Weekly Vulnerabilities Reports > February 18 to 24, 2019

Overview

201 new vulnerabilities reported during this period, including 5 critical vulnerabilities and 31 high severity vulnerabilities. This weekly summary report vulnerabilities in 204 products from 90 vendors including Debian, Redhat, Google, Fedoraproject, and Intel. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Improper Input Validation", "Out-of-bounds Write", and "Use After Free".

  • 172 reported vulnerabilities are remotely exploitables.
  • 18 reported vulnerabilities have public exploit available.
  • 59 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 170 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 41 reported vulnerabilities.
  • Netis Systems has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

5 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-02-24 CVE-2019-9082 Thinkphp
Opensourcebms
Zzzcms
Improper Input Validation vulnerability in multiple products

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

10.0
2019-02-21 CVE-2018-20122 Fastweb OS Command Injection vulnerability in Fastweb Fastgate Firmware 1.0.1B

The web interface on FASTGate Fastweb devices with firmware through 0.00.47_FW_200_Askey 2017-05-17 (software through 1.0.1b) exposed a CGI binary that is vulnerable to a command injection vulnerability that can be exploited to achieve remote code execution with root privileges.

10.0
2019-02-20 CVE-2019-8950 Dasannetworks USE of Hard-Coded Credentials vulnerability in Dasannetworks H665 Firmware 1.46P10028

The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.

10.0
2019-02-18 CVE-2019-8917 Solarwinds Unspecified vulnerability in Solarwinds Orion Network Performance Monitor

SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service.

10.0
2019-02-21 CVE-2019-8985 Netis Systems Missing Authentication FOR Critical Function vulnerability in Netis-Systems Wf2411 Firmware and Wf2880 Firmware

On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices (possibly WF2411 through WF2880), there is a stack-based buffer overflow that does not require authentication.

9.0

31 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-02-20 CVE-2018-15380 Cisco OS Command Injection vulnerability in Cisco Hyperflex HX Data Platform 3.0(1A)/3.5(1A)

A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user.

8.3
2019-02-22 CVE-2019-9003 Linux
Netapp
USE After Free vulnerability in Linux Kernel

In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.

7.8
2019-02-21 CVE-2019-8980 Linux
Canonical
Opensuse
Debian
Memory Leak vulnerability in multiple products

A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.

7.8
2019-02-20 CVE-2018-5819 Libraw
Debian
Resource Exhaustion vulnerability in multiple products

An error within the "parse_sinar_ia()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to exhaust available CPU resources.

7.8
2019-02-20 CVE-2018-20030 Libexif Project Resource Exhaustion vulnerability in Libexif Project Libexif 0.6.21

An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources.

7.8
2019-02-24 CVE-2019-9081 Laravel Deserialization of Untrusted Data vulnerability in Laravel Framework

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the PendingCommand class in PendingCommand.php.

7.5
2019-02-24 CVE-2019-8375 Webkitgtk
Opensuse
Canonical
Buffer Errors vulnerability in Webkitgtk and Webkitgtk+

The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, which allows remote attackers to cause a denial of service (Buffer Overflow) or possibly have unspecified other impact, related to UIProcess/API/gtk/WebKitScriptDialogGtk.cpp, UIProcess/API/gtk/WebKitScriptDialogImpl.cpp, and UIProcess/API/gtk/WebKitWebViewGtk.cpp, as demonstrated by GNOME Web (aka Epiphany).

7.5
2019-02-23 CVE-2019-9047 Fizzday SQL Injection vulnerability in Fizzday Gorose 1.0.4

GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.

7.5
2019-02-22 CVE-2019-9025 PHP
Netapp
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

An issue was discovered in PHP 7.3.x before 7.3.1.

7.5
2019-02-22 CVE-2019-9023 PHP
Debian
Canonical
Netapp
Opensuse
Out-Of-Bounds Read vulnerability in PHP

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1.

7.5
2019-02-22 CVE-2019-9021 PHP
Debian
Canonical
Netapp
Opensuse
Out-Of-Bounds Read vulnerability in PHP

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1.

7.5
2019-02-22 CVE-2019-9020 PHP
Debian
Canonical
Netapp
Opensuse
USE After Free vulnerability in PHP

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1.

7.5
2019-02-22 CVE-2018-20784 Linux Infinite Loop vulnerability in Linux Kernel

In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.

7.5
2019-02-22 CVE-2019-9002 Tiny Issue Project
Pixeline
Code Injection vulnerability in multiple products

An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c.

7.5
2019-02-21 CVE-2019-8996 Signiant Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Signiant Manager+Agents

In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.

7.5
2019-02-21 CVE-2018-1944 IBM USE of Hard-Coded Credentials vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

7.5
2019-02-21 CVE-2019-8979 Kohanaframework SQL Injection vulnerability in Kohanaframework Kohana

Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.

7.5
2019-02-20 CVE-2019-8948 Papercut Injection vulnerability in Papercut MF and Papercut NG

PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.

7.5
2019-02-20 CVE-2019-7164 Sqlalchemy
Debian
SQL Injection vulnerability in multiple products

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

7.5
2019-02-18 CVE-2019-7629 Tintin Project Out-Of-Bounds Write vulnerability in Tintin++ Project Tintin++ and Wintin++

Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.

7.5
2019-02-18 CVE-2019-8908 Wtcms Project Code Injection vulnerability in Wtcms Project Wtcms 1.0

An issue was discovered in WTCMS 1.0.

7.5
2019-02-18 CVE-2019-0101 Intel Unspecified vulnerability in Intel Unite 3.2/3.2.91.51/3.3

Authentication bypass in the Intel Unite(R) solution versions 3.2 through 3.3 may allow an unauthenticated user to potentially enable escalation of privilege to the Intel Unite(R) Solution administrative portal via network access.

7.5
2019-02-18 CVE-2019-8429 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.

7.5
2019-02-18 CVE-2019-8428 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.

7.5
2019-02-18 CVE-2019-8427 Zoneminder OS Command Injection vulnerability in Zoneminder

daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.

7.5
2019-02-18 CVE-2019-8424 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.

7.5
2019-02-18 CVE-2019-8423 Zoneminder SQL Injection vulnerability in Zoneminder

ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.

7.5
2019-02-21 CVE-2019-1664 Cisco Improper Access Control vulnerability in Cisco Hyperflex HX Data Platform

A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster.

7.2
2019-02-21 CVE-2018-20146 Liquidware Unspecified vulnerability in Liquidware Flexapp and Profileunity

An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0.

7.2
2019-02-20 CVE-2019-3475 Microfocus
Suse
Improper Privilege Management vulnerability in Microfocus Filr 3.0

A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root.

7.2
2019-02-18 CVE-2019-8912 Linux
Redhat
USE After Free vulnerability in Linux Kernel

In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.

7.2

144 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-02-18 CVE-2019-8372 LG Link Following vulnerability in LG Lha.Sys

The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges.

6.9
2019-02-24 CVE-2019-9077 GNU
Netapp
Out-Of-Bounds Write vulnerability in multiple products

An issue was discovered in GNU Binutils 2.32.

6.8
2019-02-24 CVE-2019-9075 GNU
Netapp
Out-Of-Bounds Write vulnerability in multiple products

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32.

6.8
2019-02-24 CVE-2019-9070 GNU
Netapp
Out-Of-Bounds Read vulnerability in multiple products

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32.

6.8
2019-02-23 CVE-2019-9040 S CMS Cross-Site Request Forgery (CSRF) vulnerability in S-Cms 3.0

S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332.

6.8
2019-02-21 CVE-2019-6340 Drupal Deserialization of Untrusted Data vulnerability in Drupal

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10.

6.8
2019-02-21 CVE-2019-8982 Wavemaker Server-Side Request Forgery (SSRF) vulnerability in Wavemaker Wavemarker Studio 6.6

com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.

6.8
2019-02-19 CVE-2019-5783 Google
Debian
Improper Input Validation vulnerability in Google Chrome

Missing URI encoding of untrusted input in DevTools in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform a Dangling Markup Injection attack via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5782 Google
Debian
Redhat
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5774 Google
Linux
Debian
Redhat
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Omission of the .desktop filetype from the Safe Browsing checklist in SafeBrowsing in Google Chrome on Linux prior to 72.0.3626.81 allowed an attacker who convinced a user to download a .desktop file to execute arbitrary code via a downloaded .desktop file.

6.8
2019-02-19 CVE-2019-5772 Google
Debian
Redhat
Fedoraproject
USE After Free vulnerability in multiple products

Sharing of objects over calls into JavaScript runtime in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

6.8
2019-02-19 CVE-2019-5771 Google
Redhat
Fedoraproject
An incorrect JIT of GLSL shaders in SwiftShader in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
6.8
2019-02-19 CVE-2019-5770 Google
Debian
Redhat
Fedoraproject
Out-Of-Bounds Read vulnerability in Google Chrome

Insufficient input validation in WebGL in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5769 Google
Redhat
Debian
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Incorrect handling of invalid end character position when front rendering in Blink in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5764 Google
Debian
Redhat
Fedoraproject
USE After Free vulnerability in multiple products

Incorrect pointer management in WebRTC in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5763 Google
Debian
Redhat
Fedoraproject
Improper Check FOR Unusual OR Exceptional Conditions vulnerability in multiple products

Failure to check error conditions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5762 Google
Debian
Redhat
Fedoraproject
Buffer Errors vulnerability in Google Chrome

Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.

6.8
2019-02-19 CVE-2019-5761 Google
Redhat
Fedoraproject
Out-Of-Bounds Write vulnerability in multiple products

Incorrect object lifecycle management in SwiftShader in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5760 Google
Redhat
Fedoraproject
Debian
USE After Free vulnerability in multiple products

Insufficient checks of pointer validity in WebRTC in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5759 Google
Apple
Debian
Redhat
Fedoraproject
USE After Free vulnerability in Google Chrome

Incorrect lifetime handling in HTML select elements in Google Chrome on Android and Mac prior to 72.0.3626.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5758 Google
Debian
Redhat
Fedoraproject
Out-Of-Bounds Write vulnerability in multiple products

Incorrect object lifecycle management in Blink in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5757 Google
Debian
Redhat
Fedoraproject
Incorrect Type Conversion OR Cast vulnerability in Google Chrome

An incorrect object type assumption in SVG in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.

6.8
2019-02-19 CVE-2019-5756 Google
Debian
Redhat
Fedoraproject
USE After Free vulnerability in Google Chrome

Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.

6.8
2019-02-18 CVE-2019-8910 Wtcms Project Cross-Site Request Forgery (CSRF) vulnerability in Wtcms Project Wtcms 1.0

An issue was discovered in WTCMS 1.0.

6.8
2019-02-18 CVE-2019-8907 File Project
Debian
Opensuse
Canonical
Out-Of-Bounds Write vulnerability in multiple products

do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.

6.8
2019-02-18 CVE-2019-8906 File Project
Canonical
Opensuse
Apple
Out-Of-Bounds Read vulnerability in multiple products

do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.

6.8
2019-02-18 CVE-2019-8905 Debian
File Project
Canonical
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.

6.8
2019-02-18 CVE-2019-8904 File Project
Canonical
Out-Of-Bounds Read vulnerability in multiple products

do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.

6.8
2019-02-18 CVE-2019-6453 Mirc Argument Injection OR Modification vulnerability in Mirc

mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers.

6.8
2019-02-23 CVE-2019-9050 Pluck CMS Unrestricted Upload of File With Dangerous Type vulnerability in Pluck-Cms Pluck 4.7.9

An issue was discovered in Pluck 4.7.9-dev1.

6.5
2019-02-23 CVE-2019-9042 Sitemagic Unrestricted Upload of File With Dangerous Type vulnerability in Sitemagic CMS 4.4

** DISPUTED ** An issue was discovered in Sitemagic CMS v4.4.

6.5
2019-02-23 CVE-2019-9041 Zzzcms Code Injection vulnerability in Zzzcms Zzzphp 1.6.1

An issue was discovered in ZZZCMS zzzphp V1.6.1.

6.5
2019-02-20 CVE-2019-1003024 Jenkins
Redhat
7PK - Security Features vulnerability in multiple products

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

6.5
2019-02-20 CVE-2019-8954 Indexhibit Improper Input Validation vulnerability in Indexhibit 2.1.5

In Indexhibit 2.1.5, remote attackers can execute arbitrary code via the v parameter (in conjunction with the id parameter) in a upd_jxcode=true action to the ndxzstudio/?a=system URI.

6.5
2019-02-20 CVE-2019-8942 Wordpress
Debian
Code Injection vulnerability in Wordpress

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring.

6.5
2019-02-19 CVE-2019-8933 Dedecms Unrestricted Upload of File With Dangerous Type vulnerability in Dedecms 5.7

In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.

6.5
2019-02-23 CVE-2019-9037 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

6.4
2019-02-23 CVE-2019-9035 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

6.4
2019-02-23 CVE-2019-9034 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

6.4
2019-02-23 CVE-2019-9033 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

6.4
2019-02-23 CVE-2019-9030 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

6.4
2019-02-23 CVE-2019-9028 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

6.4
2019-02-22 CVE-2019-9015 Mopcms Path Traversal vulnerability in Mopcms 20181130

A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files.

6.4
2019-02-21 CVE-2019-1662 Cisco Improper Authentication vulnerability in Cisco Prime Collaboration Assurance

A vulnerability in the Quality of Voice Reporting (QOVR) service of Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user.

6.4
2019-02-21 CVE-2019-1684 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

A vulnerability in the Cisco Discovery Protocol or Link Layer Discovery Protocol (LLDP) implementation for the Cisco IP Phone 7800 and 8800 Series could allow an unauthenticated, adjacent attacker to cause an affected phone to reload unexpectedly, resulting in a temporary denial of service (DoS) condition.

6.1
2019-02-23 CVE-2019-9062 Online Food Ordering Script Project Cross-Site Request Forgery (CSRF) vulnerability in Online Food Ordering Script Project Online Food Ordering Script 1.0

PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.

6.0
2019-02-23 CVE-2019-9052 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9

An issue was discovered in Pluck 4.7.9-dev1.

5.8
2019-02-23 CVE-2019-9051 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9

An issue was discovered in Pluck 4.7.9-dev1.

5.8
2019-02-23 CVE-2019-9049 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9

An issue was discovered in Pluck 4.7.9-dev1.

5.8
2019-02-23 CVE-2019-9048 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9

An issue was discovered in Pluck 4.7.9-dev1.

5.8
2019-02-21 CVE-2018-1945 IBM Improper Input Validation vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance could allow a remote attacker to hijack the clicking action of the victim.

5.8
2019-02-21 CVE-2019-1659 Cisco Improper Certificate Validation vulnerability in Cisco Prime Infrastructure

A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI.

5.8
2019-02-20 CVE-2018-19106 Avinetworks Open Redirect vulnerability in Avinetworks AVI Vantage

Avi Vantage before 17.2.13 uses an invalid URL encoding during a redirect operation, aka AV-33959.

5.8
2019-02-19 CVE-2019-5755 Google
Debian
Redhat
Fedoraproject
Numeric Errors vulnerability in Google Chrome

Incorrect handling of negative zero in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

5.8
2019-02-18 CVE-2019-0102 Intel Session Fixation vulnerability in Intel Data Center Manager

Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

5.8
2019-02-21 CVE-2019-1700 Cisco Resource Management Errors vulnerability in Cisco Firepower 9000 Firmware 2.2(200.8)

A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.

5.7
2019-02-22 CVE-2019-7728 Bosch Improper Certificate Validation vulnerability in Bosch Smart Camera

An issue was discovered in the Bosch Smart Camera App before 1.3.1 for Android.

5.1
2019-02-24 CVE-2018-20786 Leonerd Null Pointer Dereference vulnerability in Leonerd Libvterm

libvterm through 0+bzr726, as used in Vim and other products, mishandles certain out-of-memory conditions, leading to a denial of service (application crash), related to screen.c, state.c, and vterm.c.

5.0
2019-02-23 CVE-2019-9064 CAB Booking Script Project Path Traversal vulnerability in CAB Booking Script Project CAB Booking Script 1.0.3

PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.

5.0
2019-02-23 CVE-2014-10079 Vembu Information Exposure vulnerability in Vembu Storegrid 4.4

In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash.

5.0
2019-02-23 CVE-2019-9038 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-23 CVE-2019-9036 Matio Project Out-Of-Bounds Write vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-23 CVE-2019-9032 Matio Project Out-Of-Bounds Write vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-23 CVE-2019-9031 Matio Project Null Pointer Dereference vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-23 CVE-2019-9029 Matio Project Out-Of-Bounds Read vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-23 CVE-2019-9027 Matio Project Out-Of-Bounds Write vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-23 CVE-2019-9026 Matio Project Out-Of-Bounds Write vulnerability in Matio Project Matio 1.5.13

An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13.

5.0
2019-02-22 CVE-2019-9024 PHP
Debian
Canonical
Netapp
Opensuse
Out-Of-Bounds Read vulnerability in PHP

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1.

5.0
2019-02-22 CVE-2019-9022 PHP
Debian
Canonical
Netapp
Out-Of-Bounds Read vulnerability in multiple products

An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2.

5.0
2019-02-22 CVE-2019-9004 Eclipse Memory Leak vulnerability in Eclipse Wakaama 1.0

In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak.

5.0
2019-02-21 CVE-2019-8955 Torproject Allocation of Resources Without Limits OR Throttling vulnerability in Torproject TOR

In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.

5.0
2019-02-21 CVE-2019-1691 Cisco Improper Handling of Exceptional Conditions vulnerability in Cisco Firepower Threat Defense

A vulnerability in the detection engine of Cisco Firepower Threat Defense Software could allow an unauthenticated, remote attacker to cause the unexpected restart of the SNORT detection engine, resulting in a denial of service (DoS) condition.

5.0
2019-02-21 CVE-2019-1681 Cisco Path Traversal vulnerability in Cisco IOS XR

A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure.

5.0
2019-02-21 CVE-2019-1666 Cisco Improper Access Control vulnerability in Cisco Hyperflex HX Data Platform

A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service.

5.0
2019-02-21 CVE-2018-20783 PHP
Opensuse
Out-Of-Bounds Read vulnerability in PHP

In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file.

5.0
2019-02-21 CVE-2018-1946 IBM Inadequate Encryption Strength vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

5.0
2019-02-21 CVE-2013-7469 Seafile Inadequate Encryption Strength vulnerability in Seafile

Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.

5.0
2019-02-20 CVE-2019-3924 Mikrotik Confused Deputy vulnerability in Mikrotik Routeros

MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) is vulnerable to an intermediary vulnerability.

5.0
2019-02-20 CVE-2018-5818 Libraw
Debian
Infinite Loop vulnerability in multiple products

An error within the "parse_rollei()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to trigger an infinite loop.

5.0
2019-02-20 CVE-2018-5817 Libraw
Debian
Incorrect Type Conversion OR Cast vulnerability in multiple products

A type confusion error within the "unpacked_load_raw()" function within LibRaw versions prior to 0.19.1 (internal/dcraw_common.cpp) can be exploited to trigger an infinite loop.

5.0
2019-02-19 CVE-2018-20026 Codesys Unspecified vulnerability in Codesys products

Improper Communication Address Filtering exists in CODESYS V3 products versions prior V3.5.14.0.

5.0
2019-02-19 CVE-2018-20025 Codesys USE of Insufficiently Random Values vulnerability in Codesys products

Use of Insufficiently Random Values exists in CODESYS V3 products versions prior V3.5.14.0.

5.0
2019-02-18 CVE-2019-8919 Seafile Inadequate Encryption Strength vulnerability in Seafile Seadroid

The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.

5.0
2019-02-18 CVE-2019-8909 Wtcms Project Resource Exhaustion vulnerability in Wtcms Project Wtcms 1.0

An issue was discovered in WTCMS 1.0.

5.0
2019-02-18 CVE-2019-8903 Totaljs Path Traversal vulnerability in Totaljs Total.Js

index.js in Total.js Platform before 3.2.3 allows path traversal.

5.0
2019-02-18 CVE-2019-8433 Jtbc Unrestricted Upload of File With Dangerous Type vulnerability in Jtbc PHP 3.0.1.8

JTBC(PHP) 3.0.1.8 allows Arbitrary File Upload via the console/#/console/file/manage.php?type=list URI, as demonstrated by a .php file.

5.0
2019-02-18 CVE-2019-8902 Idreamsoft Cross-Site Request Forgery (CSRF) vulnerability in Idreamsoft Icms

An issue was discovered in idreamsoft iCMS through 7.0.14.

4.9
2019-02-22 CVE-2019-9019 British Airways Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in British Airways Entertainment System

The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft, does not prevent the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices, which allows physically proximate attackers to conduct unanticipated attacks against Entertainment applications, as demonstrated by using mouse copy-and-paste actions to trigger a Chat buffer overflow or possibly have unspecified other impact.

4.6
2019-02-19 CVE-2019-5780 Google
Apple
Redhat
Debian
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Insufficient restrictions on what can be done with Apple Events in Google Chrome on macOS prior to 72.0.3626.81 allowed a local attacker to execute JavaScript via Apple Events.

4.6
2019-02-18 CVE-2019-0109 Intel Unspecified vulnerability in Intel Data Center Manager

Improper folder permissions in Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-02-18 CVE-2019-0107 Intel Unspecified vulnerability in Intel Data Center Manager

Insufficient user prompt in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2019-02-18 CVE-2019-0106 Intel Improper Input Validation vulnerability in Intel Data Center Manager

Insufficient run protection in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2019-02-18 CVE-2019-0105 Intel Incorrect Authorization vulnerability in Intel Data Center Manager

Insufficient file permissions checking in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow authenticated user to potentially enable escalation of privilege via local access.

4.6
2019-02-18 CVE-2018-3700 Intel
Microsoft
Code Injection vulnerability in Intel USB 3.0 Extensible Host Controller Driver

Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via local access.

4.6
2019-02-23 CVE-2018-20785 Neatorobotics Unspecified vulnerability in Neatorobotics products

Secure boot bypass and memory extraction can be achieved on Neato Botvac Connected 2.2.0 devices.

4.4
2019-02-24 CVE-2019-9076 GNU
Netapp
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32.

4.3
2019-02-24 CVE-2019-9074 GNU
Netapp
Out-Of-Bounds Read vulnerability in multiple products

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32.

4.3
2019-02-24 CVE-2019-9073 GNU
Netapp
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32.

4.3
2019-02-24 CVE-2019-9072 GNU
Netapp
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32.

4.3
2019-02-24 CVE-2019-9071 GNU
Netapp
Uncontrolled Recursion vulnerability in multiple products

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32.

4.3
2019-02-23 CVE-2014-10078 Vembu Cross-Site Scripting vulnerability in Vembu Storegrid 4.4

Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php.

4.3
2019-02-23 CVE-2018-18692 Semcosoft Cross-Site Scripting vulnerability in Semcosoft 5.3

A reflected Cross-Site scripting (XSS) vulnerability in SEMCO Semcosoft 5.3 allows remote attackers to inject arbitrary web scripts or HTML via the username parameter to the Login Form.

4.3
2019-02-22 CVE-2019-6485 Citrix USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Citrix products

Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 allow remote attackers to obtain sensitive plaintext information because of a TLS Padding Oracle Vulnerability when CBC-based cipher suites are enabled.

4.3
2019-02-22 CVE-2019-9016 Mopcms Cross-Site Scripting vulnerability in Mopcms 20181130

An XSS vulnerability was discovered in MOPCMS through 2018-11-30.

4.3
2019-02-21 CVE-2019-1685 Cisco Cross-Site Scripting vulnerability in Cisco Unity Connection 12.5

A vulnerability in the Security Assertion Markup Language (SAML) single sign-on (SSO) interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

4.3
2019-02-21 CVE-2019-1665 Cisco Cross-Site Scripting vulnerability in Cisco Hyperflex HX Data Platform

A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system.

4.3
2019-02-21 CVE-2018-1948 IBM Session Fixation vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance does not set the secure attribute on authorization tokens or session cookies.

4.3
2019-02-21 CVE-2018-1947 IBM Cross-Site Scripting vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance is vulnerable to cross-site scripting.

4.3
2019-02-21 CVE-2019-8984 Altn Cross-Site Scripting vulnerability in Altn Mdaemon

MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 2 of 2).

4.3
2019-02-21 CVE-2019-8983 Altn Cross-Site Scripting vulnerability in Altn Mdaemon

MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 1 of 2).

4.3
2019-02-21 CVE-2018-6687 Mcafee
Microsoft
Infinite Loop vulnerability in Mcafee Getsusp 3.0.0.461

Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSusp (GetSusp) 3.0.0.461 and earlier allows attackers to DoS a manual GetSusp scan via while scanning a specifically crafted file .

4.3
2019-02-20 CVE-2019-8953 Netgate Cross-Site Scripting vulnerability in Netgate Haproxy

The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.

4.3
2019-02-20 CVE-2019-8331 Getbootstrap
F5
Redhat
Cross-Site Scripting vulnerability in multiple products

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

4.3
2019-02-19 CVE-2019-5781 Google
Debian
Redhat
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

4.3
2019-02-19 CVE-2019-5779 Google
Debian
Redhat
Fedoraproject
Missing Authorization vulnerability in multiple products

Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

4.3
2019-02-19 CVE-2019-5778 Google
Debian
Redhat
Fedoraproject
Cross-Site Scripting vulnerability in Google Chrome

A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension permission checks for privileged pages via a crafted Chrome Extension.

4.3
2019-02-19 CVE-2019-5777 Google
Redhat
Debian
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

4.3
2019-02-19 CVE-2019-5776 Google
Debian
Redhat
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

4.3
2019-02-19 CVE-2019-5775 Google
Debian
Redhat
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

4.3
2019-02-19 CVE-2019-5773 Google
Debian
Redhat
Fedoraproject
Improper Input Validation vulnerability in Google Chrome

Insufficient origin validation in IndexedDB in Google Chrome prior to 72.0.3626.81 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page.

4.3
2019-02-19 CVE-2019-5768 Google
Debian
Redhat
Fedoraproject
Improper Privilege Management vulnerability in multiple products

DevTools API not correctly gating on extension capability in DevTools in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome Extension.

4.3
2019-02-19 CVE-2019-5767 Google
Debian
Redhat
Fedoraproject
Improper Restriction of Rendered UI Layers OR Frames vulnerability in multiple products

Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK.

4.3
2019-02-19 CVE-2019-5766 Google
Debian
Redhat
Fedoraproject
Incorrect handling of origin taint checking in Canvas in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
4.3
2019-02-19 CVE-2019-5765 Google
Redhat
Debian
Fedoraproject
Cleartext Storage of Sensitive Information vulnerability in multiple products

An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.

4.3
2019-02-19 CVE-2019-5754 Google
Redhat
Fedoraproject
Debian
Cryptographic Issues vulnerability in Google Chrome

Implementation error in QUIC Networking in Google Chrome prior to 72.0.3626.81 allowed an attacker running or able to cause use of a proxy server to obtain cleartext of transport encryption via malicious network proxy.

4.3
2019-02-19 CVE-2019-8939 Tautulli Cross-Site Scripting vulnerability in Tautulli 2.1.26

data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.

4.3
2019-02-18 CVE-2019-8911 Wtcms Project Cross-Site Scripting vulnerability in Wtcms Project Wtcms 1.0

An issue was discovered in WTCMS 1.0.

4.3
2019-02-18 CVE-2019-8434 Cmseasy Cross-Site Scripting vulnerability in Cmseasy 7.0

In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter.

4.3
2019-02-18 CVE-2019-8432 Cmseasy Cross-Site Scripting vulnerability in Cmseasy 7.0

In CmsEasy 7.0, there is XSS via the ckplayer.php url parameter.

4.3
2019-02-18 CVE-2019-8426 Zoneminder Cross-Site Scripting vulnerability in Zoneminder

skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.

4.3
2019-02-18 CVE-2019-8425 Zoneminder Cross-Site Scripting vulnerability in Zoneminder

includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.

4.3
2019-02-23 CVE-2019-9065 Custom T Shirt Ecommerce Script Project Improper Input Validation vulnerability in Custom T-Shirt Ecommerce Script Project Custom T-Shirt Ecommerce Script 3.1.1

PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount.

4.0
2019-02-23 CVE-2019-9063 Auction Website Script Project Improper Input Validation vulnerability in Auction Website Script Project Auction Website Script 2.0.4

PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment amount.

4.0
2019-02-21 CVE-2019-1698 Cisco XXE vulnerability in Cisco IOT Field Network Director

A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system.

4.0
2019-02-21 CVE-2018-2006 IBM Path Traversal vulnerability in IBM Robotic Process Automation With Automation Anywhere 11.0.0.0/11.0.0.1/11.0.0.2

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote attacker to traverse directories on the system.

4.0
2019-02-21 CVE-2018-1950 IBM Information Exposure vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance generates an error message that includes sensitive information about its environment, users, or associated data which could be used in further attacks against the system.

4.0
2019-02-21 CVE-2018-1949 IBM Information Exposure vulnerability in IBM Security Identity Governance and Intelligence 5.2.2.1

IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance discloses sensitive information to unauthorized users.

4.0
2019-02-20 CVE-2019-3474 Microfocus Path Traversal vulnerability in Microfocus Filr 3.0

A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server.

4.0
2019-02-20 CVE-2019-1003028 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins JMS Messaging

A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint.

4.0
2019-02-20 CVE-2019-1003027 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins Octopusdeploy

A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise.

4.0
2019-02-20 CVE-2019-1003026 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins Mattermost

A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message.

4.0
2019-02-20 CVE-2019-1003025 Jenkins Information Exposure vulnerability in Jenkins Cloud Foundry

A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.0
2019-02-20 CVE-2019-8944 Octopus Information Exposure vulnerability in Octopus Deploy

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.

4.0
2019-02-20 CVE-2019-8943 Wordpress Path Traversal vulnerability in Wordpress

WordPress through 5.0.3 allows Path Traversal in wp_crop_image().

4.0

21 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-02-24 CVE-2019-9078 Zzcms Cross-Site Scripting vulnerability in Zzcms 2019

zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.

3.5
2019-02-23 CVE-2019-9066 PHP Appointment Booking Script Project Cross-Site Scripting vulnerability in PHP Appointment Booking Script Project PHP Appointment Booking Script 3.0.3

PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user profile.

3.5
2019-02-21 CVE-2019-5727 Splunk Cross-Site Scripting vulnerability in Splunk

Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.

3.5
2019-02-20 CVE-2018-20241 Atlassian Cross-Site Scripting vulnerability in Atlassian Crucible and Fisheye

The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.

3.5
2019-02-20 CVE-2018-20240 Atlassian Cross-Site Scripting vulnerability in Atlassian Crucible and Fisheye

The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.

3.5
2019-02-19 CVE-2018-1996 IBM USE of A Broken OR Risky Cryptographic Algorithm vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration.

3.5
2019-02-19 CVE-2019-8935 O DYN Cross-Site Scripting vulnerability in O-Dyn Collabtive 3.1

Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.

3.5
2019-02-18 CVE-2019-8436 Txjia Cross-Site Scripting vulnerability in Txjia Imcat 4.5

imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter.

3.5
2019-02-18 CVE-2019-8435 Phpmywind Cross-Site Scripting vulnerability in PHPmywind 5.5

admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header.

3.5
2019-02-22 CVE-2019-7729 Bosch Incorrect Permission Assignment FOR Critical Resource vulnerability in Bosch Smart Camera

An issue was discovered in the Bosch Smart Camera App before 1.3.1 for Android.

2.1
2019-02-21 CVE-2019-1667 Cisco Insufficient Verification of Data Authenticity vulnerability in Cisco Hyperflex HX Data Platform

A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface.

2.1
2019-02-19 CVE-2018-9867 Sonicwall Incorrect Permission Assignment FOR Critical Resource vulnerability in Sonicwall Sonicos

In SonicWall SonicOS, administrators without full permissions can download imported certificates.

2.1
2019-02-19 CVE-2019-3812 Qemu
Fedoraproject
Canonical
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function.

2.1
2019-02-18 CVE-2019-0127 Intel
Linux
Unspecified vulnerability in Intel Openvino 2018

Logic error in the installer for Intel(R) OpenVINO(TM) 2018 R3 and before for Linux may allow a privileged user to potentially enable information disclosure via local access.

2.1
2019-02-18 CVE-2019-0112 Intel Improper Input Validation vulnerability in Intel Data Center Manager

Improper flow control in crypto routines for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2019-02-18 CVE-2019-0111 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel Data Center Manager

Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

2.1
2019-02-18 CVE-2019-0110 Intel Unspecified vulnerability in Intel Data Center Manager

Insufficient key management for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

2.1
2019-02-18 CVE-2019-0108 Intel Incorrect Permission Assignment FOR Critical Resource vulnerability in Intel Data Center Manager

Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable disclosure of information via local access.

2.1
2019-02-18 CVE-2019-0104 Intel Unspecified vulnerability in Intel Data Center Manager

Insufficient file protection in uninstall routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

2.1
2019-02-18 CVE-2019-0103 Intel Unspecified vulnerability in Intel Data Center Manager

Insufficient file protection in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

2.1
2019-02-18 CVE-2018-12159 Intel Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel Proset/Wireless

Buffer overflow in the command-line interface for Intel(R) PROSet Wireless v20.50 and before may allow an authenticated user to potentially enable denial of service via local access.

2.1