Weekly Vulnerabilities Reports > February 11 to 17, 2019
Overview
191 new vulnerabilities reported during this period, including 22 critical vulnerabilities and 36 high severity vulnerabilities. This weekly summary report vulnerabilities in 353 products from 106 vendors including Google, SAP, Dlink, Redhat, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "OS Command Injection", and "Improper Input Validation".
- 148 reported vulnerabilities are remotely exploitables.
- 8 reported vulnerabilities have public exploit available.
- 70 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 148 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 24 reported vulnerabilities.
- Dlink has the most reported critical vulnerabilities, with 8 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
22 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-02-13 | CVE-2019-5909 | Yokogawa | Improper Authentication vulnerability in Yokogawa products License Manager Service of YOKOGAWA products (CENTUM VP (R5.01.00 - R6.06.00), CENTUM VP Entry Class (R5.01.00 - R6.06.00), ProSafe-RS (R3.01.00 - R4.04.00), PRM (R4.01.00 - R4.02.00), B/M9000 VP(R7.01.01 - R8.02.03)) allows remote attackers to bypass access restriction to send malicious files to the PC where License Manager Service runs via unspecified vectors. | 10.0 |
2019-02-11 | CVE-2018-9583 | Out-of-bounds Write vulnerability in Google Android In bta_ag_parse_cmer of bta_ag_cmd.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out-of-bounds write due to a missing bounds check. | 10.0 | |
2019-02-15 | CVE-2019-4059 | IBM | Insufficiently Protected Credentials vulnerability in IBM Rational Clearcase IBM Rational ClearCase 1.0.0.0 GIT connector does not sufficiently protect the document database password. | 9.8 |
2019-02-15 | CVE-2019-8341 | Pocoo Opensuse | Code Injection vulnerability in multiple products An issue was discovered in Jinja2 2.10. | 9.8 |
2019-02-13 | CVE-2019-6543 | Aveva | Missing Authentication for Critical Function vulnerability in Aveva Indusoft web Studio and Intouch Machine Edition 2014 AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. | 9.8 |
2019-02-12 | CVE-2018-19645 | Microfocus | Improper Authentication vulnerability in Microfocus Solutions Business Manager An Authentication Bypass issue exists in Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5. | 9.8 |
2019-02-12 | CVE-2019-6527 | Kunbus | Improper Authentication vulnerability in Kunbus Pr100088 Modbus Gateway Firmware 1.0.10232/1.1.13166 PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) may allow an attacker to be able to change the password for an admin user who is currently or previously logged in, provided the device has not been restarted. | 9.8 |
2019-02-15 | CVE-2013-5654 | Yingzhipython Project | Improper Access Control vulnerability in Yingzhipython Project Yingzhipython 1.9 Vulnerability in YingZhi Python Programming Language v1.9 allows arbitrary anonymous uploads to the phone's storage | 9.4 |
2019-02-15 | CVE-2013-2516 | Fileutils Project | Command Injection vulnerability in Fileutils Project Fileutils Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell. | 9.3 |
2019-02-13 | CVE-2018-6271 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software delivers extra data with the buffer and does not properly validated the extra data, which may lead to denial of service or escalation of privileges. | 9.3 | |
2019-02-13 | CVE-2018-6268 | Use After Free vulnerability in Google Android NVIDIA Tegra library contains a vulnerability in libnvmmlite_video.so, where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges. | 9.3 | |
2019-02-13 | CVE-2018-6267 | Improper Input Validation vulnerability in Google Android NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software does not validate or incorrectly validates input that can affect the control flow or data flow of a program, which may lead to denial of service or escalation of privileges. | 9.3 | |
2019-02-13 | CVE-2019-6539 | WE CON | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in We-Con Levistudiou 1.8.29/1.8.44 Several heap-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior have been identified, which may allow arbitrary code execution. | 9.3 |
2019-02-12 | CVE-2019-6533 | Kunbus | Missing Authentication for Critical Function vulnerability in Kunbus Pr100088 Modbus Gateway Firmware 1.0.10232/1.1.13166 Registers used to store Modbus values can be read and written from the web interface without authentication in the PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166). | 9.1 |
2019-02-13 | CVE-2019-8319 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8318 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8317 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8316 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8315 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8314 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8313 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
2019-02-13 | CVE-2019-8312 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.12A1 An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. | 9.0 |
36 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-02-15 | CVE-2019-0257 | SAP | Missing Authorization vulnerability in SAP products Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | 8.8 |
2019-02-11 | CVE-2019-5736 | Docker Linuxfoundation Redhat Linuxcontainers HP Netapp Apache Opensuse D2Iq Fedoraproject Canonical Microfocus | OS Command Injection vulnerability in multiple products runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. | 8.6 |
2019-02-15 | CVE-2019-6974 | Linux Debian Canonical F5 Redhat | Use After Free vulnerability in multiple products In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. | 8.1 |
2019-02-13 | CVE-2018-15781 | Dell | Use of Hard-coded Credentials vulnerability in Dell Wyse Thinlinux 2.0 The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contain a Hard-coded Cryptographic Key vulnerability. | 7.9 |
2019-02-17 | CVE-2019-8383 | Advancemame Debian Fedoraproject Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in AdvanceCOMP through 2.1. | 7.8 |
2019-02-17 | CVE-2019-8381 | Broadcom Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in Tcpreplay 4.3.1. | 7.8 |
2019-02-17 | CVE-2019-8379 | Advancemame Debian Fedoraproject Redhat | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in AdvanceCOMP through 2.1. | 7.8 |
2019-02-17 | CVE-2019-8377 | Broadcom Fedoraproject | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in Tcpreplay 4.3.1. | 7.8 |
2019-02-17 | CVE-2019-8376 | Broadcom Fedoraproject | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in Tcpreplay 4.3.1. | 7.8 |
2019-02-15 | CVE-2019-8343 | Nasm | Use After Free vulnerability in Nasm Netwide Assembler 2.14.02 In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c. | 7.8 |
2019-02-17 | CVE-2019-8393 | Hotels Server Project | SQL Injection vulnerability in Hotels Server Project Hotels Server 20181105 Hotels_Server through 2018-11-05 has SQL Injection via the API because the controller/api/login.php telephone parameter is mishandled. | 7.5 |
2019-02-17 | CVE-2019-8395 | Zohocorp | Path Traversal vulnerability in Zohocorp Manageengine Servicedesk Plus An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. | 7.5 |
2019-02-16 | CVE-2019-8360 | Themerig | SQL Injection vulnerability in Themerig Find A Place CMS Directory 1.5 Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter. | 7.5 |
2019-02-15 | CVE-2015-4615 | Easy2Map | SQL Injection vulnerability in Easy2Map Easy2Map-Photos 1.09 Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML,mapID variables | 7.5 |
2019-02-15 | CVE-2019-0261 | SAP | Missing Authentication for Critical Function vulnerability in SAP Landscape Management 3.0 Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. | 7.5 |
2019-02-15 | CVE-2019-0259 | SAP | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects 4.2/4.3 SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation. | 7.5 |
2019-02-13 | CVE-2019-5916 | D Circle | Expression Language Injection vulnerability in D-Circle Power EGG Input validation issue in POWER EGG(Ver 2.0.1, Ver 2.02 Patch 3 and earlier, Ver 2.1 Patch 4 and earlier, Ver 2.2 Patch 7 and earlier, Ver 2.3 Patch 9 and earlier, Ver 2.4 Patch 13 and earlier, Ver 2.5 Patch 12 and earlier, Ver 2.6 Patch 8 and earlier, Ver 2.7 Patch 6 and earlier, Ver 2.7 Government Edition Patch 7 and earlier, Ver 2.8 Patch 6 and earlier, Ver 2.8c Patch 5 and earlier, Ver 2.9 Patch 4 and earlier) allows remote attackers to execute EL expression on the server via unspecified vectors. | 7.5 |
2019-02-13 | CVE-2019-6545 | Aveva | Unspecified vulnerability in Aveva Indusoft web Studio and Intouch Machine Edition 2014 AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. | 7.5 |
2019-02-12 | CVE-2019-7743 | Joomla | Expression Language Injection vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.3. | 7.5 |
2019-02-11 | CVE-2019-7736 | Dlink | Forced Browsing vulnerability in Dlink Dir-600M Firmware 3.04 D-Link DIR-600M C1 3.04 devices allow authentication bypass via a direct request to the wan.htm page. | 7.5 |
2019-02-11 | CVE-2019-7731 | Mywebsql | Code Injection vulnerability in Mywebsql 3.7 MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup's archive file. | 7.5 |
2019-02-11 | CVE-2018-12549 | Eclipse Redhat | Improper Input Validation vulnerability in multiple products In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. | 7.5 |
2019-02-11 | CVE-2018-12547 | Eclipse Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. | 7.5 |
2019-02-11 | CVE-2019-6975 | Djangoproject Canonical Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. | 7.5 |
2019-02-11 | CVE-2019-7720 | Taogogo | Code Injection vulnerability in Taogogo Taocms 20140524 taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | 7.5 |
2019-02-11 | CVE-2019-7719 | Nibbleblog | Code Injection vulnerability in Nibbleblog 4.0.5 Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request. | 7.5 |
2019-02-11 | CVE-2018-20779 | Traq | SQL Injection vulnerability in Traq 3.7.1 Traq 3.7.1 allows SQL Injection via a tickets?search= URI. | 7.5 |
2019-02-12 | CVE-2019-5596 | Freebsd | Unspecified vulnerability in Freebsd 11.2/12.0 In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE before r343781, and 12.0-RELEASE before 12.0-RELEASE-p3, a bug in the reference count implementation for UNIX domain sockets can cause a file structure to be incorrectly released potentially allowing a malicious local user to gain root privileges or escape from a jail. | 7.2 |
2019-02-11 | CVE-2018-13889 | Use After Free vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Heap memory was accessed after it was freed | 7.2 | |
2019-02-11 | CVE-2018-13888 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products There is potential for memory corruption in the RIL daemon due to de reference of memory outside the allocated array length in RIL in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in versions MDM9206, MDM9607, MDM9635M, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, ZZ_QCS605. | 7.2 |
2019-02-11 | CVE-2018-12014 | Use After Free vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Null pointer dereference vulnerability may occur due to missing NULL assignment in NAT module of freed pointer. | 7.2 | |
2019-02-11 | CVE-2018-11962 | Use After Free vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Use-after-free issue in heap while loading audio effects config in audio effects factory. | 7.2 | |
2019-02-11 | CVE-2018-11888 | Qualcomm | Missing Authorization vulnerability in Qualcomm products Unauthorized access may be allowed by the SCP11 Crypto Services TA will processing commands from other TA in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile and Snapdragon Voice & Music in versions MDM9607, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439, Snapdragon_High_Med_2016. | 7.2 |
2019-02-11 | CVE-2018-11855 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products If an end user makes use of SCP11 sample OCE code without modification it could lead to a buffer overflow when transmitting a CAPDU in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT and Snapdragon Mobile in versions MDM9607, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 636, SD 820, SD 820A, SD 835, SD 8CX, SDA660, SDM630, SDM660. | 7.2 |
2019-02-11 | CVE-2018-11847 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Malicious TA can tag QSEE kernel memory and map to EL0, there by corrupting the physical memory as well it can be used to corrupt the QSEE kernel and compromise the whole TEE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables and Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439 and Snapdragon_High_Med_2016 | 7.2 |
2019-02-12 | CVE-2019-1688 | Cisco | Use of Hard-coded Credentials vulnerability in Cisco Network Assurance Engine 3.0(1) A vulnerability in the management web interface of Cisco Network Assurance Engine (NAE) could allow an unauthenticated, local attacker to gain unauthorized access or cause a Denial of Service (DoS) condition on the server. | 7.1 |
113 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-02-17 | CVE-2019-8382 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1628 An issue was discovered in Bento4 1.5.1-628. | 6.8 |
2019-02-17 | CVE-2019-8380 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.5.1628 An issue was discovered in Bento4 1.5.1-628. | 6.8 |
2019-02-17 | CVE-2019-8378 | Axiosys | Out-of-bounds Read vulnerability in Axiosys Bento4 1.5.1628 An issue was discovered in Bento4 1.5.1-628. | 6.8 |
2019-02-16 | CVE-2019-8358 | Hiawatha Webserver | Path Traversal vulnerability in Hiawatha-Webserver Hiawatha In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled. | 6.8 |
2019-02-15 | CVE-2019-0267 | SAP | Cross-Site Request Forgery (CSRF) vulnerability in SAP Manufacturing Integration and Intelligence 15.0/15.1/15.2 SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. | 6.8 |
2019-02-15 | CVE-2019-8347 | Beescms | Cross-Site Request Forgery (CSRF) vulnerability in Beescms 4.0 BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI. | 6.8 |
2019-02-13 | CVE-2018-19008 | ABB | Improper Input Validation vulnerability in ABB Cp400Pb Firmware The TextEditor 2.0 in ABB CP400 Panel Builder versions 2.0.7.05 and earlier contain a vulnerability in the file parser of the Text Editor wherein the application doesn't properly prevent the insertion of specially crafted files which could allow arbitrary code execution. | 6.8 |
2019-02-13 | CVE-2019-5913 | Micco Microsoft | Untrusted Search Path vulnerability in Micco Lhmelting Untrusted search path vulnerability in the installer of LHMelting (LHMelting for Win32 Ver 1.65.3.6 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2019-02-13 | CVE-2019-5912 | Micco Microsoft | Untrusted Search Path vulnerability in Micco Unarj32.Dll Untrusted search path vulnerability in the installer of UNARJ32.DLL (UNARJ32.DLL for Win32 Ver 1.10.1.25 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2019-02-13 | CVE-2019-5911 | Micco Microsoft | Untrusted Search Path vulnerability in Micco Unlha32.Dll Untrusted search path vulnerability in the installer of UNLHA32.DLL (UNLHA32.DLL for Win32 Ver 2.67.1.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2019-02-13 | CVE-2018-16190 | Micco Microsoft | Untrusted Search Path vulnerability in Micco products Untrusted search path vulnerability in UNARJ32.DLL for Win32, LHMelting for Win32, and LMLzh32.DLL (UNARJ32.DLL for Win32 Ver 1.10.1.25 and earlier, LHMelting for Win32 Ver 1.65.3.6 and earlier, LMLzh32.DLL Ver 2.67.1.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2019-02-13 | CVE-2018-16189 | Micco Microsoft | Untrusted Search Path vulnerability in Micco Unlha32.Dll Untrusted search path vulnerability in Self-Extracting Archives created by UNLHA32.DLL prior to Ver 3.00 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.8 |
2019-02-13 | CVE-2018-20253 | Rarlab | Out-of-bounds Write vulnerability in Rarlab Winrar In WinRAR versions prior to and including 5.60, There is an out-of-bounds write vulnerability during parsing of a crafted LHA / LZH archive formats. | 6.8 |
2019-02-13 | CVE-2019-6541 | WE CON | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in We-Con Levistudiou 1.8.29/1.8.44 A memory corruption vulnerability has been identified in WECON LeviStudioU version 1.8.56 and prior, which may allow arbitrary code execution. | 6.8 |
2019-02-13 | CVE-2019-6537 | WE CON | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in We-Con Levistudiou 1.8.29/1.8.44 Multiple stack-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior may be exploited when parsing strings within project files. | 6.8 |
2019-02-11 | CVE-2019-7747 | Dbninja | Session Fixation vulnerability in Dbninja 3.2.7 DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. | 6.8 |
2019-02-11 | CVE-2019-7737 | Verydows | Cross-Site Request Forgery (CSRF) vulnerability in Verydows 2.0 A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit. | 6.8 |
2019-02-11 | CVE-2019-7722 | PMD Project | XXE vulnerability in PMD Project PMD PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. | 6.8 |
2019-02-11 | CVE-2019-7718 | Metinfo | Race Condition vulnerability in Metinfo An issue was discovered in Metinfo 6.x. | 6.8 |
2019-02-11 | CVE-2018-20780 | Traq | Cross-Site Request Forgery (CSRF) vulnerability in Traq 3.7.1 Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka group_id=1). | 6.8 |
2019-02-17 | CVE-2019-8422 | Pbootcms | SQL Injection vulnerability in Pbootcms 1.3.2 A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the description parameter in apps\admin\controller\content\ContentController.php. | 6.5 |
2019-02-17 | CVE-2019-8421 | Bagesoft | SQL Injection vulnerability in Bagesoft Bagecms 3.1.3/3.1.4 upload/protected/modules/admini/views/post/index.php in BageCMS through 3.1.4 allows SQL Injection via the title or titleAlias parameter. | 6.5 |
2019-02-17 | CVE-2019-8412 | Feifeicms | Path Traversal vulnerability in Feifeicms 4.0.181010 FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or delete arbitrary files via index.php?s=Admin-Data-Down-id-..\ or index.php?s=Admin-Data-Del-id-..\ directory traversal. | 6.5 |
2019-02-15 | CVE-2019-0258 | SAP | Missing Authorization vulnerability in SAP Disclosure Management 10.01 SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | 6.5 |
2019-02-11 | CVE-2018-20775 | Frog CMS Project | Code Injection vulnerability in Frog CMS Project Frog CMS 0.9.5 admin/?/plugin/file_manager in Frog CMS 0.9.5 allows PHP code execution by creating a new .php file containing PHP code, and then visiting this file under the public/ URI. | 6.5 |
2019-02-11 | CVE-2018-20773 | Frog CMS Project | Code Injection vulnerability in Frog CMS Project Frog CMS 0.9.5 Frog CMS 0.9.5 allows PHP code execution by visiting admin/?/page/edit/1 and inserting additional <?php lines. | 6.5 |
2019-02-11 | CVE-2018-20772 | Frog CMS Project | Code Injection vulnerability in Frog CMS Project Frog CMS 0.9.5 Frog CMS 0.9.5 allows PHP code execution via <?php to the admin/?/layout/edit/1 URI. | 6.5 |
2019-02-17 | CVE-2019-8411 | Zzcms | Path Traversal vulnerability in Zzcms 2018 admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal. | 6.4 |
2019-02-15 | CVE-2018-1727 | IBM | XXE vulnerability in IBM Infosphere Information Server IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. | 6.4 |
2019-02-11 | CVE-2019-6489 | Lexmark | Unspecified vulnerability in Lexmark products Certain Lexmark CX, MX, X, XC, XM, XS, and 6500e devices before 2019-02-11 allow remote attackers to erase stored shortcuts. | 6.4 |
2019-02-11 | CVE-2018-20242 | Apache | Cross-site Scripting vulnerability in Apache Jspwiki A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking. | 6.1 |
2019-02-15 | CVE-2018-1701 | IBM | Unspecified vulnerability in IBM products IBM InfoSphere Information Server 11.7 could allow an authenciated user under specialized conditions to inject commands into the installation process that would execute on the WebSphere Application Server. | 6.0 |
2019-02-12 | CVE-2018-19018 | Omron | Access of Uninitialized Pointer vulnerability in Omron Cx-Supervisor 3.5 An access of uninitialized pointer vulnerability in CX-Supervisor (Versions 3.42 and prior) could lead to type confusion when processing project files. | 6.0 |
2019-02-17 | CVE-2016-10742 | Zabbix Debian | Open Redirect vulnerability in multiple products Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter. | 5.8 |
2019-02-17 | CVE-2019-7399 | Amazon | Origin Validation Error vulnerability in Amazon Fire OS 5.3.6.3 Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages. | 5.8 |
2019-02-13 | CVE-2019-5915 | Osstech | Open Redirect vulnerability in Osstech Openam 13.0/13.0.0120 Open redirect vulnerability in OpenAM (Open Source Edition) 13.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page. | 5.8 |
2019-02-11 | CVE-2019-7738 | C P SUB Project | Cross-Site Request Forgery (CSRF) vulnerability in C.P.Sub Project C.P.Sub 5.1/5.2 C.P.Sub before 5.3 allows CSRF via a manage.php?p=article_del&id= URI. | 5.8 |
2019-02-13 | CVE-2019-5914 | Nttdocomo | NULL Pointer Dereference vulnerability in Nttdocomo V20 PRO L-01J Firmware L01J20C/L01J20D V20 PRO L-01J software version L01J20c and L01J20d has a NULL pointer exception flaw that can be used by an attacker to cause the device to crash on the same network range via a specially crafted access point. | 5.7 |
2019-02-17 | CVE-2019-8407 | Hongcms Project | Path Traversal vulnerability in Hongcms Project Hongcms 3.0.0 HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI. | 5.5 |
2019-02-15 | CVE-2019-0255 | SAP | Improper Input Validation vulnerability in SAP products SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75, fails to validate type of installation for an ABAP Server system correctly. | 5.5 |
2019-02-13 | CVE-2018-20238 | Atlassian | Session Fixation vulnerability in Atlassian Crowd Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. | 5.5 |
2019-02-13 | CVE-2019-3610 | Mcafee | Information Exposure vulnerability in Mcafee True KEY 3.1.9211.0 Data Leakage Attacks vulnerability in Microsoft Windows client in McAfee True Key (TK) 3.1.9211.0 and earlier allows local users to expose confidential data via specially crafted malware. | 5.5 |
2019-02-11 | CVE-2018-20587 | Bitcoinknots Bitcoin | Bitcoin Core 0.12.0 through 0.17.1 and Bitcoin Knots 0.12.0 through 0.17.x before 0.17.1.knots20181229 have Incorrect Access Control. | 5.5 |
2019-02-17 | CVE-2019-7649 | Cmswing | Inadequate Encryption Strength vulnerability in Cmswing 1.3.7 global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies on multiple MD5 operations for password hashing. | 5.0 |
2019-02-17 | CVE-2018-20782 | Globee | Improper Input Validation vulnerability in Globee Woocommerce 1.0.1/1.1.0/1.1.1 The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages. | 5.0 |
2019-02-17 | CVE-2019-8392 | Dlink | Unspecified vulnerability in Dlink Dir-823G Firmware 1.02B03 An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. | 5.0 |
2019-02-16 | CVE-2019-8362 | Dedecms | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.5/5.6/5.7 DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content). | 5.0 |
2019-02-15 | CVE-2019-8354 | Sound Exchange Project Debian Canonical | Integer Overflow or Wraparound vulnerability in multiple products An issue was discovered in SoX 14.4.2. | 5.0 |
2019-02-15 | CVE-2015-4617 | Easy2Map | Path Traversal vulnerability in Easy2Map Easy2Map-Photos 1.09 Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names creating files outside of the upload directory. | 5.0 |
2019-02-15 | CVE-2013-2565 | Mambo Foundation | Path Traversal vulnerability in Mambo-Foundation Mambo CMS 4.6.5 A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php, manager.php discloses the root path of the webserver. | 5.0 |
2019-02-15 | CVE-2017-1695 | IBM | Inadequate Encryption Strength vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2019-02-15 | CVE-2019-0266 | SAP | Information Exposure Through Log Files vulnerability in SAP Hana Extended Application Services 1.0 Under certain conditions SAP HANA Extended Application Services, version 1.0, advanced model (XS advanced) writes credentials of platform users to a trace file of the SAP HANA system. | 5.0 |
2019-02-13 | CVE-2019-8337 | Marlam | Improper Certificate Validation vulnerability in Marlam Mpop and Msmtp In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default configuration, certificate-verification results are not properly checked. | 5.0 |
2019-02-13 | CVE-2019-5910 | Housegate | Path Traversal vulnerability in Housegate House Gate 1.7.8 Directory traversal vulnerability in HOUSE GATE App for iOS 1.7.8 and earlier allows remote attackers to read arbitrary files via unspecified vectors. | 5.0 |
2019-02-13 | CVE-2018-20164 | Uaparser | Incorrect Regular Expression vulnerability in Uaparser User Agent Parser-Core An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. | 5.0 |
2019-02-12 | CVE-2017-0938 | UI | Improper Input Validation vulnerability in UI Airos and Edgemax Firmware Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks. | 5.0 |
2019-02-12 | CVE-2019-7550 | Jforum | Information Exposure Through an Error Message vulnerability in Jforum 2.1.8 In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whether a user exists by using the "create user" function. | 5.0 |
2019-02-12 | CVE-2018-5499 | Atto | Improper Input Validation vulnerability in Atto Fibrebridge 7500N Firmware 2.95 ATTO FibreBridge 7500N firmware version 2.95 is susceptible to a vulnerability which allows attackers to cause a Denial of Service (DoS). | 5.0 |
2019-02-11 | CVE-2018-9592 | Out-of-bounds Read vulnerability in Google Android In mca_ccb_hdl_rsp of mca_cact.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. | 5.0 | |
2019-02-11 | CVE-2018-9591 | Out-of-bounds Read vulnerability in Google Android In bta_hh_ctrl_dat_act of bta_hh_act.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. | 5.0 | |
2019-02-11 | CVE-2018-9590 | Out-of-bounds Read vulnerability in Google Android In add_attr of sdp_discovery.c in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. | 5.0 | |
2019-02-11 | CVE-2018-18569 | Dundas | Server-Side Request Forgery (SSRF) vulnerability in Dundas BI 5.0.1.1010 The Dundas BI server before 5.0.1.1010 is vulnerable to a Server-Side Request Forgery attack, allowing an attacker to forge arbitrary requests (with certain restrictions) that will be executed on behalf of the attacker, via the viewUrl parameter of the "export the dashboard as an image" feature. | 5.0 |
2019-02-11 | CVE-2018-17542 | Hgiga | SQL Injection vulnerability in Hgiga Oaklouds Mailsherlock SQL Injection exists in MailSherlock before 1.5.235 for OAKlouds allows an unauthenticated user to extract the subjects of the emails of other users within the enterprise via the select_mid parameter in an letgo.cgi request. | 5.0 |
2019-02-11 | CVE-2019-7733 | Live555 | Integer Overflow or Wraparound vulnerability in Live555 Streaming Media 0.95 In Live555 0.95, there is a buffer overflow via a large integer in a Content-Length HTTP header because handleRequestBytes has an unrestricted memmove. | 5.0 |
2019-02-11 | CVE-2019-7732 | Live555 | Memory Leak vulnerability in Live555 Streaming Media 0.95 In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed. | 5.0 |
2019-02-11 | CVE-2018-15588 | Freron | Authentication Bypass by Spoofing vulnerability in Freron Mailmate MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email. | 5.0 |
2019-02-11 | CVE-2019-7721 | Nconsulting | Unrestricted Upload of File with Dangerous Type vulnerability in Nconsulting Nc-Cms 3.5 lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters. | 5.0 |
2019-02-11 | CVE-2018-20776 | Frog CMS Project | Information Exposure vulnerability in Frog CMS Project Frog CMS 0.9.5 Frog CMS 0.9.5 provides a directory listing for a /public request. | 5.0 |
2019-02-17 | CVE-2019-8413 | MI | NULL Pointer Dereference vulnerability in MI MIX 2 Firmware 4.4.78 On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661). | 4.9 |
2019-02-11 | CVE-2019-7730 | Mywebsql | Cross-Site Request Forgery (CSRF) vulnerability in Mywebsql 3.7 MyWebSQL 3.7 has a Cross-site request forgery (CSRF) vulnerability for deleting a database via the /?q=wrkfrm&type=databases URI. | 4.9 |
2019-02-17 | CVE-2019-8389 | Musicloud Project | Information Exposure vulnerability in Musicloud Project Musicloud 1.6 A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. | 4.8 |
2019-02-11 | CVE-2018-9585 | Out-of-bounds Write vulnerability in Google Android In nfc_ncif_proc_get_routing of nfc_ncif.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2019-02-11 | CVE-2018-9584 | Out-of-bounds Write vulnerability in Google Android In nfc_ncif_set_config_status of nfc_ncif.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2019-02-11 | CVE-2018-9582 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 8.0/8.1/9.0 In package installer in Android-8.0, Android-8.1 and Android-9, there is a possible bypass of the unknown source warning due to a confused deputy scenario. | 4.6 | |
2019-02-11 | CVE-2018-13893 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Out of bound mask range access caused by using possible old value of msg mask table count while copying masks to userspace. | 4.6 | |
2019-02-11 | CVE-2018-12010 | Out-of-bounds Write vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Absence of length sanity check may lead to possible stack overflow resulting in memory corruption in trustzone region. | 4.6 | |
2019-02-11 | CVE-2018-11899 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products While processing radio connection status change events, Radio index is not properly validated in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile and Snapdragon Voice & Music in versions MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. | 4.6 |
2019-02-12 | CVE-2019-8308 | Flatpak Debian Redhat | Exposure of Resource to Wrong Sphere vulnerability in multiple products Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file. | 4.4 |
2019-02-11 | CVE-2018-9587 | Files or Directories Accessible to External Parties vulnerability in Google Android In savePhotoFromUriToUri of ContactPhotoUtils.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is possible unauthorized access to files within the contact app due to a confused deputy scenario. | 4.4 | |
2019-02-11 | CVE-2018-9586 | Race Condition vulnerability in Google Android In run of InstallPackageTask.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, it is possible that package verification is turned off and remains off due to a race condition. | 4.4 | |
2019-02-17 | CVE-2019-8419 | Vnote Project | Cross-site Scripting vulnerability in Vnote Project Vnote 2.2 VNote 2.2 has XSS via a new text note. | 4.3 |
2019-02-17 | CVE-2019-8400 | ORY | Cross-site Scripting vulnerability in ORY Hydra ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter. | 4.3 |
2019-02-17 | CVE-2019-8398 | Hdfgroup | Out-of-bounds Read vulnerability in Hdfgroup Hdf5 1.10.4 An issue was discovered in the HDF HDF5 1.10.4 library. | 4.3 |
2019-02-17 | CVE-2019-8397 | Hdfgroup | Out-of-bounds Read vulnerability in Hdfgroup Hdf5 1.10.4 An issue was discovered in the HDF HDF5 1.10.4 library. | 4.3 |
2019-02-17 | CVE-2019-8396 | Hdfgroup | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hdfgroup Hdf5 A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. | 4.3 |
2019-02-16 | CVE-2019-8363 | Verydows | Cross-site Scripting vulnerability in Verydows 2.0 Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value. | 4.3 |
2019-02-16 | CVE-2019-8361 | Responsive Video News Script Project | Cross-site Scripting vulnerability in Responsive Video News Script Project Responsive Video News Script PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. | 4.3 |
2019-02-15 | CVE-2019-8357 | Sound Exchange Project | NULL Pointer Dereference vulnerability in Sound Exchange Project Sound Exchange 14.4.2 An issue was discovered in SoX 14.4.2. | 4.3 |
2019-02-15 | CVE-2019-8356 | Sound Exchange Project | Improper Validation of Array Index vulnerability in Sound Exchange Project Sound Exchange 14.4.2 An issue was discovered in SoX 14.4.2. | 4.3 |
2019-02-15 | CVE-2019-8355 | Sound Exchange Project | Integer Overflow or Wraparound vulnerability in Sound Exchange Project Sound Exchange 14.4.2 An issue was discovered in SoX 14.4.2. | 4.3 |
2019-02-15 | CVE-2019-0251 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects 4.2/4.3 The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 4.3 |
2019-02-15 | CVE-2019-8345 | Estrongs | Open Redirect vulnerability in Estrongs ES File Explorer File Manager 4.1.9.7.4 The Help feature in the ES File Explorer File Manager application 4.1.9.7.4 for Android allows session hijacking by a Man-in-the-middle attacker on the local network because HTTPS is not used, and an attacker's web site is displayed in a WebView with no information about the URL. | 4.3 |
2019-02-14 | CVE-2019-6589 | F5 | Cross-site Scripting vulnerability in F5 products On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration utility. | 4.3 |
2019-02-13 | CVE-2018-12409 | Tibco | Cross-site Scripting vulnerability in Tibco Silver Fabric The SOAP Admin API component of TIBCO Software Inc.'s TIBCO Silver Fabric contains a vulnerability that may allow reflected cross-site scripting (XSS) attacks. | 4.3 |
2019-02-13 | CVE-2019-8335 | Schoolcms | Cross-site Scripting vulnerability in Schoolcms 2.3.1 An issue was discovered in SchoolCMS 2.3.1. | 4.3 |
2019-02-13 | CVE-2019-8334 | Schoolcms | Cross-site Scripting vulnerability in Schoolcms 2.3.1 An issue was discovered in SchoolCMS 2.3.1. | 4.3 |
2019-02-12 | CVE-2019-7744 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.3. | 4.3 |
2019-02-12 | CVE-2019-7742 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.3. | 4.3 |
2019-02-12 | CVE-2019-7741 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.3. | 4.3 |
2019-02-12 | CVE-2019-7740 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.3. | 4.3 |
2019-02-12 | CVE-2019-7739 | Joomla | Unspecified vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.3. | 4.3 |
2019-02-12 | CVE-2019-7753 | Verydows | Cross-site Scripting vulnerability in Verydows 2.0 Verydows 2.0 has XSS via the index.php?m=api&c=stats&a=count referrer parameter. | 4.3 |
2019-02-11 | CVE-2019-7748 | Dbninja | Cross-site Scripting vulnerability in Dbninja 3.2.7 _includes\online.php in DbNinja 3.2.7 allows XSS via the data.php task parameter if _users/admin/tasks.php exists. | 4.3 |
2019-02-11 | CVE-2018-15587 | Gnome Debian | Improper Verification of Cryptographic Signature vulnerability in multiple products GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. | 4.3 |
2019-02-11 | CVE-2018-15586 | Enigmail | Improper Verification of Cryptographic Signature vulnerability in Enigmail Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email. | 4.3 |
2019-02-11 | CVE-2018-20778 | Frog CMS Project | Cross-site Scripting vulnerability in Frog CMS Project Frog CMS 0.9.5 admin/?/plugin/file_manager in Frog CMS 0.9.5 allows XSS by creating a new file containing a crafted attribute of an IMG element. | 4.3 |
2019-02-17 | CVE-2019-8418 | Seacms | Unspecified vulnerability in Seacms 7.2 SeaCMS 7.2 mishandles member.php?mod=repsw4 requests. | 4.0 |
2019-02-17 | CVE-2019-8408 | Onefilecms | Unspecified vulnerability in Onefilecms 3.6.13 OneFileCMS 3.6.13 allows remote attackers to modify onefilecms.php by clicking the Copy button twice. | 4.0 |
2019-02-17 | CVE-2019-8394 | Zohocorp | Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Servicedesk Plus Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | 4.0 |
2019-02-15 | CVE-2019-0265 | SAP | XXE vulnerability in SAP products SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | 4.0 |
2019-02-13 | CVE-2018-20237 | Atlassian | Exposure of Resource to Wrong Sphere vulnerability in Atlassian Confluence Data Center and Confluence Server Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. | 4.0 |
2019-02-13 | CVE-2018-13404 | Atlassian | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Jira and Jira Server The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability. | 4.0 |
2019-02-12 | CVE-2019-6549 | Kunbus | Credentials Management vulnerability in Kunbus Pr100088 Modbus Gateway Firmware 1.1.13166 An attacker could retrieve plain-text credentials stored in a XML file on PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) through FTP. | 4.0 |
20 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2019-02-15 | CVE-2018-1895 | IBM | Cross-site Scripting vulnerability in IBM products IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. | 3.5 |
2019-02-15 | CVE-2019-0262 | SAP | Cross-site Scripting vulnerability in SAP Businessobjects BI Platform 4.10/4.20 SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2019-02-15 | CVE-2019-0254 | SAP | Cross-site Scripting vulnerability in SAP Disclosure Management SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2019-02-13 | CVE-2018-20232 | Atlassian | Cross-site Scripting vulnerability in Atlassian Jira and Jira Server The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting. | 3.5 |
2019-02-13 | CVE-2018-13403 | Atlassian | Cross-site Scripting vulnerability in Atlassian Jira and Jira Server The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard. | 3.5 |
2019-02-13 | CVE-2018-0696 | Osstech | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Osstech Openam 13.0/13.0.0120 OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors. | 3.5 |
2019-02-12 | CVE-2018-19020 | Omron | Out-of-bounds Read vulnerability in Omron Cx-Supervisor 3.5 When CX-Supervisor (Versions 3.42 and prior) processes project files and tampers with the value of an offset, an attacker can force the application to read a value outside of an array. | 3.5 |
2019-02-12 | CVE-2019-3923 | Tenable | Cross-site Scripting vulnerability in Tenable Nessus Nessus versions 8.2.1 and earlier were found to contain a stored XSS vulnerability due to improper validation of user-supplied input. | 3.5 |
2019-02-11 | CVE-2018-20777 | Frog CMS Project | Cross-site Scripting vulnerability in Frog CMS Project Frog CMS 0.9.5 Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit/1 Body field. | 3.5 |
2019-02-11 | CVE-2018-20774 | Frog CMS Project | Cross-site Scripting vulnerability in Frog CMS Project Frog CMS 0.9.5 Frog CMS 0.9.5 has XSS via the admin/?/layout/edit/1 Body field. | 3.5 |
2019-02-11 | CVE-2018-9594 | Out-of-bounds Read vulnerability in Google Android In llcp_link_proc_agf_pdu of llcp_link.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to an integer overflow. | 3.3 | |
2019-02-11 | CVE-2018-9593 | Out-of-bounds Read vulnerability in Google Android In llcp_dlc_proc_i_pdu of llcp_dlc.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to an incorrect bounds check. | 3.3 | |
2019-02-11 | CVE-2018-9588 | Out-of-bounds Read vulnerability in Google Android In avdt_scb_hdl_report of avdt_scb_act.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. | 3.3 | |
2019-02-15 | CVE-2019-0256 | SAP | Unspecified vulnerability in SAP Business ONE 1.2.12 Under certain conditions SAP Business One Mobile Android App, version 1.2.12, allows an attacker to access information which would otherwise be restricted. | 2.1 |
2019-02-13 | CVE-2019-3782 | Cloudfoundry | Insufficiently Protected Credentials vulnerability in Cloudfoundry Credhub CLI Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. | 2.1 |
2019-02-12 | CVE-2018-20781 | Gnome Canonical Oracle | Insufficiently Protected Credentials vulnerability in multiple products In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. | 2.1 |
2019-02-12 | CVE-2019-5595 | Freebsd | Improper Input Validation vulnerability in Freebsd 11.2/12.0 In FreeBSD before 11.2-STABLE(r343782), 11.2-RELEASE-p9, 12.0-STABLE(r343781), and 12.0-RELEASE-p3, kernel callee-save registers are not properly sanitized before return from system calls, potentially allowing some kernel data used in the system call to be exposed. | 2.1 |
2019-02-11 | CVE-2018-9589 | Out-of-bounds Read vulnerability in Google Android In ieee802_11_rx_wnmsleep_req of wnm_ap.c in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2019-02-11 | CVE-2018-12011 | Use of Uninitialized Resource vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Uninitialized data for socket address leads to information exposure. | 2.1 | |
2019-02-11 | CVE-2018-12006 | Information Exposure vulnerability in Google Android In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Users with no extra privileges can potentially access leaked data due to uninitialized padding present in display function. | 2.1 |