Weekly Vulnerabilities Reports > January 21 to 27, 2019

Overview

184 new vulnerabilities reported during this period, including 12 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 241 products from 59 vendors including Microsoft, Foxitsoftware, Cisco, Debian, and Redhat. Vulnerabilities are notably categorized as "Use After Free", "Cross-site Scripting", "Improper Input Validation", "Cross-Site Request Forgery (CSRF)", and "Out-of-bounds Read".

  • 168 reported vulnerabilities are remotely exploitables.
  • 13 reported vulnerabilities have public exploit available.
  • 29 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 158 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 83 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

12 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-22 CVE-2018-6444 Brocade
Netapp
OS Command Injection vulnerability in multiple products

A Vulnerability in Brocade Network Advisor versions before 14.1.0 could allow a remote unauthenticated attacker to execute arbitray code.

10.0
2019-01-23 CVE-2019-1641 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Webex Meetings Online and Webex Meetings Server

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-01-23 CVE-2019-1640 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Webex Meetings Online and Webex Meetings Server

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-01-23 CVE-2019-1639 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Webex Meetings Online and Webex Meetings Server

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-01-23 CVE-2019-1638 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Webex Meetings Online and Webex Meetings Server

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-01-23 CVE-2019-1637 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Webex Meetings Online and Webex Meetings Server

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

9.3
2019-01-23 CVE-2019-1636 Cisco OS Command Injection vulnerability in Cisco Webex Teams 3.0.4533

A vulnerability in the Cisco Webex Teams client, formerly Cisco Spark, could allow an attacker to execute arbitrary commands on a targeted system.

9.3
2019-01-21 CVE-2019-6499 Teradata Use of Hard-coded Credentials vulnerability in Teradata Viewpoint 16.20.00.02B80

Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.

9.3
2019-01-24 CVE-2018-12237 Symantec OS Command Injection vulnerability in Symantec Reporter

The Symantec Reporter CLI 10.1 prior to 10.1.5.6 and 10.2 prior to 10.2.1.8 is susceptible to an OS command injection vulnerability.

9.0
2019-01-24 CVE-2019-1652 Cisco Improper Input Validation vulnerability in Cisco Rv320 Firmware and Rv325 Firmware

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.

9.0
2019-01-24 CVE-2019-1651 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Vsmart Controller

A vulnerability in the vContainer of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to cause a denial of service (DoS) condition and execute arbitrary code as the root user.

9.0
2019-01-24 CVE-2019-1650 Cisco Improper Input Validation vulnerability in Cisco products

A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device.

9.0

16 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-24 CVE-2018-18981 Rockwellautomation Out-of-bounds Write vulnerability in Rockwellautomation Factorytalk Services Platform

In Rockwell Automation FactoryTalk Services Platform 2.90 and earlier, a remote unauthenticated attacker could send numerous crafted packets to service ports resulting in memory consumption that could lead to a partial or complete denial-of-service condition to the affected services.

7.8
2019-01-24 CVE-2019-1647 Cisco Improper Access Control vulnerability in Cisco Sd-Wan and Vsmart Controller

A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers.

7.7
2019-01-27 CVE-2019-6703 Calmar Webmedia Unspecified vulnerability in Calmar-Webmedia Total Donations

Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover.

7.5
2019-01-26 CVE-2019-6798 Phpmyadmin SQL Injection vulnerability in PHPmyadmin

An issue was discovered in phpMyAdmin before 4.8.5.

7.5
2019-01-25 CVE-2018-16881 Rsyslog
Redhat
Debian
Integer Overflow or Wraparound vulnerability in multiple products

A denial of service vulnerability was found in rsyslog in the imptcp module.

7.5
2019-01-25 CVE-2019-6805 S CMS SQL Injection vulnerability in S-Cms 3.0

SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter.

7.5
2019-01-23 CVE-2019-6713 Thinkcmf Code Injection vulnerability in Thinkcmf 5.0.190111

app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.

7.5
2019-01-23 CVE-2019-6706 LUA
Canonical
Use After Free vulnerability in multiple products

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c.

7.5
2019-01-22 CVE-2019-6260 Aspeedtech
Netapp
The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host (or from the network in unusual cases where the BMC console uart is attached to a serial concentrator).
7.5
2019-01-22 CVE-2019-6339 Drupal
Debian
Improper Input Validation vulnerability in multiple products

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

7.5
2019-01-22 CVE-2018-19635 Broadcom
CA
CA Service Desk Manager 14.1 and 17 contain a vulnerability that can allow a malicious actor to escalate privileges in the user interface.
7.5
2019-01-22 CVE-2019-6503 Chatopera Deserialization of Untrusted Data vulnerability in Chatopera Cosin 3.10.0

There is a deserialization vulnerability in Chatopera cosin v3.10.0.

7.5
2019-01-24 CVE-2018-16098 Lenovo
Microsoft
Unquoted Search Path or Element vulnerability in Lenovo products

In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user.

7.2
2019-01-24 CVE-2018-18363 Symantec Unspecified vulnerability in Symantec Norton APP Lock

Norton App Lock prior to 1.4.0.445 can be susceptible to a bypass exploit.

7.2
2019-01-24 CVE-2019-1648 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

A vulnerability in the user group configuration of the Cisco SD-WAN Solution could allow an authenticated, local attacker to gain elevated privileges on an affected device.

7.2
2019-01-24 CVE-2019-1646 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

A vulnerability in the local CLI of the Cisco SD-WAN Solution could allow an authenticated, local attacker to escalate privileges and modify device configuration files.

7.2

150 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-27 CVE-2019-6977 Libgd
PHP
Debian
Canonical
Netapp
Out-of-bounds Write vulnerability in multiple products

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow.

6.8
2019-01-24 CVE-2018-17707 Epicgames OS Command Injection vulnerability in Epicgames Launcher

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Epic Games Launcher versions prior to 8.2.2.

6.8
2019-01-24 CVE-2018-17705 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17704 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17703 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17702 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17701 Foxitsoftware
Microsoft
Out-of-bounds Read vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17700 Foxitsoftware
Microsoft
Out-of-bounds Read vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17698 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17697 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17696 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17695 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17694 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17693 Foxitsoftware
Microsoft
Out-of-bounds Read vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17692 Foxitsoftware
Microsoft
Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17691 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17690 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17689 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17688 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17687 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17685 Foxitsoftware
Microsoft
Incorrect Type Conversion or Cast vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17684 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17683 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17682 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17681 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17680 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17679 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17678 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17677 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17676 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17675 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17674 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17673 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17672 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17671 Foxitsoftware
Microsoft
Out-of-bounds Read vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17670 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17669 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17668 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17667 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17666 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17665 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17664 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17663 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17662 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17661 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17660 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17659 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17658 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17657 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17656 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17655 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17654 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17653 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17652 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17651 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17650 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17649 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17648 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17647 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17646 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17645 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17644 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17643 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17642 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17641 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17640 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17639 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17638 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17637 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17636 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17635 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17634 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17633 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17632 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17631 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17630 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096.

6.8
2019-01-24 CVE-2018-17629 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096.

6.8
2019-01-24 CVE-2018-17628 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17627 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17626 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297.

6.8
2019-01-24 CVE-2018-17625 Foxitsoftware
Microsoft
Use After Free vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096.

6.8
2019-01-23 CVE-2017-17835 Apache Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow

In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.

6.8
2019-01-23 CVE-2019-3587 Mcafee Untrusted Search Path vulnerability in Mcafee Total Protection 4.0.161.1/4.6

DLL Search Order Hijacking vulnerability in Microsoft Windows client in McAfee Total Protection (MTP) Prior to 16.0.18 allows local users to execute arbitrary code via execution from a compromised folder.

6.8
2019-01-22 CVE-2018-19019 Omron Incorrect Type Conversion or Cast vulnerability in Omron Cx-Supervisor 3.5

A type confusion vulnerability exists when processing project files in CX-Supervisor (Versions 3.42 and prior).

6.8
2019-01-22 CVE-2018-19017 Omron Use After Free vulnerability in Omron Cx-Supervisor 3.5

Several use after free vulnerabilities have been identified in CX-Supervisor (Versions 3.42 and prior).

6.8
2019-01-22 CVE-2018-19011 Omron Code Injection vulnerability in Omron Cx-Supervisor 3.5

CX-Supervisor (Versions 3.42 and prior) can execute code that has been injected into a project file.

6.8
2019-01-22 CVE-2019-6510 Creditease SEC Cross-Site Request Forgery (CSRF) vulnerability in Creditease-Sec Insight

An issue was discovered in creditease-sec insight through 2018-09-11.

6.8
2019-01-22 CVE-2019-6509 Creditease SEC Cross-Site Request Forgery (CSRF) vulnerability in Creditease-Sec Insight

An issue was discovered in creditease-sec insight through 2018-09-11.

6.8
2019-01-22 CVE-2019-6508 Creditease SEC Cross-Site Request Forgery (CSRF) vulnerability in Creditease-Sec Insight

An issue was discovered in creditease-sec insight through 2018-09-11.

6.8
2019-01-22 CVE-2019-6507 Creditease SEC Cross-Site Request Forgery (CSRF) vulnerability in Creditease-Sec Insight

An issue was discovered in creditease-sec insight through 2018-09-11.

6.8
2019-01-23 CVE-2018-15459 Cisco Unspecified vulnerability in Cisco Identity Services Engine 2.3(0.298)/2.5(0.1)

A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device.

6.5
2019-01-23 CVE-2019-6708 Phpshe SQL Injection vulnerability in PHPshe 1.7

PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter.

6.5
2019-01-23 CVE-2019-6707 Phpshe SQL Injection vulnerability in PHPshe 1.7

PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=state product_id[] parameter.

6.5
2019-01-23 CVE-2017-15720 Apache Improper Input Validation vulnerability in Apache Airflow

In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.

6.5
2019-01-23 CVE-2019-6691 Phpwind SQL Injection vulnerability in PHPwind 9.0.2.170426

phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=backup&c=backup&a=doback tabledb[] parameter, related to the "--backup database" option.

6.5
2019-01-22 CVE-2018-14666 Redhat Incorrect Authorization vulnerability in Redhat Satellite

An improper authorization flaw was found in the Smart Class feature of Foreman.

6.5
2019-01-22 CVE-2019-1003004 Jenkins
Redhat
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.
6.5
2019-01-22 CVE-2019-1003003 Jenkins
Redhat
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g.
6.5
2019-01-22 CVE-2019-1003002 Jenkins
Redhat
7PK - Security Features vulnerability in multiple products

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

6.5
2019-01-22 CVE-2019-1003001 Jenkins
Redhat
7PK - Security Features vulnerability in multiple products

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

6.5
2019-01-22 CVE-2019-1003000 Jenkins
Redhat
7PK - Security Features vulnerability in multiple products

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

6.5
2019-01-24 CVE-2019-6486 Golang
Debian
Opensuse
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

6.4
2019-01-22 CVE-2019-6338 Drupal
Debian
Deserialization of Untrusted Data vulnerability in multiple products

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library.

6.0
2019-01-25 CVE-2018-19023 Hetronic Improper Authentication vulnerability in Hetronic products

Hetronic Nova-M prior to verson r161 uses fixed codes that are reproducible by sniffing and re-transmission.

5.8
2019-01-25 CVE-2019-6956 Audiocoding
Debian
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8.

5.8
2019-01-24 CVE-2019-6780 Kaine Open Redirect vulnerability in Kaine Wise Chat

The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.

5.8
2019-01-24 CVE-2019-6779 Chshcms Cross-Site Request Forgery (CSRF) vulnerability in Chshcms Cscms 4.1.8

Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links.

5.8
2019-01-21 CVE-2019-6498 Labapart Out-of-bounds Read vulnerability in Labapart Gattlib 0.2

GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c because strncpy is misused.

5.8
2019-01-26 CVE-2019-6976 Libvips Project Use of Uninitialized Resource vulnerability in Libvips Project Libvips

libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory.

5.0
2019-01-25 CVE-2018-20743 Mumble
Debian
Improper Input Validation vulnerability in multiple products

murmur in Mumble through 1.2.19 before 2018-08-31 mishandles multiple concurrent requests that are persisted in the database, which allows remote attackers to cause a denial of service (daemon hang or crash) via a message flood.

5.0
2019-01-25 CVE-2017-18359 Postgis
Debian
Improper Input Validation vulnerability in multiple products

PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attackers to cause a denial of service via crafted ST_AsX3D function input, as demonstrated by an abnormal server termination for "SELECT ST_AsX3D('LINESTRING EMPTY');" because empty geometries are mishandled.

5.0
2019-01-24 CVE-2019-1669 Cisco Protection Mechanism Failure vulnerability in Cisco Firepower Threat Defense 6.3.0/6.4.0

A vulnerability in the data acquisition (DAQ) component of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured access control policies or cause a denial of service (DoS) condition.

5.0
2019-01-24 CVE-2019-1653 Cisco Improper Access Control vulnerability in Cisco Rv320 Firmware and Rv325 Firmware

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.

5.0
2019-01-24 CVE-2018-20742 Ucbrise Out-of-bounds Write vulnerability in Ucbrise Opaque

An issue was discovered in UC Berkeley RISE Opaque before 2018-12-01.

5.0
2019-01-23 CVE-2019-1644 Cisco Resource Exhaustion vulnerability in Cisco IOT Field Network Director 4.3(0.20)

A vulnerability in the UDP protocol implementation for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to exhaust system resources, resulting in a denial of service (DoS) condition.

5.0
2019-01-23 CVE-2019-6719 MZ Automation Use After Free vulnerability in Mz-Automation Libiec61850 1.3.1

An issue has been found in libIEC61850 v1.3.1.

5.0
2019-01-23 CVE-2018-20245 Apache Improper Certificate Validation vulnerability in Apache Airflow

The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.

5.0
2019-01-23 CVE-2017-17836 Apache Credentials Management vulnerability in Apache Airflow

In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow.

5.0
2019-01-23 CVE-2018-1751 IBM
Linux
Microsoft
Inadequate Encryption Strength vulnerability in IBM Security KEY Lifecycle Manager

IBM Security Key Lifecycle Manager 3.0 through 3.0.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2019-01-22 CVE-2018-6445 Brocade
Netapp
A Vulnerability in Brocade Network Advisor versions before 14.0.3 could allow a remote unauthenticated attacker to export the current user database which includes the encrypted (not hashed) password of the systems.
5.0
2019-01-22 CVE-2018-19634 Broadcom
CA
CA Service Desk Manager 14.1 and 17 contain a vulnerability that can allow a malicious actor to access survey information.
5.0
2019-01-22 CVE-2019-6502 Opensc Project Memory Leak vulnerability in Opensc Project Opensc 0.19.0

sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory leak, as demonstrated by a call from eidenv.

5.0
2019-01-21 CVE-2019-6500 Axway Path Traversal vulnerability in Axway File Tranfer Direct 2.7.1

In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.

5.0
2019-01-25 CVE-2019-3819 Linux
Debian
Canonical
Opensuse
Infinite Loop vulnerability in multiple products

A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace.

4.9
2019-01-22 CVE-2018-19013 Omron Command Injection vulnerability in Omron Cx-Supervisor 3.5

An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file.

4.9
2019-01-24 CVE-2019-1656 Cisco Improper Input Validation vulnerability in Cisco Enterprise NFV Infrastructure Software 3.9.1

A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to access the shell of the underlying Linux operating system on the affected device.

4.6
2019-01-24 CVE-2018-1959 IBM Use of Hard-coded Credentials vulnerability in IBM Security Identity Manager

IBM Security Identity Manager 7.0.1 Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

4.6
2019-01-21 CVE-2016-10739 GNU
Opensuse
Improper Input Validation vulnerability in multiple products

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

4.6
2019-01-26 CVE-2019-6799 Phpmyadmin
Debian
An issue was discovered in phpMyAdmin before 4.8.5.
4.3
2019-01-25 CVE-2019-6966 Axiosys Allocation of Resources Without Limits or Throttling vulnerability in Axiosys Bento4 1.5.1628

An issue was discovered in Bento4 1.5.1-628.

4.3
2019-01-25 CVE-2019-6804 Pagerduty Cross-site Scripting vulnerability in Pagerduty Rundeck

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascripts/workflowStepEditorKO.js and views/execution/_wfitemEdit.gsp.

4.3
2019-01-25 CVE-2019-6803 Typora Cross-site Scripting vulnerability in Typora

typora through 0.9.9.20.3 beta has XSS, with resultant remote command execution, via the left outline bar.

4.3
2019-01-25 CVE-2019-6802 Python CRLF Injection vulnerability in Python Pypiserver

CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI.

4.3
2019-01-24 CVE-2019-1668 Cisco Cross-site Scripting vulnerability in Cisco Socialminer 11.6(1)/11.6(2)/12.0(1)

A vulnerability in the chat feed feature of Cisco SocialMiner could allow an unauthenticated, remote attacker to perform cross-site scripting (XSS) attacks against a user of the web-based user interface of an affected system.

4.3
2019-01-24 CVE-2019-1658 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Intelligence Center 11.6(1)

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.

4.3
2019-01-24 CVE-2019-1655 Cisco Cross-site Scripting vulnerability in Cisco Webex Meetings Server 2.8

A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software.

4.3
2019-01-24 CVE-2019-6777 Zoneminder Cross-site Scripting vulnerability in Zoneminder 1.32.3

An issue was discovered in ZoneMinder v1.32.3.

4.3
2019-01-24 CVE-2018-17699 Foxitsoftware
Microsoft
Information Exposure vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.2.0.9297.

4.3
2019-01-24 CVE-2018-17686 Foxitsoftware
Microsoft
Information Exposure vulnerability in Foxitsoftware Phantompdf and Reader

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.2.0.9297.

4.3
2019-01-23 CVE-2019-1643 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure 3.2.0

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software.

4.3
2019-01-23 CVE-2019-1642 Cisco Cross-site Scripting vulnerability in Cisco Firepower Management Center 6.2.3/6.3.0

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software.

4.3
2019-01-23 CVE-2018-15455 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine 2.2(0.910)/2.3(0.905)/2.4(0.903)

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

4.3
2019-01-22 CVE-2018-6443 Brocade
Netapp
Credentials Management vulnerability in multiple products

A vulnerability in Brocade Network Advisor Versions before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using an undocumented user credentials and install additional JEE applications.

4.3
2019-01-24 CVE-2019-1657 Cisco Credentials Management vulnerability in Cisco AMP Threat Grid Appliance and AMP Threat Grid Cloud

A vulnerability in Cisco AMP Threat Grid could allow an authenticated, remote attacker to access sensitive information.

4.0
2019-01-23 CVE-2018-1000997 Jenkins Path Traversal vulnerability in Jenkins

A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any view in Jenkins, exposing internal information about those objects not intended to be viewed, such as their toString() representation.

4.0
2019-01-23 CVE-2018-0187 Cisco Information Exposure vulnerability in Cisco Identity Services Engine 2.4(0.901.1)/2.4(0.901)

A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain confidential information for privileged accounts.

4.0
2019-01-23 CVE-2018-2026 IBM Information Exposure vulnerability in IBM Financial Transaction Manager 3.2.1.0

IBM Financial Transaction Manager 3.2.1 for Digital Payments could allow an authenticated user to obtain a directory listing of internal product files.

4.0
2019-01-22 CVE-2017-6923 Drupal Missing Authorization vulnerability in Drupal

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters.

4.0
2019-01-22 CVE-2017-6922 Drupal
Debian
Files or Directories Accessible to External Parties vulnerability in multiple products

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users.

4.0
2019-01-22 CVE-2018-13374 Fortinet Incorrect Permission Assignment for Critical Resource vulnerability in Fortinet Fortios

A Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one.

4.0

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-01-23 CVE-2019-3584 Mcafee Improper Authentication vulnerability in Mcafee Mvision Endpoint

Exploitation of Authentication vulnerability in MVision Endpoint in McAfee MVision Endpoint Prior to 1811 Update 1 (18.11.31.62) allows authenticated administrator users --> administrators to Remove MVision Endpoint via unspecified vectors.

3.6
2019-01-23 CVE-2018-15614 Avaya Cross-site Scripting vulnerability in Avaya IP Office 10.0/10.1/11.0

A vulnerability in the one-x Portal component of IP Office could allow an authenticated user to perform stored cross site scripting attacks via fields in the Conference Scheduler Service that could affect other application users.

3.5
2019-01-25 CVE-2018-19021 Emerson Improper Restriction of Excessive Authentication Attempts vulnerability in Emerson Deltav

A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.

3.3
2019-01-24 CVE-2019-1645 Cisco Information Exposure vulnerability in Cisco Connected Mobile Experiences 10.2(1.0)

A vulnerability in the Cisco Connected Mobile Experiences (CMX) software could allow an unauthenticated, adjacent attacker to access sensitive data on an affected device.

3.3
2019-01-25 CVE-2018-19009 Pilz Credentials Management vulnerability in Pilz Pnozmulti Configurator

Pilz PNOZmulti Configurator prior to version 10.9 allows an authenticated attacker with local access to the system containing the PNOZmulti Configurator software to view sensitive credential data in clear-text.

2.1
2019-01-24 CVE-2018-5497 Netapp Information Exposure vulnerability in Netapp Clustered Data Ontap

Clustered Data ONTAP versions prior to 9.1P16, 9.3P10 and 9.4P5 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user.

2.1