in Ricoh products

SQL injection vulnerability in the RICOH Interactive Whiteboard D2200 V1.3 to V2.2, D5500 V1.3 to V2.2, D5510 V1.3 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.3 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2019-01-09 CVE-2018-16168 Jpcert Code Injection vulnerability in Jpcert Logontracer

LogonTracer 1.2.0 and earlier allows remote attackers to conduct Python code injection attacks via unspecified vectors.

7.5
2019-01-09 CVE-2018-0705 Cybozu Path Traversal vulnerability in Cybozu Dezie

Directory traversal vulnerability in Cybozu Dezie 8.0.2 to 8.1.2 allows remote attackers to read arbitrary files via HTTP requests.

7.5
2019-01-09 CVE-2018-0670 MNC Improper Authentication vulnerability in MNC Inplc-Rt

INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic.

7.5
2019-01-09 CVE-2018-0669 MNC Improper Authentication vulnerability in MNC Inplc-Rt

INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic.

7.5
2019-01-09 CVE-2018-0668 MNC Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in MNC Inplc-Rt

Buffer overflow in INplc-RT 3.08 and earlier allows remote attackers to cause denial-of-service (DoS) condition that may result in executing arbtrary code via unspecified vectors.

7.5
2019-01-09 CVE-2018-0651 Yokogawa Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Yokogawa products

Buffer overflow in the license management function of YOKOGAWA products (iDefine for ProSafe-RS R1.16.3 and earlier, STARDOM VDS R7.50 and earlier, STARDOM FCN/FCJ Simulator R4.20 and earlier, ASTPLANNER R15.01 and earlier, TriFellows V5.04 and earlier) allows remote attackers to stop the license management function or execute an arbitrary program via unspecified vectors.

7.5
2019-01-09 CVE-2018-6158 Google
Debian
Redhat
Race Condition vulnerability in multiple products

A race condition in Oilpan in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

7.5
2019-01-09 CVE-2019-5748 Traccar XXE vulnerability in Traccar Server 4.2

In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.

7.5
2019-01-09 CVE-2019-5747 Busybox
Canonical
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in BusyBox through 1.30.0.

7.5
2019-01-09 CVE-2019-3581 Mcafee Improper Input Validation vulnerability in Mcafee web Gateway

Improper input validation in the proxy component of McAfee Web Gateway 7.8.2.0 and later allows remote attackers to cause a denial of service via a crafted HTTP request parameter.

7.5
2019-01-09 CVE-2018-20675 Dlink Improper Authentication vulnerability in Dlink products

D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authentication bypass.

7.5
2019-01-08 CVE-2019-0547 Microsoft Out-of-bounds Write vulnerability in Microsoft Windows 10 1803

A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client, aka "Windows DHCP Client Remote Code Execution Vulnerability." This affects Windows 10, Windows 10 Servers.

7.5
2019-01-08 CVE-2019-0247 SAP Code Injection vulnerability in SAP Cloud Connector

SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application.

7.5
2019-01-08 CVE-2019-0246 SAP Missing Authentication for Critical Function vulnerability in SAP Cloud Connector

SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity.

7.5
2019-01-08 CVE-2019-5720 Frontaccounting SQL Injection vulnerability in Frontaccounting 2.4.6

includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.

7.5
2019-01-07 CVE-2018-1320 Apache
Debian
F5
Oracle
Improper Certificate Validation vulnerability in multiple products

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class.

7.5
2019-01-07 CVE-2018-11788 Apache XXE vulnerability in Apache Karaf

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder.

7.5
2019-01-09 CVE-2018-17470 Google
Debian
Redhat
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A heap buffer overflow in GPU in Google Chrome prior to 70.0.3538.67 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

7.4
2019-01-09 CVE-2018-16081 Google
Redhat
Missing Authorization vulnerability in multiple products

Allowing the chrome.debugger API to run on file:// URLs in DevTools in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system without file access permission via a crafted Chrome Extension.

7.4
2019-01-09 CVE-2017-15403 Google Command Injection vulnerability in Google Chrome

Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.

7.3
2019-01-11 CVE-2018-4183 Apple Unspecified vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, an access issue was addressed with additional sandbox restrictions.

7.2
2019-01-11 CVE-2018-4182 Apple Unspecified vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, an access issue was addressed with additional sandbox restrictions on CUPS.

7.2
2019-01-10 CVE-2018-5412 Imperva Unspecified vulnerability in Imperva Securesphere 12.0.0.50

Imperva SecureSphere running v12.0.0.50 is vulnerable to local arbitrary code execution, escaping sealed-mode.

7.2
2019-01-07 CVE-2018-5410 Dokan Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dokan Project Dokan

Dokan, versions between 1.0.0.5000 and 1.2.0.1000, are vulnerable to a stack-based buffer overflow in the dokan1.sys driver.

7.2
2019-01-10 CVE-2018-0282 Cisco Unspecified vulnerability in Cisco IOS and IOS XE

A vulnerability in the TCP socket code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

7.1
2019-01-09 CVE-2017-15405 Google Race Condition vulnerability in Google Chrome

Inappropriate symlink handling and a race condition in the stateful recovery feature implementation could lead to a persistance established by a malicious code running with root privileges in cryptohomed in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.

7.0

213 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-13 CVE-2019-6249 Hucart Cross-Site Request Forgery (CSRF) vulnerability in Hucart 5.7.4

An issue was discovered in HuCart v5.7.4.

6.8
2019-01-13 CVE-2019-6247 Antigrain
Svgpp
Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3.

6.8
2019-01-13 CVE-2019-6245 Antigrain
Svgpp
Debian
Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3.

6.8
2019-01-12 CVE-2019-6244 Usualtool Cross-Site Request Forgery (CSRF) vulnerability in Usualtool Usualtoolcms 8.0

An issue was discovered in UsualToolCMS 8.0.

6.8
2019-01-11 CVE-2018-4194 Apple
Microsoft
Out-of-bounds Read vulnerability in Apple products

In iOS before 11.4, iCloud for Windows before 7.5, watchOS before 4.3.1, iTunes before 12.7.5 for Windows, and macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation.

6.8
2019-01-11 CVE-2018-4147 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

In iCloud for Windows before 7.3, Safari before 11.0.3, iTunes before 12.7.3 for Windows, and iOS before 11.2.5, multiple memory corruption issues exist and were addressed with improved memory handling.

6.8
2019-01-10 CVE-2018-5403 Imperva Improper Authentication vulnerability in Imperva Securesphere 13.0.10/13.1.10/13.2.10

Imperva SecureSphere gateway (GW) running v13, for both pre-First Time Login or post-First Time Login (FTL), if the attacker knows the basic authentication passwords, the GW may be vulnerable to RCE through specially crafted requests, from the web access management interface.

6.8
2019-01-10 CVE-2018-0461 Cisco Code Injection vulnerability in Cisco IP Phone 8800 Series Firmware 12.5(1)

A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device.

6.8
2019-01-09 CVE-2018-16185 Ricoh Improper Input Validation vulnerability in Ricoh products

RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D5510 V1.1 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.1 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) allows remote attackers to execute a malicious program.

6.8
2019-01-09 CVE-2018-16183 Panasonic
Microsoft
Unquoted Search Path or Element vulnerability in Panasonic products

An unquoted search path vulnerability in some pre-installed applications on Panasonic PC run on Windows 7 (32bit), Windows 7 (64bit), Windows 8 (64bit), Windows 8.1 (64bit), Windows 10 (64bit) delivered in or later than October 2009 allow local users to gain privileges via a Trojan horse executable file and execute arbitrary code with eleveted privileges.

6.8
2019-01-09 CVE-2018-16182 Rakuten SEC Untrusted Search Path vulnerability in Rakuten-Sec Market Speed

Untrusted search path vulnerability in the installer of MARKET SPEED Ver.16.4 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2019-01-09 CVE-2018-16176 Jaea Untrusted Search Path vulnerability in Jaea Mapping Tool 2.0.1.6/2.0.1.7

Untrusted search path vulnerability in Installer of Mapping Tool 2.0.1.6 and 2.0.1.7 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2019-01-09 CVE-2018-16171 Cybozu
Microsoft
Path Traversal vulnerability in Cybozu Remote Service Manager

Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 allows remote attackers to execute Java code file on the server via unspecified vectors.

6.8
2019-01-09 CVE-2018-16166 Jpcert XXE vulnerability in Jpcert Logontracer

LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.

6.8
2019-01-09 CVE-2018-0689 Epson HTTP Response Splitting vulnerability in Epson products

HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware versions released prior to 2017 August 1, EP-807AB/AW/AR firmware versions released prior to 2017 August 1, EP-808AB/AW/AR firmware versions released prior to 2017 August 7, EP-879AB/AW/AR firmware versions released prior to 2017 June 12, EP-907F firmware versions released prior to 2017 August 1, EP-977A3 firmware versions released prior to 2017 August 1, EP-978A3 firmware versions released prior to 2017 August 7, EP-979A3 firmware versions released prior to 2017 June 12, EP-M570T firmware versions released prior to 2017 September 6, EW-M5071FT firmware versions released prior to 2017 November 2, EW-M660FT firmware versions released prior to 2018 April 19, EW-M770T firmware versions released prior to 2017 September 6, PF-70 firmware versions released prior to 2018 April 20, PF-71 firmware versions released prior to 2017 July 18, PF-81 firmware versions released prior to 2017 September 14, PX-048A firmware versions released prior to 2017 July 4, PX-049A firmware versions released prior to 2017 September 11, PX-437A firmware versions released prior to 2017 July 24, PX-M350F firmware versions released prior to 2018 February 23, PX-M5040F firmware versions released prior to 2017 November 20, PX-M5041F firmware versions released prior to 2017 November 20, PX-M650A firmware versions released prior to 2017 October 17, PX-M650F firmware versions released prior to 2017 October 17, PX-M680F firmware versions released prior to 2017 June 29, PX-M7050F firmware versions released prior to 2017 October 13, PX-M7050FP firmware versions released prior to 2017 October 13, PX-M7050FX firmware versions released prior to 2017 November 7, PX-M7070FX firmware versions released prior to 2017 April 27, PX-M740F firmware versions released prior to 2017 December 4, PX-M741F firmware versions released prior to 2017 December 4, PX-M780F firmware versions released prior to 2017 June 29, PX-M781F firmware versions released prior to 2017 June 27, PX-M840F firmware versions released prior to 2017 November 16, PX-M840FX firmware versions released prior to 2017 December 8, PX-M860F firmware versions released prior to 2017 October 25, PX-S05B/W firmware versions released prior to 2018 March 9, PX-S350 firmware versions released prior to 2018 February 23, PX-S5040 firmware versions released prior to 2017 November 20, PX-S7050 firmware versions released prior to 2018 February 21, PX-S7050PS firmware versions released prior to 2018 February 21, PX-S7050X firmware versions released prior to 2017 November 7, PX-S7070X firmware versions released prior to 2017 April 27, PX-S740 firmware versions released prior to 2017 December 3, PX-S840 firmware versions released prior to 2017 November 16, PX-S840X firmware versions released prior to 2017 December 8, PX-S860 firmware versions released prior to 2017 December 7) may allow a remote attackers to lead a user to a phishing site or execute an arbitrary script on the user's web browser.

6.8
2019-01-09 CVE-2018-0667 MNC Untrusted Search Path vulnerability in MNC Inplc-Rt SDK Express and Inplc SDK Pro+

Untrusted search path vulnerability in Installer of INplc SDK Express 3.08 and earlier and Installer of INplc SDK Pro+ 3.08 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2019-01-08 CVE-2019-0574 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka "Windows Data Sharing Service Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

6.8
2019-01-08 CVE-2019-0573 Microsoft Missing Authorization vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka "Windows Data Sharing Service Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

6.8
2019-01-08 CVE-2019-0572 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka "Windows Data Sharing Service Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

6.8
2019-01-08 CVE-2019-0571 Microsoft Use of Incorrectly-Resolved Name or Reference vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka "Windows Data Sharing Service Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.

6.8
2019-01-08 CVE-2019-0566 Microsoft Missing Authorization vulnerability in Microsoft Edge

An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge.

6.8
2019-01-10 CVE-2018-4033 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation.

6.6
2019-01-10 CVE-2018-4032 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the way the CleanMyMac X software improperly validates inputs.

6.6
2019-01-11 CVE-2019-6129 Libpng Memory Leak vulnerability in Libpng 1.6.36

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp.

6.5
2019-01-11 CVE-2019-6127 Xiaocms SQL Injection vulnerability in Xiaocms 20141229

An issue was discovered in XiaoCms 20141229.

6.5
2019-01-10 CVE-2018-5413 Imperva Incorrect Permission Assignment for Critical Resource vulnerability in Imperva Securesphere 11.5/12.0/13.0

Imperva SecureSphere running v13.0, v12.0, or v11.5 allows low privileged users to add SSH login keys to the admin user, resulting in privilege escalation.

6.5
2019-01-09 CVE-2019-3498 Djangoproject
Debian
Canonical
Fedoraproject
Injection vulnerability in multiple products

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

6.5
2019-01-09 CVE-2018-16175 Thimpress SQL Injection vulnerability in Thimpress Learnpress

SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.

6.5
2019-01-09 CVE-2018-16170 Cybozu
Microsoft
Path Traversal vulnerability in Cybozu Remote Service Manager

Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 for Windows allows remote authenticated attackers to read arbitrary files via unspecified vectors.

6.5
2019-01-09 CVE-2018-16169 Cybozu Unrestricted Upload of File with Dangerous Type vulnerability in Cybozu Remote Service Manager 3.0.0/3.0.1/3.1.0

Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated attackers to upload and execute Java code file on the server via unspecified vectors.

6.5
2019-01-09 CVE-2018-1000421 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Mesos

An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2019-01-09 CVE-2018-1000420 Apache Incorrect Authorization vulnerability in Apache Mesos

An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.

6.5
2019-01-09 CVE-2018-1000419 Atlassian Unspecified vulnerability in Atlassian Hipchat

An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.

6.5
2019-01-09 CVE-2018-0641 NEC Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NEC Aterm Hc100Rc Firmware

Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary code via tools_system.cgi date parameter, time parameter, and offset parameter.

6.5
2019-01-09 CVE-2018-0640 NEC Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NEC Aterm Hc100Rc Firmware

Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary code via netWizard.cgi date parameter, time parameter, and offset parameter.

6.5
2019-01-09 CVE-2018-0633 NEC Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NEC Aterm W300P Firmware

Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary code via submit-url parameter.

6.5
2019-01-09 CVE-2018-0632 NEC Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NEC Aterm W300P Firmware

Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary code via HTTP request and response.

6.5
2019-01-09 CVE-2018-6179 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

Insufficient enforcement of file access permission in the activeTab case in Extensions in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension.

6.5
2019-01-09 CVE-2018-6175 Google
Debian
Redhat
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
6.5
2019-01-09 CVE-2018-6173 Google
Debian
Redhat
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
6.5
2019-01-09 CVE-2018-6172 Google
Debian
Redhat
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
6.5
2019-01-09 CVE-2018-6169 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Lack of timeout on extension install prompt in Extensions in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to trigger installation of an unwanted extension via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6167 Google
Debian
Redhat
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
6.5
2019-01-09 CVE-2018-6166 Google
Debian
Redhat
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
6.5
2019-01-09 CVE-2018-6165 Google
Debian
Redhat
Incorrect handling of reloads in Navigation in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
6.5
2019-01-09 CVE-2018-6164 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

Insufficient origin checks for CSS content in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6163 Google
Debian
Redhat
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
6.5
2019-01-09 CVE-2018-6160 Google Improper Input Validation vulnerability in Google Chrome

JavaScript alert handling in Prompts in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6143 Google
Debian
Redhat
Out-of-bounds Read vulnerability in multiple products

Insufficient validation in V8 in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6137 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

CSS Paint API in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6135 Google
Debian
Redhat
Lack of clearing the previous site before loading alerts from a new one in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
6.5
2019-01-09 CVE-2018-6133 Google
Debian
Redhat
Data Processing Errors vulnerability in multiple products

Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

6.5
2019-01-09 CVE-2018-6123 Google
Debian
Redhat
Use After Free vulnerability in multiple products

A use after free in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6117 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

Confusing settings in Autofill in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6114 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Incorrect enforcement of CSP for <object> tags in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass content security policy via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6113 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Improper handling of pending navigation entries in Navigation in Google Chrome on iOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6109 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

readAsText() can indefinitely read the file picked by the user, rather than only once at the time the file is picked in File API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to access data on the user file system without explicit consent via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6100 Google
Debian
Redhat
Data Processing Errors vulnerability in multiple products

Incorrect handling of confusable characters in URL Formatter in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

6.5
2019-01-09 CVE-2018-6097 Google
Debian
Redhat
Data Processing Errors vulnerability in multiple products

Incorrect handling of asynchronous methods in Fullscreen in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to enter full screen without showing a warning via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6096 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

A JavaScript focused window could overlap the fullscreen notification in Fullscreen in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obscure the full screen warning via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6093 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

Insufficient origin checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2019-01-09 CVE-2018-6091 Google
Debian
Redhat
Data Processing Errors vulnerability in multiple products

Service Workers can intercept any request made by an <embed> or <object> tag in Fetch API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2019-01-09 CVE-2018-20070 Google Improper Input Validation vulnerability in Google Chrome

Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

6.5
2019-01-09 CVE-2018-17459 Google
Redhat
Incorrect handling of clicks in the omnibox in Navigation in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
6.5
2019-01-09 CVE-2018-16088 Google
Redhat
Improper Input Validation vulnerability in multiple products

A missing check for JS-simulated input events in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to download arbitrary files with no user input via a crafted HTML page.

6.5
2019-01-09 CVE-2018-16082 Google
Redhat
Out-of-bounds Read vulnerability in multiple products

An out of bounds read in Swiftshader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

6.5
2019-01-09 CVE-2018-16080 Google Improper Input Validation vulnerability in Google Chrome

A missing check for popup window handling in Fullscreen in Google Chrome on macOS prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

6.5
2019-01-09 CVE-2018-16078 Google
Redhat
Information Exposure vulnerability in multiple products

Unsafe handling of credit card details in Autofill in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

6.5
2019-01-09 CVE-2018-16072 Google Origin Validation Error vulnerability in Google Chrome

A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

6.5
2019-01-09 CVE-2018-16067 Google
Debian
Redhat
Use After Free vulnerability in multiple products

A use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.5
2019-01-09 CVE-2018-16066 Google
Debian
Redhat
Use After Free vulnerability in multiple products

A use after free in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.5
2019-01-09 CVE-2018-20674 Dlink Unspecified vulnerability in Dlink products

D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authenticated remote command execution.

6.5
2019-01-08 CVE-2019-0243 SAP Missing Authorization vulnerability in SAP Bw/4Hana 1.0

Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

6.5
2019-01-08 CVE-2018-2484 SAP Missing Authorization vulnerability in SAP products

SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

6.5
2019-01-07 CVE-2018-11798 Apache File and Directory Information Exposure vulnerability in Apache Thrift

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

6.5
2019-01-10 CVE-2018-20684 Winscp Improper Input Validation vulnerability in Winscp

In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files.

6.4
2019-01-10 CVE-2019-5887 Shopxo Path Traversal vulnerability in Shopxo 1.2.0

An issue was discovered in ShopXO 1.2.0.

6.4
2019-01-09 CVE-2018-1000408 Jenkins Unspecified vulnerability in Jenkins

A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.

6.4
2019-01-09 CVE-2018-0704 Cybozu Path Traversal vulnerability in Cybozu Office

Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 allows remote attackers to delete arbitrary files via Keitai Screen.

6.4
2019-01-09 CVE-2018-0703 Cybozu Path Traversal vulnerability in Cybozu Office

Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 allows remote attackers to delete arbitrary files via HTTP requests.

6.4
2019-01-09 CVE-2018-0702 Cybozu Path Traversal vulnerability in Cybozu Mailwise

Directory traversal vulnerability in Cybozu Mailwise 5.0.0 to 5.4.5 allows remote attackers to delete arbitrary files via unspecified vectors.

6.4
2019-01-10 CVE-2017-1002152 Redhat Cross-site Scripting vulnerability in Redhat Bodhi

Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.

6.1
2019-01-09 CVE-2018-20071 Google Cross-site Scripting vulnerability in Google Chrome

Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controled files via a crafted HTML page.

6.1
2019-01-09 CVE-2018-16084 Google
Redhat
Cross-site Scripting vulnerability in multiple products

The default selected dialog button in CustomHandlers in Google Chrome prior to 69.0.3497.81 allowed a remote attacker who convinced the user to perform certain operations to open external programs via a crafted HTML page.

6.1
2019-01-09 CVE-2018-20677 Getbootstrap Cross-site Scripting vulnerability in Getbootstrap Bootstrap

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

6.1
2019-01-09 CVE-2018-20676 Getbootstrap Cross-site Scripting vulnerability in Getbootstrap Bootstrap

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

6.1
2019-01-09 CVE-2018-16200 Toshiba OS Command Injection vulnerability in Toshiba Hem-Gw16A Firmware and Hem-Gw26A Firmware

Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an attacker on the same network segment to execute arbitrary OS commands.

5.8
2019-01-09 CVE-2018-16198 Toshiba Unspecified vulnerability in Toshiba Hem-Gw16A Firmware and Hem-Gw26A Firmware

Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier may allow an attacker on the same network segment to access a non-documented developer screen to perform operations on the affected device.

5.8
2019-01-09 CVE-2018-16191 EC Cube Open Redirect vulnerability in Ec-Cube

Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13, EC-CUBE 3.0.14, EC-CUBE 3.0.15, EC-CUBE 3.0.16) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2019-01-09 CVE-2018-16181 DAJ HTTP Response Splitting vulnerability in DAJ I-Filter

HTTP header injection vulnerability in i-FILTER Ver.9.50R05 and earlier may allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks that may result in an arbitrary script injection or setting an arbitrary cookie values via unspecified vectors.

5.8
2019-01-09 CVE-2018-16174 Thimpress Open Redirect vulnerability in Thimpress Learnpress

Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2019-01-09 CVE-2018-16172 Cybozu Improper Restriction of Rendered UI Layers or Frames vulnerability in Cybozu Remote Service Manager

Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate.

5.8
2019-01-09 CVE-2018-1000417 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Email Extension Template

A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates.

5.8
2019-01-09 CVE-2018-1000414 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Config File Provider

A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.

5.8
2019-01-09 CVE-2018-1000409 Jenkins Session Fixation vulnerability in Jenkins

A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account.

5.8
2019-01-09 CVE-2018-0688 Epson Open Redirect vulnerability in Epson products

Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware versions released prior to 2017 August 1, EP-807AB/AW/AR firmware versions released prior to 2017 August 1, EP-808AB/AW/AR firmware versions released prior to 2017 August 7, EP-879AB/AW/AR firmware versions released prior to 2017 June 12, EP-907F firmware versions released prior to 2017 August 1, EP-977A3 firmware versions released prior to 2017 August 1, EP-978A3 firmware versions released prior to 2017 August 7, EP-979A3 firmware versions released prior to 2017 June 12, EP-M570T firmware versions released prior to 2017 September 6, EW-M5071FT firmware versions released prior to 2017 November 2, EW-M660FT firmware versions released prior to 2018 April 19, EW-M770T firmware versions released prior to 2017 September 6, PF-70 firmware versions released prior to 2018 April 20, PF-71 firmware versions released prior to 2017 July 18, PF-81 firmware versions released prior to 2017 September 14, PX-048A firmware versions released prior to 2017 July 4, PX-049A firmware versions released prior to 2017 September 11, PX-437A firmware versions released prior to 2017 July 24, PX-M350F firmware versions released prior to 2018 February 23, PX-M5040F firmware versions released prior to 2017 November 20, PX-M5041F firmware versions released prior to 2017 November 20, PX-M650A firmware versions released prior to 2017 October 17, PX-M650F firmware versions released prior to 2017 October 17, PX-M680F firmware versions released prior to 2017 June 29, PX-M7050F firmware versions released prior to 2017 October 13, PX-M7050FP firmware versions released prior to 2017 October 13, PX-M7050FX firmware versions released prior to 2017 November 7, PX-M7070FX firmware versions released prior to 2017 April 27, PX-M740F firmware versions released prior to 2017 December 4, PX-M741F firmware versions released prior to 2017 December 4, PX-M780F firmware versions released prior to 2017 June 29, PX-M781F firmware versions released prior to 2017 June 27, PX-M840F firmware versions released prior to 2017 November 16, PX-M840FX firmware versions released prior to 2017 December 8, PX-M860F firmware versions released prior to 2017 October 25, PX-S05B/W firmware versions released prior to 2018 March 9, PX-S350 firmware versions released prior to 2018 February 23, PX-S5040 firmware versions released prior to 2017 November 20, PX-S7050 firmware versions released prior to 2018 February 21, PX-S7050PS firmware versions released prior to 2018 February 21, PX-S7050X firmware versions released prior to 2017 November 7, PX-S7070X firmware versions released prior to 2017 April 27, PX-S740 firmware versions released prior to 2017 December 3, PX-S840 firmware versions released prior to 2017 November 16, PX-S840X firmware versions released prior to 2017 December 8, PX-S860 firmware versions released prior to 2017 December 7) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the web interface of the affected product.

5.8
2019-01-09 CVE-2018-0676 Panasonic Improper Authentication vulnerability in Panasonic Bn-Sdwbp3 Firmware

BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to bypass authentication to access to the management screen and execute an arbitrary command via unspecified vectors.

5.8
2019-01-07 CVE-2018-5481 Netapp Missing Encryption of Sensitive Data vulnerability in Netapp Oncommand Unified Manager

OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 uses cookies that lack the secure attribute in certain circumstances making it vulnerable to impersonation via man-in-the-middle (MITM) attacks.

5.8
2019-01-11 CVE-2019-6131 Artifex Uncontrolled Recursion vulnerability in Artifex Mupdf 1.14.0

svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.

5.5
2019-01-11 CVE-2019-6130 Artifex Range Error vulnerability in Artifex Mupdf 1.14.0

Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool.

5.5
2019-01-09 CVE-2018-6147 Google
Debian
Redhat
Information Exposure vulnerability in multiple products

Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process.

5.5
2019-01-08 CVE-2019-5721 Wireshark Use After Free vulnerability in Wireshark

In Wireshark 2.4.0 to 2.4.11, the ENIP dissector could crash.

5.5
2019-01-08 CVE-2019-5719 Wireshark
Debian
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the ISAKMP dissector could crash.

5.5
2019-01-08 CVE-2019-5718 Wireshark
Debian
Out-of-bounds Read vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector and other ASN.1 dissectors could crash.

5.5
2019-01-08 CVE-2019-5717 Wireshark
Debian
Improper Input Validation vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the P_MUL dissector could crash.

5.5
2019-01-08 CVE-2019-5716 Wireshark
Debian
Improper Input Validation vulnerability in multiple products

In Wireshark 2.6.0 to 2.6.5, the 6LoWPAN dissector could crash.

5.5
2019-01-09 CVE-2018-1000413 Jenkins Cross-site Scripting vulnerability in Jenkins Config File Provider

A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.

5.4
2019-01-09 CVE-2018-6110 Google
Debian
Redhat
Improper Input Validation vulnerability in multiple products

Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.

5.4
2019-01-10 CVE-2018-20685 Openbsd
Winscp
Netapp
Debian
Canonical
Redhat
Oracle
Fujitsu
Siemens
Incorrect Authorization vulnerability in multiple products

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of .

5.3
2019-01-09 CVE-2018-16079 Google
Redhat
Race Condition vulnerability in multiple products

A race condition between permission prompts and navigations in Prompts in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

5.3
2019-01-09 CVE-2018-0678 Panasonic Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Panasonic Bn-Sdwbp3 Firmware

Buffer overflow in BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to execute arbitrary code via unspecified vectors.

5.2
2019-01-09 CVE-2018-0666 Yamaha Unspecified vulnerability in Yamaha products

Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser.

5.2
2019-01-09 CVE-2018-0665 Yamaha Unspecified vulnerability in Yamaha products

Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser.

5.2
2019-01-12 CVE-2019-3803 Pivotal Software Information Exposure vulnerability in Pivotal Software Concourse

Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow.

5.0
2019-01-11 CVE-2018-4277 Apple Improper Input Validation vulnerability in Apple products

In iOS before 11.4.1, watchOS before 4.3.2, tvOS before 11.4.1, Safari before 11.1.1, macOS High Sierra before 10.13.6, a spoofing issue existed in the handling of URLs.

5.0
2019-01-11 CVE-2018-4217 Apple Information Exposure vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, a privacy issue in the handling of Open Directory records was addressed with improved indexing.

5.0
2019-01-11 CVE-2018-4186 Apple Information Exposure vulnerability in Apple Safari

In Safari before 11.1, an information leakage issue existed in the handling of downloads in Safari Private Browsing.

5.0
2019-01-11 CVE-2018-4185 Apple Information Exposure vulnerability in Apple products

In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS before High Sierra 10.13.4, an information disclosure issue existed in the transition of program state.

5.0
2019-01-11 CVE-2017-13888 Apple Incorrect Type Conversion or Cast vulnerability in Apple Iphone OS

In iOS before 11.2, a type confusion issue was addressed with improved memory handling.

5.0
2019-01-11 CVE-2017-13887 Apple Key Management Errors vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.2, a logic issue existed in APFS when deleting keys during hibernation.

5.0
2019-01-11 CVE-2019-6138 MZ Automation Memory Leak vulnerability in Mz-Automation Libiec61850 1.3.1

An issue has been found in libIEC61850 v1.3.1.

5.0
2019-01-11 CVE-2019-6137 MZ Automation NULL Pointer Dereference vulnerability in Mz-Automation Lib60870 2.1.1

An issue was discovered in lib60870 2.1.1.

5.0
2019-01-11 CVE-2019-6136 MZ Automation Unspecified vulnerability in Mz-Automation Libiec61850 1.3.1

An issue has been found in libIEC61850 v1.3.1.

5.0
2019-01-11 CVE-2019-6135 MZ Automation Memory Leak vulnerability in Mz-Automation Libiec61850 1.3.1

An issue has been found in libIEC61850 v1.3.1.

5.0
2019-01-11 CVE-2018-15464 Cisco Resource Exhaustion vulnerability in Cisco ASR 900 Series Software 16.6.2

A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition on an affected device.

5.0
2019-01-11 CVE-2019-6132 Axiosys Memory Leak vulnerability in Axiosys Bento4 1.5.1627

An issue was discovered in Bento4 v1.5.1-627.

5.0
2019-01-11 CVE-2019-6126 Advance Peer TO Peer MLM Script Project Forced Browsing vulnerability in Advance Peer TO Peer MLM Script Project Advance Peer TO Peer MLM Script 1.7.0

The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1.7.0 allows remote attackers to bypass intended access restrictions by directly navigating to admin/dashboard.php or admin/user.php, as demonstrated by disclosure of information about users and staff.

5.0
2019-01-10 CVE-2018-15458 Cisco Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Management Center 6.2.2/6.2.3/6.3.0

A vulnerability in the Shell Access Filter feature of Cisco Firepower Management Center (FMC), when used in conjunction with remote authentication, could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition.

5.0
2019-01-09 CVE-2018-16202 Ionicframework Path Traversal vulnerability in Ionicframework Ionic web View

Directory traversal vulnerability in cordova-plugin-ionic-webview versions prior to 2.2.0 (not including 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, and 2.1.0-0) allows remote attackers to access arbitrary files via unspecified vectors.

5.0
2019-01-09 CVE-2018-16196 Yokogawa Improper Input Validation vulnerability in Yokogawa products

Multiple Yokogawa products that contain Vnet/IP Open Communication Driver (CENTUM CS 3000(R3.05.00 - R3.09.50), CENTUM CS 3000 Entry Class(R3.05.00 - R3.09.50), CENTUM VP(R4.01.00 - R6.03.10), CENTUM VP Entry Class(R4.01.00 - R6.03.10), Exaopc(R3.10.00 - R3.75.00), PRM(R2.06.00 - R3.31.00), ProSafe-RS(R1.02.00 - R4.02.00), FAST/TOOLS(R9.02.00 - R10.02.00), B/M9000 VP(R6.03.01 - R8.01.90)) allows remote attackers to cause a denial of service attack that may result in stopping Vnet/IP Open Communication Driver's communication via unspecified vectors.

5.0
2019-01-09 CVE-2018-16178 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to bypass access restriction to view information available only for a sign-on user via Single sign-on function.

5.0
2019-01-09 CVE-2018-20679 Busybox
Canonical
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in BusyBox before 1.30.0.

5.0
2019-01-08 CVE-2019-5725 Qibosoft Server-Side Request Forgery (SSRF) vulnerability in Qibosoft 7.0

qibosoft through V7 allows remote attackers to read arbitrary files via the member/index.php main parameter, as demonstrated by SSRF to a URL on the same web site to read a .sql file.

5.0
2019-01-08 CVE-2019-0564 Microsoft Data Processing Errors vulnerability in Microsoft Asp.Net Core 2.1

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This affects ASP.NET Core 2.1.

5.0
2019-01-08 CVE-2019-0548 Microsoft Data Processing Errors vulnerability in Microsoft Asp.Net Core 2.1/2.2

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This affects ASP.NET Core 2.2, ASP.NET Core 2.1.

5.0
2019-01-08 CVE-2019-0545 Microsoft Information Exposure vulnerability in Microsoft .Net Core and .Net Framework

An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7/4.7.1/4.7.2, .NET Core 2.1, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 2.2, Microsoft .NET Framework 4.7.2.

5.0
2019-01-08 CVE-2019-0249 SAP Unspecified vulnerability in SAP Landscape Management 3.0

Under certain conditions SAP Landscape Management (VCM 3.0) allows an attacker to access information which would otherwise be restricted.

5.0
2019-01-08 CVE-2019-0241 SAP Unspecified vulnerability in SAP Agentry SDK and Work Manager

SAP Work and Inventory Manager (Agentry_SDK , before 7.0, 7.1) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.

5.0
2019-01-08 CVE-2019-0240 SAP Unspecified vulnerability in SAP Businessobjects Mobile

SAP Business Objects Mobile for Android (before 6.3.5) application allows an attacker to provide malicious input in the form of a SAP BI link, preventing legitimate users from accessing the application by crashing it.

5.0
2019-01-08 CVE-2018-2499 SAP Unspecified vulnerability in SAP products

A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES fixed in versions 8.0, 10.1) may allow an attacker to discover the password hash of an admin user.

5.0
2019-01-07 CVE-2015-9275 ARC Project Path Traversal vulnerability in ARC Project ARC 5.21Q

ARC 5.21q allows directory traversal via a full pathname in an archive file.

5.0
2019-01-07 CVE-2019-5488 Earclink SQL Injection vulnerability in Earclink Espcms-P8

EARCLINK ESPCMS-P8 has SQL injection in the install_pack/index.php?ac=Member&at=verifyAccount verify_key parameter.

5.0
2019-01-11 CVE-2018-4181 Apple
Canonical
Debian
In macOS High Sierra before 10.13.5, an issue existed in CUPS.
4.9
2019-01-10 CVE-2018-4047 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation.

4.9
2019-01-10 CVE-2018-4045 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation.

4.9
2019-01-10 CVE-2018-4044 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation.

4.9
2019-01-10 CVE-2018-4043 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation.

4.9
2019-01-10 CVE-2018-4042 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation.

4.9
2019-01-10 CVE-2018-4041 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation.

4.9
2019-01-10 CVE-2018-4035 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

The CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation.

4.9
2019-01-10 CVE-2018-4034 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

The CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation.

4.9
2019-01-11 CVE-2018-4180 Apple
Debian
Canonical
In macOS High Sierra before 10.13.5, an issue existed in CUPS.
4.6
2019-01-10 CVE-2019-0088 Intel Unspecified vulnerability in Intel System Support Utility

Insufficient path checking in Intel(R) System Support Utility for Windows before 2.5.0.15 may allow an authenticated user to potentially enable an escalation of privilege via local access.

4.6
2019-01-10 CVE-2018-3703 Intel
Microsoft
Incorrect Permission Assignment for Critical Resource vulnerability in Intel SSD Data Center Tool

Improper directory permissions in the installer for the Intel(R) SSD Data Center Tool for Windows before v3.0.17 may allow authenticated users to potentially enable an escalation of privilege via local access.

4.6
2019-01-10 CVE-2018-12177 Intel Incorrect Permission Assignment for Critical Resource vulnerability in Intel Proset/Wireless Software

Improper directory permissions in the ZeroConfig service in Intel(R) PROSet/Wireless WiFi Software before version 20.90.0.7 may allow an authorized user to potentially enable escalation of privilege via local access.

4.6
2019-01-10 CVE-2017-3718 Intel Unspecified vulnerability in Intel products

Improper setting of device configuration in system firmware for Intel(R) NUC kits may allow a privileged user to potentially enable escalation of privilege via physical access.

4.6
2019-01-09 CVE-2018-0671 MNC Improper Privilege Management vulnerability in MNC Inplc-Rt

Privilege escalation vulnerability in INplc-RT 3.08 and earlier allows an attacker with administrator rights to execute arbitrary code on the Windows system via unspecified vectors.

4.6
2019-01-08 CVE-2019-0570 Microsoft Use After Free vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory, aka "Windows Runtime Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

4.6
2019-01-08 CVE-2019-0552 Microsoft Incorrect Authorization vulnerability in Microsoft products

An elevation of privilege exists in Windows COM Desktop Broker, aka "Windows COM Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

4.6
2019-01-08 CVE-2019-0543 Microsoft Improper Authentication vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

4.6
2019-01-11 CVE-2019-6133 Polkit Project
Debian
Redhat
Canonical
Race Condition vulnerability in multiple products

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached.

4.4
2019-01-10 CVE-2018-18098 Intel
Microsoft
Incorrect Permission Assignment for Critical Resource vulnerability in Intel SGX Platform Software and SGX SDK

Improper file verification in install routine for Intel(R) SGX SDK and Platform Software for Windows before 2.2.100 may allow an escalation of privilege via local access.

4.4
2019-01-09 CVE-2018-16177 NTT West Uncontrolled Search Path Element vulnerability in Ntt-West Fall Creators Update

Untrusted search path vulnerability in The installer of Windows 10 Fall Creators Update Modify module for Security Measures tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

4.4
2019-01-08 CVE-2019-0555 Microsoft Missing Authorization vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft XmlDocument Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

4.4
2019-01-13 CVE-2019-6248 Citysearch Hotfrog Gelbeseiten Clone Script Project Cross-site Scripting vulnerability in Citysearch / Hotfrog / Gelbeseiten Clone Script Project Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1

PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php.

4.3
2019-01-13 CVE-2018-16206 Ohtanz Cross-site Scripting vulnerability in Ohtanz Spam-Byebye

Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-01-12 CVE-2019-6243 Frog CMS Project Cross-site Scripting vulnerability in Frog CMS Project Frog CMS 0.9.5

Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI).

4.3
2019-01-11 CVE-2018-4278 Apple
Canonical
In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11.4.1, tvOS before 11.4.1, iCloud for Windows before 7.6, sound fetched through audio elements may be exfiltrated cross-origin.
4.3
2019-01-11 CVE-2017-2411 Apple 7PK - Security Features vulnerability in Apple Iphone OS

In iOS before 11.2, exchange rates were retrieved from HTTP rather than HTTPS.

4.3
2019-01-11 CVE-2017-13891 Apple Improper Input Validation vulnerability in Apple Iphone OS

In iOS before 11.2, an inconsistent user interface issue was addressed through improved state management.

4.3
2019-01-11 CVE-2016-4642 Apple 7PK - Security Features vulnerability in Apple TV, Iphone OS and mac OS

In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely.

4.3
2019-01-11 CVE-2018-15467 Cisco Cross-site Scripting vulnerability in Cisco Telepresence Management Suite 15.7

A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

4.3
2019-01-11 CVE-2018-15466 Cisco Missing Authentication for Critical Function vulnerability in Cisco Policy Suite for Mobile 12.0.0

A vulnerability in the Graphite web interface of the Policy and Charging Rules Function (PCRF) of Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access the Graphite web interface.

4.3
2019-01-10 CVE-2018-15461 Cisco Cross-site Scripting vulnerability in Cisco Webex Business Suite

A vulnerability in the MyWebex component of Cisco Webex Business Suite could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack.

4.3
2019-01-10 CVE-2018-15457 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure 3.5

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system.

4.3
2019-01-10 CVE-2019-5884 Std42 Information Exposure vulnerability in Std42 Elfinder

php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP's curl extension is enabled and safe_mode or open_basedir is not set.

4.3
2019-01-09 CVE-2018-16199 Toshiba Cross-site Scripting vulnerability in Toshiba Hem-Gw16A Firmware and Hem-Gw26A Firmware

Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an remote attacker to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-01-09 CVE-2018-16187 Ricoh Improper Certificate Validation vulnerability in Ricoh products

The RICOH Interactive Whiteboard D2200 V1.3 to V2.2, D5500 V1.3 to V2.2, D5510 V1.3 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.3 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) does not verify its server certificates, which allows man-in-the-middle attackers to eversdrop on encrypted communication.

4.3
2019-01-09 CVE-2018-16180 DAJ Cross-site Scripting vulnerability in DAJ I-Filter

Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-01-09 CVE-2018-16179 Mizuhobank Improper Certificate Validation vulnerability in Mizuhobank Mizuho Direct Application 3.13.0

The Mizuho Direct App for Android version 3.13.0 and earlier does not verify server certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

4.3
2019-01-09 CVE-2018-16173 Thimpress Cross-site Scripting vulnerability in Thimpress Learnpress

Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-01-09 CVE-2018-16165 Jpcert Cross-site Scripting vulnerability in Jpcert Logontracer

Cross-site scripting vulnerability in LogonTracer 1.2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-01-09 CVE-2018-1000426 Jenkins Cross-site Scripting vulnerability in Jenkins GIT Changelog

A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.

4.3
2019-01-09 CVE-2018-1000416 Jobconfighistory Project Cross-site Scripting vulnerability in Jobconfighistory Project Jobconfighistory

A reflected cross-site scripting vulnerability exists in Jenkins Job Config History Plugin 2.18 and earlier in all Jelly files that shows arbitrary attacker-specified HTML in Jenkins to users with Job/Configure access.

4.3
2019-01-09 CVE-2018-1000411 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Junit

A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.

4.3
2019-01-09 CVE-2018-1000407 Jenkins Cross-site Scripting vulnerability in Jenkins

A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins.

4.3
2019-01-09 CVE-2016-10736 Devpups Cross-site Scripting vulnerability in Devpups Social PUG

The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter.

4.3
2019-01-09 CVE-2018-6178 Google
Debian
Redhat
Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products

Eliding from the wrong side in an infobar in DevTools in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to Hide Chrome Security UI via a crafted Chrome Extension.

4.3
2019-01-09 CVE-2018-6112 Google
Debian
Redhat
Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products

Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

4.3
2019-01-09 CVE-2018-20069 Google Unspecified vulnerability in Google Chrome

Failure to prevent navigation to top frame to data URLs in Navigation in Google Chrome on iOS prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.

4.3
2019-01-09 CVE-2018-20068 Google Improper Input Validation vulnerability in Google Chrome

Incorrect handling of 304 status codes in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.

4.3
2019-01-09 CVE-2018-20067 Google Unspecified vulnerability in Google Chrome

A renderer initiated back navigation was incorrectly allowed to cancel a browser initiated one in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.

4.3
2019-01-09 CVE-2018-16087 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Chrome

Lack of proper state tracking in Permissions in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

4.3
2019-01-09 CVE-2016-10735 Getbootstrap Cross-site Scripting vulnerability in Getbootstrap Bootstrap

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

4.3
2019-01-08 CVE-2019-0561 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when Microsoft Word macro buttons are used improperly, aka "Microsoft Word Information Disclosure Vulnerability." This affects Microsoft Word, Office 365 ProPlus, Microsoft Office, Word.

4.3
2019-01-08 CVE-2019-0560 Microsoft Unspecified vulnerability in Microsoft Office, Office 365 Proplus and Outlook

An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory, aka "Microsoft Office Information Disclosure Vulnerability." This affects Office 365 ProPlus, Microsoft Office.

4.3
2019-01-08 CVE-2019-0559 Microsoft Unspecified vulnerability in Microsoft Office, Office 365 Proplus and Outlook

An information disclosure vulnerability exists when Microsoft Outlook improperly handles certain types of messages, aka "Microsoft Outlook Information Disclosure Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Outlook.

4.3
2019-01-08 CVE-2019-0537 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2010/2012

An information disclosure vulnerability exists when Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file, aka "Microsoft Visual Studio Information Disclosure Vulnerability." This affects Microsoft Visual Studio.

4.3
2019-01-08 CVE-2019-0248 SAP Unspecified vulnerability in SAP Basis and Netweaver

Under certain conditions SAP Gateway of ABAP Application Server (fixed in SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) allows an attacker to access information which would otherwise be restricted.

4.3
2019-01-08 CVE-2019-0238 SAP Cross-site Scripting vulnerability in SAP Hybris

SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

4.3
2019-01-12 CVE-2018-20699 Docker
Redhat
Resource Exhaustion vulnerability in multiple products

Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.

4.0
2019-01-11 CVE-2017-13886 Apple Unspecified vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.2, an access issue existed with privileged WiFi system configuration.

4.0
2019-01-11 CVE-2016-4644 Apple Information Exposure vulnerability in Apple TV, Iphone OS and mac OS

In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain.

4.0
2019-01-11 CVE-2016-4643 Apple Information Exposure vulnerability in Apple TV, Iphone OS and mac OS

In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses.

4.0
2019-01-10 CVE-2018-15456 Cisco Insufficiently Protected Credentials vulnerability in Cisco Identity Services Engine

A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text.

4.0
2019-01-10 CVE-2018-0484 Cisco Unspecified vulnerability in Cisco IOS 16.6.2/16.6.4

A vulnerability in the access control logic of the Secure Shell (SSH) server of Cisco IOS and IOS XE Software may allow connections sourced from a virtual routing and forwarding (VRF) instance despite the absence of the vrf-also keyword in the access-class configuration.

4.0
2019-01-10 CVE-2019-5892 Frrouting Interpretation Conflict vulnerability in Frrouting

bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet.

4.0
2019-01-10 CVE-2018-0474 Cisco Insufficiently Protected Credentials vulnerability in Cisco Unified Communications Manager 10.5(2.14076.1)

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view digest credentials in clear text.

4.0
2019-01-09 CVE-2018-1000422 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian Crowd2

An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings.

4.0
2019-01-09 CVE-2018-1000412 Jenkins Incorrect Authorization vulnerability in Jenkins Jira

An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.0
2019-01-09 CVE-2018-1000406 Jenkins Path Traversal vulnerability in Jenkins

A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

4.0
2019-01-08 CVE-2019-0588 Microsoft Incorrect Permission Assignment for Critical Resource vulnerability in Microsoft Exchange Server

An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server.

4.0
2019-01-08 CVE-2018-1932 IBM Information Exposure vulnerability in IBM API Connect

IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information.

4.0

44 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-09 CVE-2018-20681 Mate Desktop Information Exposure vulnerability in Mate-Desktop Mate-Screensaver

mate-screensaver before 1.20.2 in MATE Desktop Environment allows physically proximate attackers to view screen content and possibly control applications.

3.6
2019-01-13 CVE-2018-20703 Cubecart Cross-site Scripting vulnerability in Cubecart 6.2.2

CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.

3.5
2019-01-13 CVE-2018-16887 Redhat
Theforeman
Cross-site Scripting vulnerability in multiple products

A cross-site scripting (XSS) flaw was found in the katello component of Satellite.

3.5
2019-01-10 CVE-2018-0483 Cisco Cross-site Scripting vulnerability in Cisco Jabber 10.0(0)

A vulnerability in Cisco Jabber Client Framework (JCF) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected system.

3.5
2019-01-10 CVE-2018-0482 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure 3.5(0.0)

A vulnerability in the web-based management interface of Cisco Prime Network Control System could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system.

3.5
2019-01-09 CVE-2018-20682 Fork CMS Cross-site Scripting vulnerability in Fork-Cms Fork CMS 5.0.6

Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka "Admin ids" input in the Facebook section).

3.5
2019-01-09 CVE-2018-16205 Weseek Cross-site Scripting vulnerability in Weseek Growi

Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal.

3.5
2019-01-09 CVE-2018-16204 Google XML Sitemaps Project Cross-site Scripting vulnerability in Google XML Sitemaps Project Google XML Sitemaps

Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0.9 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2019-01-09 CVE-2018-16193 NEC Cross-site Scripting vulnerability in NEC Aterm Wf1200Cr Firmware and Aterm Wg1200Cr Firmware

Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2019-01-09 CVE-2018-16164 WEB Dorado Cross-site Scripting vulnerability in Web-Dorado Event Calendar WD

Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2019-01-09 CVE-2018-1000415 Rebuild Project Cross-site Scripting vulnerability in Rebuild Project Rebuild

A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms.

3.5
2019-01-09 CVE-2018-0698 Weseek Cross-site Scripting vulnerability in Weseek Growi

Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2019-01-09 CVE-2018-20680 Frog CMS Project Cross-site Scripting vulnerability in Frog CMS Project Frog CMS 0.9.5

Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.

3.5
2019-01-08 CVE-2019-0562 Microsoft Unspecified vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint Elevation of Privilege Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint.

3.5
2019-01-08 CVE-2019-0558 Microsoft Cross-site Scripting vulnerability in Microsoft Business Productivity Servers and Sharepoint Server

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers.

3.5
2019-01-08 CVE-2019-0557 Microsoft Cross-site Scripting vulnerability in Microsoft Sharepoint Server 2016

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint.

3.5
2019-01-08 CVE-2019-0556 Microsoft Cross-site Scripting vulnerability in Microsoft Sharepoint Server 2013

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint.

3.5
2019-01-08 CVE-2019-0245 SAP Cross-site Scripting vulnerability in SAP products

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

3.5
2019-01-08 CVE-2019-0244 SAP Cross-site Scripting vulnerability in SAP products

SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

3.5
2019-01-08 CVE-2018-1918 IBM Cross-site Scripting vulnerability in IBM Jazz Reporting Service

IBM Jazz Reporting Service (JRS) 6.0.3, 6.0.4, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting.

3.5
2019-01-11 CVE-2018-16866 Systemd Project
Debian
Canonical
Netapp
Redhat
Out-of-bounds Read vulnerability in multiple products

An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'.

3.3
2019-01-10 CVE-2018-0449 Cisco Incorrect Permission Assignment for Critical Resource vulnerability in Cisco Jabber 12.1(0)

A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges.

3.3
2019-01-09 CVE-2018-16197 Toshiba Unspecified vulnerability in Toshiba Hem-Gw16A Firmware and Hem-Gw26A Firmware

Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an attacker on the same network segment to bypass access restriction to access the information and files stored on the affected device.

3.3
2019-01-09 CVE-2018-16192 NEC Information Exposure vulnerability in NEC Aterm Wf1200Cr Firmware and Aterm Wg1200Cr Firmware

Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allow an attacker on the same network segment to obtain information registered on the device via unspecified vectors.

3.3
2019-01-11 CVE-2018-4256 Apple Out-of-bounds Read vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation.

2.1
2019-01-11 CVE-2018-4255 Apple Out-of-bounds Read vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation.

2.1
2019-01-11 CVE-2018-4179 Apple Information Exposure vulnerability in Apple mac OS X

In macOS High Sierra before 10.13.4, there was an issue with the handling of smartcard PINs.

2.1
2019-01-10 CVE-2018-12167 Intel Improper Input Validation vulnerability in Intel Optane SSD DC P4800X Firmware

Firmware update routine in bootloader for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2019-01-10 CVE-2018-12166 Intel Improper Input Validation vulnerability in Intel Optane SSD DC P4800X Firmware

Insufficient write protection in firmware for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2019-01-10 CVE-2018-4046 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

An exploitable denial-of-service vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation.

2.1
2019-01-10 CVE-2018-4037 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation.

2.1
2019-01-10 CVE-2018-4036 Macpaw Improper Input Validation vulnerability in Macpaw Cleanmymac X 4.04

The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation.

2.1
2019-01-09 CVE-2018-1000425 Sonarsource Insufficiently Protected Credentials vulnerability in Sonarsource Sonarqube Scanner

An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.

2.1
2019-01-09 CVE-2018-1000424 Jfrog Insufficiently Protected Credentials vulnerability in Jfrog Artifactory

An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin.

2.1
2019-01-09 CVE-2018-1000423 Atlassian Insufficiently Protected Credentials vulnerability in Atlassian Crowd2

An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2.

2.1
2019-01-09 CVE-2018-1000410 Jenkins Information Exposure vulnerability in Jenkins

An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.

2.1
2019-01-08 CVE-2019-0622 Microsoft Improper Authentication vulnerability in Microsoft Skype 8.35

An elevation of privilege vulnerability exists when Skype for Andriod fails to properly handle specific authentication requests, aka "Skype for Android Elevation of Privilege Vulnerability." This affects Skype 8.35.

2.1
2019-01-08 CVE-2019-0569 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2019-01-08 CVE-2019-0554 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2019-01-08 CVE-2019-0553 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory, aka "Windows Subsystem for Linux Information Disclosure Vulnerability." This affects Windows 10 Servers, Windows 10, Windows Server 2019.

2.1
2019-01-08 CVE-2019-0549 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2019-01-08 CVE-2019-0536 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

2.1
2019-01-08 CVE-2018-1993 IBM Information Exposure vulnerability in IBM Spectrum Scale

IBM Spectrum Scale (GPFS) 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 where the use of Local Read Only Cache (LROC) is enabled may caused read operation on a file to return data from a different file.

2.1
2019-01-07 CVE-2019-5489 Linux
Netapp
Cleartext Transmission of Sensitive Information vulnerability in multiple products

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information.

2.1