Weekly Vulnerabilities Reports > March 4 to 10, 2019

Overview

326 new vulnerabilities reported during this period, including 43 critical vulnerabilities and 83 high severity vulnerabilities. This weekly summary report vulnerabilities in 220 products from 95 vendors including Microsoft, Apple, Uvnc, Cisco, and Opensuse. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Improper Input Validation", "Out-of-bounds Read", and "SQL Injection".

  • 279 reported vulnerabilities are remotely exploitables.
  • 24 reported vulnerabilities have public exploit available.
  • 94 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 246 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 86 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 19 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

43 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-07 CVE-2019-9121 Motorola OS Command Injection vulnerability in Motorola C1 Firmware and M2 Firmware

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively.

10.0
2019-03-07 CVE-2019-9120 Motorola OS Command Injection vulnerability in Motorola C1 Firmware and M2 Firmware

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively.

10.0
2019-03-07 CVE-2019-9119 Motorola OS Command Injection vulnerability in Motorola C1 Firmware and M2 Firmware

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively.

10.0
2019-03-07 CVE-2019-9118 Motorola OS Command Injection vulnerability in Motorola C1 Firmware and M2 Firmware

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively.

10.0
2019-03-07 CVE-2019-9117 Motorola OS Command Injection vulnerability in Motorola C1 Firmware and M2 Firmware

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively.

10.0
2019-03-05 CVE-2019-6563 Moxa Information Exposure vulnerability in Moxa products

Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator's password, which could lead to a full compromise of the device.

10.0
2019-03-05 CVE-2018-19725 Adobe
Apple
Microsoft
Improper Privilege Management vulnerability in Adobe Acrobat DC and Acrobat Reader DC

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a security bypass vulnerability.

10.0
2019-03-08 CVE-2019-1003034 Jenkins
Redhat
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.
9.9
2019-03-08 CVE-2019-1003032 Jenkins Unspecified vulnerability in Jenkins Email Extension

A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.

9.9
2019-03-08 CVE-2019-1003031 Jenkins
Redhat
A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
9.9
2019-03-08 CVE-2019-1003030 Jenkins
Redhat
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
9.9
2019-03-08 CVE-2019-1003029 Jenkins
Redhat
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
9.9
2019-03-08 CVE-2019-9636 Python
Fedoraproject
Opensuse
Debian
Canonical
Redhat
Oracle
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization.
9.8
2019-03-08 CVE-2019-9631 Freedesktop
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.

9.8
2019-03-07 CVE-2019-0192 Apache
Netapp
Deserialization of Untrusted Data vulnerability in multiple products

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request.

9.8
2019-03-05 CVE-2019-3918 Nokia Use of Hard-coded Credentials vulnerability in Nokia I-240W-Q Gpon ONT Firmware 3Fe54567Bozj19

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 contains multiple hard coded credentials for the Telnet and SSH interfaces.

9.8
2019-03-05 CVE-2019-6557 Moxa Classic Buffer Overflow vulnerability in Moxa products

Several buffer overflow vulnerabilities have been identified in Moxa IKS and EDS, which may allow remote code execution.

9.8
2019-03-05 CVE-2019-4032 IBM SQL Injection vulnerability in IBM Financial Transaction Manager

IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.1.0 is vulnerable to SQL injection.

9.8
2019-03-08 CVE-2018-20236 Atlassian Command Injection vulnerability in Atlassian Sourcetree

There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling.

9.3
2019-03-05 CVE-2019-0728 Microsoft Code Injection vulnerability in Microsoft Visual Studio Code

A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project, aka 'Visual Studio Code Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0724 Microsoft Unspecified vulnerability in Microsoft Exchange Server

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'.

9.3
2019-03-05 CVE-2019-0675 Microsoft Unspecified vulnerability in Microsoft Office 2010

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0674 Microsoft Unspecified vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0673 Microsoft Unspecified vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0672 Microsoft Unspecified vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0671 Microsoft Unspecified vulnerability in Microsoft Office and Office 365 Proplus

A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0662 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0625 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0618 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0613 Microsoft Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft .Net Framework and Visual Studio 2017

A remote code execution vulnerability exists in .NET Framework and Visual Studio software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework and Visual Studio Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0599 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0598 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0597 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0596 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-0595 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

9.3
2019-03-05 CVE-2019-6218 Apple Out-of-bounds Write vulnerability in Apple Iphone OS, mac OS X and Tvos

A memory corruption issue was addressed with improved input validation.

9.3
2019-03-05 CVE-2019-6213 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A buffer overflow was addressed with improved bounds checking.

9.3
2019-03-05 CVE-2019-6210 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

9.3
2019-03-05 CVE-2019-6522 Moxa Out-of-bounds Read vulnerability in Moxa products

Moxa IKS and EDS fails to properly check array bounds which may allow an attacker to read device memory on arbitrary addresses, and may allow an attacker to retrieve sensitive data or cause device reboot.

9.1
2019-03-08 CVE-2018-20235 Atlassian Unspecified vulnerability in Atlassian Sourcetree

There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories.

9.0
2019-03-08 CVE-2018-20234 Atlassian Argument Injection or Modification vulnerability in Atlassian Sourcetree

There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories.

9.0
2019-03-05 CVE-2019-0633 Microsoft Data Processing Errors vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'.

9.0
2019-03-05 CVE-2019-0630 Microsoft Data Processing Errors vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'.

9.0

83 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-08 CVE-2019-1003039 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Appdynamics

An insufficiently protected credentials vulnerability exists in JenkinsAppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them.

8.8
2019-03-08 CVE-2019-1003033 Jenkins Unspecified vulnerability in Jenkins Groovy

A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

8.8
2019-03-05 CVE-2019-3920 Nokia Command Injection vulnerability in Nokia I-240W-Q Gpon ONT Firmware 3Fe54567Bozj19

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to authenticated command injection via crafted HTTP request sent by a remote, authenticated attacker to /GponForm/device_Form?script/.

8.8
2019-03-05 CVE-2019-3919 Nokia Command Injection vulnerability in Nokia I-240W-Q Gpon ONT Firmware 3Fe54567Bozj19

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to command injection via crafted HTTP request sent by a remote, authenticated attacker to /GponForm/usb_restore_Form?script/.

8.8
2019-03-05 CVE-2019-6561 Moxa Cross-Site Request Forgery (CSRF) vulnerability in Moxa products

Cross-site request forgery has been identified in Moxa IKS and EDS, which may allow for the execution of unauthorized actions on the device.

8.8
2019-03-07 CVE-2018-18808 Tibco Race Condition vulnerability in Tibco products

The domain management component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a race-condition vulnerability that may allow any users with domain save privileges to gain superuser privileges.

8.5
2019-03-07 CVE-2019-3712 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell WES Wyse Device Agent versions prior to 14.1.2.9 and Dell Wyse ThinLinux HAgent versions prior to 5.4.55 00.10 contain a buffer overflow vulnerability.

8.3
2019-03-08 CVE-2019-1003038 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Repository Connector

An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g.

7.8
2019-03-07 CVE-2019-1599 Cisco Resource Management Errors vulnerability in Cisco Nx-Os

A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.

7.8
2019-03-06 CVE-2019-9599 Airdroid Improper Input Validation vulnerability in Airdroid

The AirDroid application through 4.2.1.6 for Android allows remote attackers to cause a denial of service (service crash) via many simultaneous sdctl/comm/lite_auth/ requests.

7.8
2019-03-05 CVE-2018-19639 Opensuse Unspecified vulnerability in Opensuse Supportutils 3.0.1095.51.1

If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g.

7.8
2019-03-05 CVE-2018-19636 Opensuse Improper Input Validation vulnerability in Opensuse Supportutils 3.0.1095.51.1

Supportutils, before version 3.1-5.7.1, when run with command line argument -A searched the file system for a ndspath binary.

7.8
2019-03-05 CVE-2019-0655 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0652 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0651 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0650 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka 'Microsoft Edge Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0645 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka 'Microsoft Edge Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0644 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0642 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0640 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0634 Microsoft Out-of-bounds Write vulnerability in Microsoft Edge

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka 'Microsoft Edge Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0610 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0607 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0606 Microsoft Out-of-bounds Write vulnerability in Microsoft Internet Explorer 11

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka 'Internet Explorer Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0605 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0593 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0591 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-05 CVE-2019-0590 Microsoft Out-of-bounds Write vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2019-03-09 CVE-2019-9641 PHP
Debian
Canonical
Opensuse
Netapp
Use of Uninitialized Resource vulnerability in multiple products

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3.

7.5
2019-03-08 CVE-2019-8280 Uvnc Out-of-bounds Write vulnerability in Uvnc Ultravnc

UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside RAW decoder, which can potentially result code execution.

7.5
2019-03-08 CVE-2019-8275 Uvnc
Siemens
UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of-bound data being accessed by remote users.
7.5
2019-03-08 CVE-2019-8274 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, which can potentially in result code execution.

7.5
2019-03-08 CVE-2019-8273 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler, which can potentially result in code execution.

7.5
2019-03-08 CVE-2019-8272 Uvnc
Siemens
Off-by-one Error vulnerability in multiple products

UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution.

7.5
2019-03-08 CVE-2019-8271 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which can potentially result code execution.

7.5
2019-03-08 CVE-2019-8268 Uvnc
Siemens
Off-by-one Error vulnerability in multiple products

UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of ClientConnection::ReadString function, which can potentially result code execution.

7.5
2019-03-08 CVE-2019-8266 Uvnc Out-of-bounds Read vulnerability in Uvnc Ultravnc

UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of ClientConnection::Copybuffer function in VNC client code, which can potentially result in code execution.

7.5
2019-03-08 CVE-2019-8265 Uvnc Out-of-bounds Write vulnerability in Uvnc Ultravnc

UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of SETPIXELS macro in VNC client code, which can potentially result in code execution.

7.5
2019-03-08 CVE-2019-8264 Uvnc Out-of-bounds Write vulnerability in Uvnc Ultravnc

UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which can potentially result in code execution.

7.5
2019-03-08 CVE-2017-3164 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Solr

Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive).

7.5
2019-03-07 CVE-2018-17988 Layerbb SQL Injection vulnerability in Layerbb 1.1.1/1.1.3

LayerBB 1.1.1 and 1.1.3 has SQL Injection via the search.php search_query parameter.

7.5
2019-03-07 CVE-2018-17412 Zzcms SQL Injection vulnerability in Zzcms 8.3

zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header.

7.5
2019-03-07 CVE-2018-16809 Dolibarr SQL Injection vulnerability in Dolibarr

An issue was discovered in Dolibarr through 7.0.0.

7.5
2019-03-07 CVE-2018-18815 Tibco Incorrect Authorization vulnerability in Tibco products

The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server.

7.5
2019-03-07 CVE-2019-5019 Rainbowpdf Out-of-bounds Write vulnerability in Rainbowpdf Office Server Document Converter 7.0

A heap-based overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro R1 (7,0,2018,1113).

7.5
2019-03-07 CVE-2019-1598 Cisco Improper Input Validation vulnerability in Cisco Firepower Extensible Operating System and Nx-Os

Multiple vulnerabilities in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

7.5
2019-03-07 CVE-2019-1597 Cisco Improper Input Validation vulnerability in Cisco Firepower Extensible Operating System and Nx-Os

Multiple vulnerabilities in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

7.5
2019-03-07 CVE-2018-11783 Apache Information Exposure vulnerability in Apache Traffic Server

sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin.

7.5
2019-03-07 CVE-2019-9626 Phpshe SQL Injection vulnerability in PHPshe 1.7

PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.

7.5
2019-03-07 CVE-2019-9623 Fengoffice Unrestricted Upload of File with Dangerous Type vulnerability in Fengoffice Feng Office 3.7.0.5

Feng Office 3.7.0.5 allows remote attackers to execute arbitrary code via "<!--#exec cmd=" in a .shtml file to ck_upload_handler.php.

7.5
2019-03-06 CVE-2019-0200 Apache Unspecified vulnerability in Apache Qpid Broker-J

A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10).

7.5
2019-03-06 CVE-2019-0187 Apache Deserialization of Untrusted Data vulnerability in Apache Jmeter 4.0/5.0

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options).

7.5
2019-03-06 CVE-2019-9594 Bluecms Project SQL Injection vulnerability in Bluecms Project Bluecms 1.6

BlueCMS 1.6 allows SQL Injection via the user_id parameter in an uploads/admin/user.php?act=edit request.

7.5
2019-03-05 CVE-2019-9578 Yubico Use of Uninitialized Resource vulnerability in Yubico Libu2F-Host

In devs.c in Yubico libu2f-host before 1.1.8, the response to init is misparsed, leaking uninitialized stack memory back to the device.

7.5
2019-03-05 CVE-2019-0729 Microsoft Insufficient Entropy in PRNG vulnerability in Microsoft Java Software Development KIT

An Elevation of Privilege vulnerability exists in the way Azure IoT Java SDK generates symmetric keys for encryption, allowing an attacker to predict the randomness of the key, aka 'Azure IoT Java SDK Elevation of Privilege Vulnerability'.

7.5
2019-03-05 CVE-2019-0626 Microsoft Out-of-bounds Write vulnerability in Microsoft products

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

7.5
2019-03-05 CVE-2019-0604 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.

7.5
2019-03-05 CVE-2019-3922 Nokia Out-of-bounds Write vulnerability in Nokia I-240W-Q Gpon ONT Firmware 3Fe54567Bozj19

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to a stack buffer overflow via crafted HTTP POST request sent by a remote, unauthenticated attacker to /GponForm/fsetup_Form.

7.5
2019-03-05 CVE-2018-11793 Apache Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Mesos

When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion.

7.5
2019-03-05 CVE-2019-8262 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1203 has multiple heap buffer overflow vulnerabilities in VNC client code inside Ultra decoder, which results in code execution.

7.5
2019-03-05 CVE-2019-8261 Uvnc Out-of-bounds Read vulnerability in Uvnc Ultravnc

UltraVNC revision 1199 has a out-of-bounds read vulnerability in VNC code inside client CoRRE decoder, caused by multiplication overflow.

7.5
2019-03-05 CVE-2019-8260 Uvnc Out-of-bounds Read vulnerability in Uvnc Ultravnc

UltraVNC revision 1199 has a out-of-bounds read vulnerability in VNC client RRE decoder code, caused by multiplication overflow.

7.5
2019-03-05 CVE-2019-8258 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1198 has a heap buffer overflow vulnerability in VNC client code which results code execution.

7.5
2019-03-05 CVE-2018-15361 Uvnc Out-of-bounds Write vulnerability in Uvnc Ultravnc

UltraVNC revision 1198 has a buffer underflow vulnerability in VNC client code, which can potentially result in code execution.

7.5
2019-03-04 CVE-2019-6235 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

7.5
2019-03-04 CVE-2019-9566 Flarumchina SQL Injection vulnerability in Flarumchina 0.1.0

FlarumChina v0.1.0-beta.7C has SQL injection via a /?q= request.

7.5
2019-03-04 CVE-2019-9552 Eloan Project Path Traversal vulnerability in Eloan Project Eloan 20180920/3.0

Eloan V3.0 through 2018-09-20 allows remote attackers to list files via a direct request to the p2p/api/ or p2p/lib/ or p2p/images/ URI.

7.5
2019-03-06 CVE-2019-1543 Openssl Use of Insufficiently Random Values vulnerability in Openssl

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation.

7.4
2019-03-08 CVE-2019-5015 Pixar Unspecified vulnerability in Pixar Renderman 22.3.0

A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0's Install Helper helper tool.

7.2
2019-03-08 CVE-2019-1609 Cisco Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-03-08 CVE-2019-1608 Cisco Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-03-08 CVE-2019-1607 Cisco Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-03-08 CVE-2019-1606 Cisco Command Injection vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

7.2
2019-03-08 CVE-2019-1605 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary code as root.

7.2
2019-03-08 CVE-2018-4054 Pixar Improper Input Validation vulnerability in Pixar Renderman 22.2.0

A local privilege escalation vulnerability exists in the install helper tool of the Mac OS X version of Pixar Renderman, version 22.2.0.

7.2
2019-03-08 CVE-2019-1604 Cisco Improper Authorization vulnerability in Cisco Nx-Os

A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device.

7.2
2019-03-08 CVE-2019-1602 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Nx-Os

A vulnerability in the filesystem permissions of Cisco NX-OS Software could allow an authenticated, local attacker to access sensitive data that could be used to elevate their privileges to administrator.

7.2
2019-03-08 CVE-2019-1601 Cisco Improper Access Control vulnerability in Cisco Nx-Os

A vulnerability in the filesystem permissions of Cisco NX-OS Software could allow an authenticated, local attacker to gain read and write access to a critical configuration file.

7.2
2019-03-07 CVE-2019-1596 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Nx-Os

A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to escalate their privilege level to root.

7.2
2019-03-06 CVE-2019-1593 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Nx-Os

A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to escalate their privilege level by executing commands authorized to other user roles.

7.2
2019-03-06 CVE-2019-1591 Cisco Command Injection vulnerability in Cisco Nx-Os

A vulnerability in a specific CLI command implementation of Cisco Nexus 9000 Series ACI Mode Switch Software could allow an authenticated, local attacker to escape a restricted shell on an affected device.

7.2
2019-03-06 CVE-2019-1585 Cisco Configuration vulnerability in Cisco products

A vulnerability in the controller authorization functionality of Cisco Nexus 9000 Series ACI Mode Switch Software could allow an authenticated, local attacker to escalate standard users with root privilege on an affected device.

7.2
2019-03-05 CVE-2019-0623 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2

172 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-08 CVE-2019-9627 Cyberark Out-of-bounds Write vulnerability in Cyberark Endpoint Privilege Manager 10.2.1.603

A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path.

6.9
2019-03-05 CVE-2019-0656 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

6.9
2019-03-08 CVE-2019-9634 Golang Uncontrolled Search Path Element vulnerability in Golang GO

Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.

6.8
2019-03-07 CVE-2019-8437 Njiandan CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Njiandan-Cms Project Njiandan-Cms 20130522/20130523

njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to add an administrator.

6.8
2019-03-07 CVE-2019-6710 Zyxel Cross-Site Request Forgery (CSRF) vulnerability in Zyxel Nbg-418N Firmware 1.00(Aaxm.6)C0

Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF.

6.8
2019-03-07 CVE-2018-18449 Phome Cross-Site Request Forgery (CSRF) vulnerability in Phome Empirecms 7.5

EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339.

6.8
2019-03-07 CVE-2018-17429 Jtbc Cross-Site Request Forgery (CSRF) vulnerability in Jtbc 3.0

/console/account/manage.php?type=action&action=add in JTBC v3.0(C) has CSRF for adding an administrator account.

6.8
2019-03-07 CVE-2017-12447 Gnome
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gnome Gdk-Pixbuf and Nautilus

GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.

6.8
2019-03-07 CVE-2013-7468 Simplemachines Code Injection vulnerability in Simplemachines Simple Machines Forum 2.0.4

Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter.

6.8
2019-03-07 CVE-2019-9625 Directadmin Cross-Site Request Forgery (CSRF) vulnerability in Directadmin 1.55

JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account.

6.8
2019-03-07 CVE-2019-9624 Webmin Improper Privilege Management vulnerability in Webmin 1.900

Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI.

6.8
2019-03-06 CVE-2019-9589 Glyphandcog NULL Pointer Dereference vulnerability in Glyphandcog Xpdfreader 4.01

There is a NULL pointer dereference vulnerability in PSOutputDev::setupResources() located in PSOutputDev.cc in Xpdf 4.01.

6.8
2019-03-06 CVE-2019-9588 Glyphandcog Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Glyphandcog Xpdfreader 4.01

There is an Invalid memory access in gAtomicIncrement() located at GMutex.h in Xpdf 4.01.

6.8
2019-03-06 CVE-2019-9587 Glyphandcog Resource Exhaustion vulnerability in Glyphandcog Xpdfreader 4.01

There is a stack consumption issue in md5Round1() located in Decrypt.cc in Xpdf 4.01.

6.8
2019-03-05 CVE-2019-8336 Hashicorp Unspecified vulnerability in Hashicorp Consul 1.4.0/1.4.1/1.4.2

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances.

6.8
2019-03-05 CVE-2019-0649 Microsoft Unspecified vulnerability in Microsoft Chakracore and Edge

A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting Engine Elevation of Privileged Vulnerability'.

6.8
2019-03-05 CVE-2019-6234 Apple
Microsoft
Webkitgtk
Out-of-bounds Write vulnerability in multiple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6233 Apple
Microsoft
Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6230 Apple Improper Initialization vulnerability in Apple products

A memory initialization issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6227 Apple
Microsoft
Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6226 Apple
Microsoft
Out-of-bounds Write vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6225 Apple Out-of-bounds Write vulnerability in Apple Iphone OS, mac OS X and Tvos

A memory corruption issue was addressed with improved validation.

6.8
2019-03-05 CVE-2019-6224 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A buffer overflow issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6221 Apple
Microsoft
Out-of-bounds Read vulnerability in Apple Iphone OS, Itunes and mac OS X

An out-of-bounds read was addressed with improved bounds checking.

6.8
2019-03-05 CVE-2019-6217 Apple
Microsoft
Out-of-bounds Write vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6216 Apple
Microsoft
Out-of-bounds Write vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6215 Apple
Microsoft
Canonical
Type Confusion vulnerability in multiple products

A type confusion issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6214 Apple Type Confusion vulnerability in Apple products

A type confusion issue was addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6212 Apple
Microsoft
Canonical
Out-of-bounds Write vulnerability in multiple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-03-05 CVE-2019-6211 Apple Out-of-bounds Write vulnerability in Apple Iphone OS and mac OS X

A memory corruption issue was addressed with improved state management.

6.8
2019-03-05 CVE-2019-6205 Apple Out-of-bounds Write vulnerability in Apple Iphone OS, mac OS X and Tvos

A memory corruption issue was addressed with improved lock state checking.

6.8
2019-03-05 CVE-2019-6202 Apple Out-of-bounds Read vulnerability in Apple Iphone OS, mac OS X and Watchos

An out-of-bounds read was addressed with improved bounds checking.

6.8
2019-03-08 CVE-2019-1003037 Jenkins Missing Authorization vulnerability in Jenkins Azure VM Agents

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

6.5
2019-03-08 CVE-2019-3780 Cloudfoundry Insufficiently Protected Credentials vulnerability in Cloudfoundry Container Runtime

Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contains a configuration file with IAAS credentials.

6.5
2019-03-07 CVE-2019-9185 Boltcms Unrestricted Upload of File with Dangerous Type vulnerability in Boltcms Bolt

Controller/Async/FilesystemManager.php in the filemanager in Bolt before 3.6.5 allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file to have a .php extension.

6.5
2019-03-07 CVE-2018-17420 Zrlog SQL Injection vulnerability in Zrlog 2.0.3

An issue was discovered in ZrLog 2.0.3.

6.5
2019-03-07 CVE-2018-17418 Monstra Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4

Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.

6.5
2019-03-07 CVE-2018-17416 Zzcms SQL Injection vulnerability in Zzcms 8.3

A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.

6.5
2019-03-07 CVE-2018-17415 Zzcms SQL Injection vulnerability in Zzcms 8.3

zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter.

6.5
2019-03-07 CVE-2018-17414 Zzcms SQL Injection vulnerability in Zzcms 8.3

zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.

6.5
2019-03-07 CVE-2018-14498 Mozilla
Libjpeg Turbo
Fedoraproject
Debian
Opensuse
Out-of-bounds Read vulnerability in multiple products

get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

6.5
2019-03-07 CVE-2013-7466 Simplemachines Path Traversal vulnerability in Simplemachines Simple Machines Forum 2.0.4

Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation.

6.5
2019-03-07 CVE-2018-18809 Tibco Path Traversal vulnerability in Tibco products

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system.

6.5
2019-03-06 CVE-2019-9617 Ofcms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9616 Ofcms Project Use of Incorrectly-Resolved Name or Reference vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9615 Ofcms Project SQL Injection vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9614 Ofcms Project Improper Input Validation vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9613 Ofcms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9612 Ofcms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9609 Ofcms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9608 Ofcms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

6.5
2019-03-06 CVE-2019-9581 Twinkletoessoftware Unrestricted Upload of File with Dangerous Type vulnerability in Twinkletoessoftware Booked 2.7.5

phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.

6.5
2019-03-05 CVE-2019-0668 Microsoft Cross-site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2013/2016

An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Elevation of Privilege Vulnerability'.

6.5
2019-03-05 CVE-2019-0594 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.

6.5
2019-03-05 CVE-2019-3921 Nokia Out-of-bounds Write vulnerability in Nokia I-240W-Q Gpon ONT Firmware 3Fe54567Bozj19

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to a stack buffer overflow via crafted HTTP POST request sent by a remote, authenticated attacker to /GponForm/usb_Form?script/.

6.5
2019-03-05 CVE-2019-6559 Moxa Resource Exhaustion vulnerability in Moxa products

Moxa IKS and EDS allow remote authenticated users to cause a denial of service via a specially crafted packet, which may cause the switch to crash.

6.5
2019-03-05 CVE-2019-6528 Psigridconnect Cross-site Scripting vulnerability in Psigridconnect products

PSI GridConnect GmbH Telecontrol Gateway and Smart Telecontrol Unit family, IEC104 Security Proxy versions Telecontrol Gateway 3G Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Telecontrol Gateway XS-MU Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Telecontrol Gateway VM Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior, and Smart Telecontrol Unit TCG Versions 5.0.27, 5.1.19, 6.0.16 and prior, and IEC104 Security Proxy Version 2.2.10 and prior The web application browser interprets input as active HTML, JavaScript, or VBScript, which could allow an attacker to execute arbitrary code.

6.5
2019-03-05 CVE-2019-9572 Schoolcms Unrestricted Upload of File with Dangerous Type vulnerability in Schoolcms 2.3.1

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header.

6.5
2019-03-04 CVE-2019-9568 Incsub SQL Injection vulnerability in Incsub Forminator

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.

6.5
2019-03-07 CVE-2019-3778 Pivotal Software
Oracle
Open Redirect vulnerability in multiple products

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code.

6.4
2019-03-04 CVE-2019-9565 Druide Unspecified vulnerability in Druide Antidote 10.0/8.0/9.0

Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 allows remote attackers to steal NTLM hashes or perform SMB relay attacks upon a direct launch of the product, or upon an indirect launch via an integration such as Chrome, Firefox, Word, Outlook, etc.

6.4
2019-03-06 CVE-2019-1595 Cisco Improper Control of Dynamically-Managed Code Resources vulnerability in Cisco Nx-Os

A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

6.1
2019-03-06 CVE-2019-1594 Cisco Improper Input Validation vulnerability in Cisco Nx-Os

A vulnerability in the 802.1X implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

6.1
2019-03-06 CVE-2019-9593 Mitel Cross-site Scripting vulnerability in Mitel Connect Onsite 18.82.2000.0

A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 18.82.2000.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter.

6.1
2019-03-06 CVE-2019-9592 Mitel Cross-site Scripting vulnerability in Mitel Connect Onsite 19.45.1602.0

A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 19.45.1602.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

6.1
2019-03-06 CVE-2019-9591 Mitel Cross-site Scripting vulnerability in Mitel Connect Onsite 18.82.2000.0/19.45.1602.0

A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter.

6.1
2019-03-05 CVE-2019-6565 Moxa Cross-site Scripting vulnerability in Moxa products

Moxa IKS and EDS fails to properly validate user input, giving unauthenticated and authenticated attackers the ability to perform XSS attacks, which may be used to send a malicious script.

6.1
2019-03-04 CVE-2019-9567 Incsub Cross-site Scripting vulnerability in Incsub Forminator

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

6.1
2019-03-05 CVE-2019-4063 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 Standard Edition could allow highly sensitive information to be transmitted in plain text.

5.9
2019-03-07 CVE-2018-17422 Dotcms Open Redirect vulnerability in Dotcms

dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.

5.8
2019-03-06 CVE-2019-9603 1234N Cross-Site Request Forgery (CSRF) vulnerability in 1234N Minicms 1.10

MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891.

5.8
2019-03-05 CVE-2019-0686 Microsoft Unspecified vulnerability in Microsoft Exchange Server

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'.

5.8
2019-03-05 CVE-2019-0670 Microsoft Improper Input Validation vulnerability in Microsoft products

A spoofing vulnerability exists in Microsoft SharePoint when the application does not properly parse HTTP content, aka 'Microsoft SharePoint Spoofing Vulnerability'.

5.8
2019-03-05 CVE-2018-1939 IBM Open Redirect vulnerability in IBM Cloud Private 3.1.1

IBM Cloud Private 3.1.1 could allow a remote attacker to conduct phishing attacks, using an open redirect attack.

5.8
2019-03-05 CVE-2018-1875 IBM Open Redirect vulnerability in IBM products

IBM InfoSphere Information Governance Catalog 11.3, 11.5, and 11.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack.

5.8
2019-03-05 CVE-2019-6200 Apple Out-of-bounds Read vulnerability in Apple Iphone OS and mac OS X

An out-of-bounds read was addressed with improved input validation.

5.8
2019-03-05 CVE-2019-0635 Microsoft Improper Input Validation vulnerability in Microsoft products

An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Information Disclosure Vulnerability'.

5.5
2019-03-05 CVE-2019-9213 Linux
Debian
Redhat
Opensuse
Canonical
NULL Pointer Dereference vulnerability in multiple products

In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms.

5.5
2019-03-05 CVE-2018-19640 Opensuse Improper Input Validation vulnerability in Opensuse Supportutils 3.0.1095.51.1

If the attacker manages to create files in the directory used to collect log files in supportutils before version 3.1-5.7.1 (e.g.

5.5
2019-03-05 CVE-2018-19637 Opensuse Link Following vulnerability in Opensuse Supportutils 3.0.1095.51.1

Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection

5.5
2019-03-06 CVE-2019-4030 IBM Cross-site Scripting vulnerability in IBM products

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting.

5.4
2019-03-05 CVE-2019-4029 IBM Cross-site Scripting vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 is vulnerable to cross-site scripting.

5.4
2019-03-05 CVE-2019-4028 IBM Cross-site Scripting vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 is vulnerable to cross-site scripting.

5.4
2019-03-05 CVE-2019-4027 IBM Cross-site Scripting vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 is vulnerable to cross-site scripting.

5.4
2019-03-09 CVE-2019-9640 PHP
Canonical
Debian
Opensuse
Netapp
Redhat
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3.

5.0
2019-03-09 CVE-2019-9639 PHP
Debian
Canonical
Opensuse
Netapp
Redhat
Missing Initialization of Resource vulnerability in multiple products

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3.

5.0
2019-03-09 CVE-2019-9638 PHP
Debian
Canonical
Opensuse
Netapp
Redhat
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3.

5.0
2019-03-09 CVE-2019-9637 PHP
Debian
Canonical
Opensuse
Netapp
Permissions, Privileges, and Access Controls vulnerability in PHP

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3.

5.0
2019-03-08 CVE-2019-8277 Uvnc
Siemens
Improper Initialization vulnerability in multiple products

UltraVNC revision 1211 contains multiple memory leaks (CWE-665) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure.

5.0
2019-03-08 CVE-2019-8276 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1211 has a stack buffer overflow vulnerability in VNC server code inside file transfer request handler, which can result in Denial of Service (DoS).

5.0
2019-03-08 CVE-2019-8270 Uvnc Out-of-bounds Read vulnerability in Uvnc Ultravnc

UltraVNC revision 1210 has out-of-bounds read vulnerability in VNC client code inside Ultra decoder, which results in a denial of service (DoS) condition.

5.0
2019-03-08 CVE-2019-8269 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1206 has stack-based Buffer overflow vulnerability in VNC client code inside FileTransfer module, which leads to a denial of service (DoS) condition.

5.0
2019-03-08 CVE-2019-8267 Uvnc Out-of-bounds Read vulnerability in Uvnc Ultravnc

UltraVNC revision 1207 has out-of-bounds read vulnerability in VNC client code inside TextChat module, which results in a denial of service (DoS) condition.

5.0
2019-03-08 CVE-2019-9632 Esafenet Unspecified vulnerability in Esafenet Electronic Document Security Management System V3/V5

ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability via the fileName parameter in download.jsp because the InstallationPack parameter is mishandled in a /CDGServer3/ClientAjax request.

5.0
2019-03-07 CVE-2019-7175 Imagemagick
Opensuse
Debian
Canonical
Memory Leak vulnerability in multiple products

In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.

5.0
2019-03-07 CVE-2018-17419 DNS Library Project NULL Pointer Dereference vulnerability in DNS Library Project DNS Library

An issue was discovered in setTA in scan_rr.go in the Miek Gieben DNS library before 1.0.10 for Go.

5.0
2019-03-07 CVE-2019-3777 Pivotal Software Improper Certificate Validation vulnerability in Pivotal Software Application Service

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs.

5.0
2019-03-06 CVE-2019-9607 Medical Store Script Project Path Traversal vulnerability in Medical Store Script Project Medical Store Script 3.0.3

PHP Scripts Mall Medical Store Script 3.0.3 allows Path Traversal by navigating to the parent directory of a jpg or png file.

5.0
2019-03-06 CVE-2019-9601 Apowersoft Improper Input Validation vulnerability in Apowersoft Apowermanager 3.1.7

The ApowerManager application through 3.1.7 for Android allows remote attackers to cause a denial of service via many simultaneous /?Key=PhoneRequestAuthorization requests.

5.0
2019-03-06 CVE-2019-9600 Theolivetree Improper Input Validation vulnerability in Theolivetree FTP Server

The Olive Tree FTP Server (aka com.theolivetree.ftpserver) application through 1.32 for Android allows remote attackers to cause a denial of service via a client that makes many connection attempts and drops certain packets.

5.0
2019-03-06 CVE-2019-9590 Tengcon Improper Input Validation vulnerability in Tengcon T-920 PLC Firmware 5.5

An issue was discovered on TENGCONTROL T-920 PLC v5.5 devices.

5.0
2019-03-05 CVE-2019-9555 Sagemcom Insufficient Entropy vulnerability in Sagemcom F@St 5260 Firmware 0.4.39

Sagemcom F@st 5260 routers using firmware version 0.4.39, in WPA mode, default to using a PSK that is generated from a 2-part wordlist of known values and a nonce with insufficient entropy.

5.0
2019-03-05 CVE-2019-0741 Microsoft Information Exposure Through Log Files vulnerability in Microsoft Java Software Development KIT

An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka 'Azure IoT Java SDK Information Disclosure Vulnerability'.

5.0
2019-03-05 CVE-2019-0637 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists when Windows Defender Firewall incorrectly applies firewall profiles to cellular network connections, aka 'Windows Defender Firewall Security Feature Bypass Vulnerability'.

5.0
2019-03-05 CVE-2019-9574 Mishubd Missing Authorization vulnerability in Mishubd WP Human Resource Management

The WP Human Resource Management plugin before 2.2.6 for WordPress does not ensure that a leave modification occurs in the context of the Administrator or HR Manager role.

5.0
2019-03-05 CVE-2019-9573 Mishubd Data Processing Errors vulnerability in Mishubd WP Human Resource Management

The WP Human Resource Management plugin before 2.2.6 for WordPress mishandles leave applications.

5.0
2019-03-05 CVE-2019-3917 Nokia Forced Browsing vulnerability in Nokia I-240W-Q Gpon ONT Firmware 3Fe54567Bozj19

The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 allows a remote, unauthenticated attacker to enable telnetd on the router via a crafted HTTP request.

5.0
2019-03-05 CVE-2019-6524 Moxa Improper Restriction of Excessive Authentication Attempts vulnerability in Moxa products

Moxa IKS and EDS do not implement sufficient measures to prevent multiple failed authentication attempts, which may allow an attacker to discover passwords via brute force attack.

5.0
2019-03-05 CVE-2019-6520 Moxa Unspecified vulnerability in Moxa products

Moxa IKS and EDS does not properly check authority on server side, which results in a read-only user being able to perform arbitrary configuration changes.

5.0
2019-03-05 CVE-2019-6518 Moxa Missing Encryption of Sensitive Data vulnerability in Moxa products

Moxa IKS and EDS store plaintext passwords, which may allow sensitive information to be read by someone with access to the device.

5.0
2019-03-05 CVE-2019-6223 Apple Unspecified vulnerability in Apple Iphone OS and mac OS X

A logic issue existed in the handling of Group FaceTime calls.

5.0
2019-03-05 CVE-2019-6219 Apple Improper Input Validation vulnerability in Apple Iphone OS, mac OS X and Watchos

A denial of service issue was addressed with improved validation.

5.0
2019-03-05 CVE-2019-8259 Uvnc
Siemens
Memory Leak vulnerability in multiple products

UltraVNC revision 1198 contains multiple memory leaks (CWE-655) in VNC client code, which allow an attacker to read stack memory and can be abused for information disclosure.

5.0
2019-03-04 CVE-2018-5482 Netapp Missing Encryption of Sensitive Data vulnerability in Netapp Snapcenter Server

NetApp SnapCenter Server prior to 4.1 does not set the secure flag for a sensitive cookie in an HTTPS session which can allow the transmission of the cookie in plain text over an unencrypted channel.

5.0
2019-03-04 CVE-2019-6206 Apple Information Exposure vulnerability in Apple Iphone OS

An issue existed with autofill resuming after it was canceled.

5.0
2019-03-04 CVE-2019-9563 Bluemind Data Processing Errors vulnerability in Bluemind

In BlueMind 3.5.x before 3.5.11 Hotfix 7 and 4.x before 4.0-beta3, the contact application mishandles temporary uploads.

5.0
2019-03-05 CVE-2018-19638 Opensuse Link Following vulnerability in Opensuse Supportutils 3.0.1095.51.1

In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.

4.7
2019-03-08 CVE-2019-1603 Cisco Improper Authorization vulnerability in Cisco Nx-Os

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to escalate lower-level privileges to the administrator level.

4.6
2019-03-05 CVE-2019-0632 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard, aka 'Windows Security Feature Bypass Vulnerability'.

4.6
2019-03-05 CVE-2019-0631 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard, aka 'Windows Security Feature Bypass Vulnerability'.

4.6
2019-03-05 CVE-2019-0627 Microsoft Unspecified vulnerability in Microsoft products

A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard, aka 'Windows Security Feature Bypass Vulnerability'.

4.6
2019-03-07 CVE-2019-1600 Cisco Incorrect Permission Assignment for Critical Resource vulnerability in Cisco Firepower Extensible Operating System and Nx-Os

A vulnerability in the file system permissions of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to access sensitive information that is stored in the file system of an affected system.

4.4
2019-03-05 CVE-2019-0659 Microsoft Unspecified vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations, aka 'Windows Storage Service Elevation of Privilege Vulnerability'.

4.4
2019-03-10 CVE-2019-9646 Codepeople Cross-site Scripting vulnerability in Codepeople Contact Form Email

The Contact Form Email plugin before 1.2.66 for WordPress allows wp-admin/admin.php item XSS, related to cp_admin_int_edition.inc.php in the "custom edition area."

4.3
2019-03-09 CVE-2019-9580 Stackstorm Cross-site Scripting vulnerability in Stackstorm

In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS.

4.3
2019-03-08 CVE-2019-1003036 Jenkins Missing Authorization vulnerability in Jenkins Azure VM Agents

A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.

4.3
2019-03-08 CVE-2019-1003035 Jenkins Missing Authorization vulnerability in Jenkins Azure VM Agents

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration.

4.3
2019-03-08 CVE-2018-20187 Botan Project Key Management Errors vulnerability in Botan Project Botan

A side-channel issue was discovered in Botan before 2.9.0.

4.3
2019-03-08 CVE-2019-9633 Gnome Improper Input Validation vulnerability in Gnome Glib 2.59.2

gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).

4.3
2019-03-07 CVE-2019-9598 Chshcms Cross-Site Request Forgery (CSRF) vulnerability in Chshcms Cscms 4.1

An issue was discovered in Cscms 4.1.0.

4.3
2019-03-07 CVE-2019-7661 Phpmywind Cross-site Scripting vulnerability in PHPmywind

An issue was discovered in PHPMyWind 5.5.

4.3
2019-03-07 CVE-2019-7660 Phpmywind Cross-site Scripting vulnerability in PHPmywind

An issue was discovered in PHPMyWind 5.5.

4.3
2019-03-07 CVE-2018-17421 Zrlog Cross-site Scripting vulnerability in Zrlog 2.0.3

An issue was discovered in ZrLog 2.0.3.

4.3
2019-03-07 CVE-2018-17413 Zzcms Cross-site Scripting vulnerability in Zzcms 8.3

XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter.

4.3
2019-03-07 CVE-2018-16808 Dolibarr Cross-site Scripting vulnerability in Dolibarr

An issue was discovered in Dolibarr through 7.0.0.

4.3
2019-03-07 CVE-2018-16804 Ucms Project Cross-site Scripting vulnerability in Ucms Project Ucms 1.4.6

An issue was discovered in UCMS 1.4.6.

4.3
2019-03-07 CVE-2018-14499 Hyphp Cross-site Scripting vulnerability in Hyphp Hybbs 2.2/20160308

An issue was found in HYBBS through 2016-03-08.

4.3
2019-03-07 CVE-2013-7467 Simplemachines Cross-site Scripting vulnerability in Simplemachines Simple Machines Forum 2.0.4

Simple Machines Forum (SMF) 2.0.4 allows XSS via the index.php?action=pm;sa=settings;save sa parameter.

4.3
2019-03-06 CVE-2019-9595 Appcms Cross-site Scripting vulnerability in Appcms 2.0.101

AppCMS 2.0.101 allows XSS via the upload/callback.php params parameter.

4.3
2019-03-05 CVE-2019-0676 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 10/11

An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.An attacker who successfully exploited this vulnerability could test for the presence of files on disk, aka 'Internet Explorer Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0669 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0664 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0660 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0658 Microsoft Unspecified vulnerability in Microsoft Chakracore and Edge

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0657 Microsoft Improper Input Validation vulnerability in Microsoft products

A vulnerability exists in certain .Net Framework API's and Visual Studio in the way they parse URL's, aka '.NET Framework and Visual Studio Spoofing Vulnerability'.

4.3
2019-03-05 CVE-2019-0654 Microsoft Unspecified vulnerability in Microsoft Edge and Internet Explorer

A spoofing vulnerability exists when Microsoft browsers improperly handles specific redirects, aka 'Microsoft Browser Spoofing Vulnerability'.

4.3
2019-03-05 CVE-2019-0648 Microsoft Unspecified vulnerability in Microsoft Edge

An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data.To exploit the vulnerability, an attacker must know the memory address of where the object was created.The update addresses the vulnerability by changing the way certain functions handle objects in memory, aka Scripting Engine Information Disclosure Vulnerability.

4.3
2019-03-05 CVE-2019-0643 Microsoft Unspecified vulnerability in Microsoft Edge

An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests, aka 'Microsoft Edge Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0641 Microsoft Unspecified vulnerability in Microsoft Edge

A security feature bypass vulnerability exists in Microsoft Edge handles whitelisting, aka 'Microsoft Edge Security Feature Bypass Vulnerability'.

4.3
2019-03-05 CVE-2019-0619 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0616 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0615 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0602 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'.

4.3
2019-03-05 CVE-2019-0540 Microsoft Open Redirect vulnerability in Microsoft products

A security feature bypass vulnerability exists when Microsoft Office does not validate URLs.An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials, aka 'Microsoft Office Security Feature Bypass Vulnerability'.

4.3
2019-03-05 CVE-2019-9576 Adenion Cross-site Scripting vulnerability in Adenion Blog2Social

The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS.

4.3
2019-03-05 CVE-2019-9575 Quizandsurveymaster Cross-site Scripting vulnerability in Quizandsurveymaster Quiz and Survey Master 6.0.4

The Quiz And Survey Master plugin 6.0.4 for WordPress allows wp-admin/admin.php?page=mlw_quiz_results quiz_id XSS.

4.3
2019-03-05 CVE-2019-6231 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

4.3
2019-03-05 CVE-2019-6229 Apple
Microsoft
Cross-site Scripting vulnerability in Apple products

A logic issue was addressed with improved validation.

4.3
2019-03-05 CVE-2019-6228 Apple Cross-site Scripting vulnerability in Apple Iphone OS and Safari

A cross-site scripting issue existed in Safari.

4.3
2019-03-05 CVE-2019-6220 Apple Out-of-bounds Read vulnerability in Apple mac OS X

An out-of-bounds read was addressed with improved input validation.

4.3
2019-03-05 CVE-2019-6209 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

4.3
2019-03-05 CVE-2019-6208 Apple Improper Initialization vulnerability in Apple Iphone OS, mac OS X and TV OS

A memory initialization issue was addressed with improved memory handling.

4.3
2019-03-05 CVE-2019-8263 Uvnc
Siemens
Out-of-bounds Write vulnerability in multiple products

UltraVNC revision 1205 has stack-based buffer overflow vulnerability in VNC client code inside ShowConnInfo routine, which leads to a denial of service (DoS) condition.

4.3
2019-03-08 CVE-2019-3779 Cloudfoundry Permissions, Privileges, and Access Controls vulnerability in Cloudfoundry Container Runtime

Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API.

4.0
2019-03-07 CVE-2019-8986 Tibco Unspecified vulnerability in Tibco Jasperreports Server

The SOAP API component vulnerability of TIBCO Software Inc.'s TIBCO JasperReports Server, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that may allow a malicious authenticated user to copy text files from the host operating system.

4.0
2019-03-07 CVE-2019-3784 Cloudfoundry Session Fixation vulnerability in Cloudfoundry Stratos

Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed.

4.0
2019-03-07 CVE-2019-3783 Cloudfoundry Insecure Default Initialization of Resource vulnerability in Cloudfoundry Stratos

Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret.

4.0
2019-03-07 CVE-2019-3775 Cloudfoundry Improper Authentication vulnerability in Cloudfoundry UAA Release

Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address.

4.0
2019-03-07 CVE-2019-9622 Ebrigade Path Traversal vulnerability in Ebrigade

eBrigade through 4.5 allows Arbitrary File Download via ../ directory traversal in the showfile.php file parameter, as demonstrated by reading the user-data/save/backup.sql file.

4.0
2019-03-06 CVE-2019-9611 Ofcms Project Path Traversal vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

4.0
2019-03-06 CVE-2019-9610 Ofcms Project Path Traversal vulnerability in Ofcms Project Ofcms

An issue was discovered in OFCMS before 1.1.3.

4.0
2019-03-06 CVE-2019-3824 Samba
Canonical
Debian
Out-of-bounds Read vulnerability in multiple products

A flaw was found in the way an LDAP search expression could crash the shared LDAP server process of a samba AD DC in samba before version 4.10.

4.0

28 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-07 CVE-2019-8440 Dilicms Cross-site Scripting vulnerability in Dilicms 2.4.0

An issue was discovered in DiliCMS 2.4.0.

3.5
2019-03-07 CVE-2019-8439 Dilicms Cross-site Scripting vulnerability in Dilicms 2.4.0

An issue was discovered in DiliCMS 2.4.0.

3.5
2019-03-07 CVE-2019-8438 Dilicms Cross-site Scripting vulnerability in Dilicms 2.4.0

An issue was discovered in DiliCMS 2.4.0.

3.5
2019-03-07 CVE-2018-17426 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0

WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in station" field under the index.php?m=core URI.

3.5
2019-03-07 CVE-2018-17425 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0

WUZHI CMS 4.1.0 has stored XSS via the "Membership Center" "I want to ask" "detailed description" field under the index.php?m=member URI.

3.5
2019-03-07 CVE-2018-18816 Tibco Cross-site Scripting vulnerability in Tibco products

The repository component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS contains a persistent cross site scripting vulnerability.

3.5
2019-03-07 CVE-2019-3781 Cloudfoundry Information Exposure vulnerability in Cloudfoundry Command Line Interface

Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on.

3.5
2019-03-07 CVE-2019-3776 Pivotal Software Cross-site Scripting vulnerability in Pivotal Software Operations Manager

Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability.

3.5
2019-03-06 CVE-2019-9606 Personal Video Collection Script Project Cross-site Scripting vulnerability in Personal Video Collection Script Project Personal Video Collection Script 4.0.4

PHP Scripts Mall Personal Video Collection Script 4.0.4 has Stored XSS via the "Update profile" feature.

3.5
2019-03-06 CVE-2018-1912 IBM Cross-site Scripting vulnerability in IBM Rational Doors Next Generation

IBM DOORS Next Generation (DNG/RRC) 6.0.2 through 6.0.6 is vulnerable to cross-site scripting.

3.5
2019-03-06 CVE-2018-1911 IBM Cross-site Scripting vulnerability in IBM Rational Doors Next Generation

IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.2 and 6.0 through 6.0.6 is vulnerable to cross-site scripting.

3.5
2019-03-05 CVE-2019-0743 Microsoft Cross-site Scripting vulnerability in Microsoft Team Foundation Server 2018

A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'.

3.5
2019-03-05 CVE-2019-0742 Microsoft Cross-site Scripting vulnerability in Microsoft Team Foundation Server 2018

A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka 'Team Foundation Server Cross-site Scripting Vulnerability'.

3.5
2019-03-05 CVE-2019-9570 Yzmcms Cross-site Scripting vulnerability in Yzmcms 5.2.0

An issue was discovered in YzmCMS 5.2.0.

3.5
2019-03-04 CVE-2017-15515 Netapp Cross-site Scripting vulnerability in Netapp Snapcenter Server

NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field.

3.5
2019-03-04 CVE-2019-9551 Wdoyo Cross-site Scripting vulnerability in Wdoyo Doyocms 2.3

An issue was discovered in DOYO (aka doyocms) 2.3 through 2015-05-06.

3.5
2019-03-05 CVE-2018-1899 IBM Unspecified vulnerability in IBM products

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an attacker to change one of the settings related to InfoSphere Business Glossary Anywhere due to improper access control.

3.3
2019-03-08 CVE-2018-4055 Pixar Improper Input Validation vulnerability in Pixar Renderman 22.2.0

A local privilege escalation vulnerability exists in the install helper tool of the Mac OS X version of Pixar Renderman, version 22.2.0.

2.1
2019-03-06 CVE-2019-1588 Cisco Improper Privilege Management vulnerability in Cisco Nx-Os

A vulnerability in the Cisco Nexus 9000 Series Fabric Switches running in Application-Centric Infrastructure (ACI) mode could allow an authenticated, local attacker to read arbitrary files on an affected device.

2.1
2019-03-05 CVE-2019-0663 Microsoft Improper Initialization vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-03-05 CVE-2019-0661 Microsoft Unspecified vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Server 2012

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-03-05 CVE-2019-0636 Microsoft Unspecified vulnerability in Microsoft products

An information vulnerability exists when Windows improperly discloses file information, aka 'Windows Information Disclosure Vulnerability'.

2.1
2019-03-05 CVE-2019-0628 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

2.1
2019-03-05 CVE-2019-0621 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2019-03-05 CVE-2018-1938 IBM Missing Encryption of Sensitive Data vulnerability in IBM Cloud Private 3.1.1

IBM Cloud Private 3.1.1 could alllow a local user with administrator privileges to intercept highly sensitive unencrypted data.

2.1
2019-03-05 CVE-2018-1937 IBM Missing Encryption of Sensitive Data vulnerability in IBM Cloud Private 3.1.1

IBM Cloud Private 3.1.1 could alllow a local user with administrator privileges to intercept highly sensitive unencrypted data.

2.1
2019-03-05 CVE-2019-0601 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Human Interface Devices (HID) component improperly handles objects in memory, aka 'HID Information Disclosure Vulnerability'.

1.9
2019-03-05 CVE-2019-0600 Microsoft Unspecified vulnerability in Microsoft products

An information disclosure vulnerability exists when the Human Interface Devices (HID) component improperly handles objects in memory, aka 'HID Information Disclosure Vulnerability'.

1.9