Weekly Vulnerabilities Reports > March 25 to 31, 2019

Overview

310 new vulnerabilities reported during this period, including 24 critical vulnerabilities and 64 high severity vulnerabilities. This weekly summary report vulnerabilities in 608 products from 134 vendors including Cisco, Redhat, Fedoraproject, Opensuse, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Path Traversal", and "SQL Injection".

  • 279 reported vulnerabilities are remotely exploitables.
  • 8 reported vulnerabilities have public exploit available.
  • 104 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 233 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 25 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

24 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-30 CVE-2019-10661 Grandstream Improper Authentication vulnerability in Grandstream Gxv3611Ir HD Firmware

On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.

10.0
2019-03-29 CVE-2019-10269 Burrow Wheeler Aligner Project Out-Of-Bounds Write vulnerability in Burrow-Wheeler Aligner Project Burrow-Wheeler Aligner

BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-based buffer overflow in the bns_restore function in bntseq.c via a long sequence name in a .alt file.

10.0
2019-03-27 CVE-2019-9863 Abus Inadequate Encryption Strength vulnerability in Abus products

Due to the use of an insecure algorithm for rolling codes in the ABUS Secvest wireless alarm system FUAA50000 3.01.01 and its remote controls FUBE50014 and FUBE50015, an attacker is able to predict valid future rolling codes, and can thus remotely control the alarm system in an unauthorized way.

10.0
2019-03-27 CVE-2019-10125 Linux
Netapp
USE After Free vulnerability in multiple products

An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4.

10.0
2019-03-26 CVE-2014-5401 Hospira Code Injection vulnerability in Hospira Mednet 5.8

Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system.

10.0
2019-03-25 CVE-2014-9189 Honeywell Buffer Errors vulnerability in Honeywell Experion Process Knowledge System R400/R410/R430

Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service.

10.0
2019-03-25 CVE-2019-7609 Elastic
Redhat
Code Injection vulnerability in multiple products

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.

10.0
2019-03-25 CVE-2019-3396 Atlassian Path Traversal vulnerability in Atlassian Confluence

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

10.0
2019-03-25 CVE-2019-10040 Dlink Missing Authentication FOR Critical Function vulnerability in Dlink Dir-816 Firmware 1.11

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request.

10.0
2019-03-25 CVE-2015-3956 Pifzer Insufficient Verification of Data Authenticity vulnerability in Pifzer products

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network.

10.0
2019-03-25 CVE-2015-3954 Pifzer Improper Authorization vulnerability in Pifzer products

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default.

10.0
2019-03-25 CVE-2015-3953 Pifzer USE of Hard-Coded Credentials vulnerability in Pifzer products

Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior.

10.0
2019-03-25 CVE-2019-0204 Apache Improper Input Validation vulnerability in Apache Mesos

A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1.

9.3
2019-03-25 CVE-2019-7610 Elastic Command Injection vulnerability in Elastic Kibana

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger.

9.3
2019-03-25 CVE-2015-1007 Opto22 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Opto22 products

A specially crafted configuration file could be used to cause a stack-based buffer overflow condition in the OPCTest.exe, which may allow remote code execution on Opto 22 PAC Project Professional versions prior to R9.4008, PAC Project Basic versions prior to R9.4008, PAC Display Basic versions prior to R9.4g, PAC Display Professional versions prior to R9.4g, OptoOPCServer version R9.4c and prior that were installed by PAC Project installer, versions prior to R9.4008, and OptoDataLink version R9.4d and prior that were installed by PAC Project installer, versions prior to R9.4008.

9.3
2019-03-30 CVE-2019-10662 Grandstream OS Command Injection vulnerability in Grandstream Ucm6204 Firmware

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.

9.0
2019-03-30 CVE-2019-10656 Grandstream OS Command Injection vulnerability in Grandstream Gwn7000 Firmware

Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.

9.0
2019-03-28 CVE-2019-1756 Cisco Improper Input Validation vulnerability in Cisco IOS and IOS XE

A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.

9.0
2019-03-28 CVE-2019-1755 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user.

9.0
2019-03-28 CVE-2019-1754 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI.

9.0
2019-03-28 CVE-2019-1753 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI.

9.0
2019-03-27 CVE-2018-19648 Adtran Improper Privilege Management vulnerability in Adtran Pmaa 1.6.2/1.6.3

An issue was discovered in ADTRAN PMAA 1.6.2-1, 1.6.3, and 1.6.4.

9.0
2019-03-26 CVE-2019-9743 Phoenixcontact Command Injection vulnerability in Phoenixcontact products

An issue was discovered on PHOENIX CONTACT RAD-80211-XD and RAD-80211-XD/HP-BUS devices.

9.0
2019-03-25 CVE-2019-3831 Ovirt
Redhat
A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8.
9.0

64 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-28 CVE-2019-0225 Apache Path Traversal vulnerability in Apache Jspwiki

A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.

7.8
2019-03-28 CVE-2019-6542 Enttec Missing Authentication FOR Critical Function vulnerability in Enttec products

ENTTEC Datagate MK2, Storm 24, Pixelator all firmware versions prior to (70044,70050,70060)_update_05032019-482 allows an unauthenticated user to initiate a remote reboot, which may be used to cause a denial of service condition.

7.8
2019-03-28 CVE-2019-1752 Cisco Improper Input Validation vulnerability in Cisco IOS

A vulnerability in the ISDN functions of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload.

7.8
2019-03-28 CVE-2019-1751 Cisco Improper Input Validation vulnerability in Cisco IOS

A vulnerability in the Network Address Translation 64 (NAT64) functions of Cisco IOS Software could allow an unauthenticated, remote attacker to cause either an interface queue wedge or a device reload.

7.8
2019-03-28 CVE-2019-1741 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the Cisco Encrypted Traffic Analytics (ETA) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

7.8
2019-03-28 CVE-2019-1740 Cisco Improper Input Validation vulnerability in Cisco IOS

A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

7.8
2019-03-28 CVE-2019-1739 Cisco Improper Input Validation vulnerability in Cisco IOS

A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

7.8
2019-03-28 CVE-2019-1738 Cisco Improper Input Validation vulnerability in Cisco IOS

A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

7.8
2019-03-27 CVE-2019-1737 Cisco Resource Exhaustion vulnerability in Cisco IOS and IOS XE

A vulnerability in the processing of IP Service Level Agreement (SLA) packets by Cisco IOS Software and Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device.

7.8
2019-03-27 CVE-2018-19016 Rockwellautomation Improper Input Validation vulnerability in Rockwellautomation products

Rockwell Automation EtherNet/IP Web Server Modules 1756-EWEB (includes 1756-EWEBK) Version 5.001 and earlier, and CompactLogix 1768-EWEB Version 2.005 and earlier.

7.8
2019-03-27 CVE-2018-18994 Laquisscada Out-Of-Bounds Read vulnerability in Laquisscada Laquis Scada

LCDS Laquis SCADA prior to version 4.1.0.4150 allows an out of bounds read when opening a specially crafted project file, which may cause a system crash or allow data exfiltration.

7.8
2019-03-27 CVE-2019-5419 Rubyonrails
Debian
Redhat
Opensuse
Fedoraproject
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.

7.8
2019-03-26 CVE-2013-2805 Rockwellautomation Out-Of-Bounds Read vulnerability in Rockwellautomation Rslinx Enterprise

Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it receives a datagram with an incorrect value in the “Record Data Size” field.

7.8
2019-03-26 CVE-2013-2807 Rockwellautomation Out-Of-Bounds Read vulnerability in Rockwellautomation Rslinx Enterprise

Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an incorrect value for the “Total Record Size” field.

7.8
2019-03-26 CVE-2013-2806 Rockwellautomation Integer Overflow OR Wraparound vulnerability in Rockwellautomation Rslinx Enterprise

Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an incorrect value for the “End of Current Record” field.

7.8
2019-03-25 CVE-2019-10042 Dlink Missing Authentication FOR Critical Function vulnerability in Dlink Dir-816 Firmware 1.11

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request.

7.8
2019-03-31 CVE-2019-10672 Symonics Improper Input Validation vulnerability in Symonics Libmysofa

treeRead in hdf/btree.c in libmysofa before 0.7 does not properly validate multiplications and additions.

7.5
2019-03-31 CVE-2019-10664 Domoticz SQL Injection vulnerability in Domoticz

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.

7.5
2019-03-30 CVE-2019-10655 Grandstream Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Grandstream products

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication.

7.5
2019-03-30 CVE-2019-10648 Robocode Project Improper Input Validation vulnerability in Robocode Project Robocode

Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.

7.5
2019-03-30 CVE-2019-10647 Zzzcms Unrestricted Upload of File With Dangerous Type vulnerability in Zzzcms Zzzphp 1.6.3

ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions.

7.5
2019-03-29 CVE-2018-18766 Provisio Unspecified vulnerability in Provisio Sitekiosk

An elevation of privilege vulnerability exists in the Call Dispatcher in Provisio SiteKiosk before 9.7.4905.

7.5
2019-03-29 CVE-2019-10276 Cobub Unrestricted Upload of File With Dangerous Type vulnerability in Cobub Razor 0.8.0

Western Bridge Cobub Razor 0.8.0 has a file upload vulnerability via the web/assets/swf/uploadify.php URI, as demonstrated by a .php file with the image/jpeg content type.

7.5
2019-03-28 CVE-2019-10262 Bluecms Project SQL Injection vulnerability in Bluecms Project Bluecms 1.6

A SQL Injection issue was discovered in BlueCMS 1.6.

7.5
2019-03-28 CVE-2019-9204 Nagios SQL Injection vulnerability in Nagios Incident Manager 2.0.0/2.0.1

SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands.

7.5
2019-03-28 CVE-2019-9203 Nagios Unspecified vulnerability in Nagios Incident Manager 2.0.0/2.0.1

Authorization bypass in Nagios IM (component of Nagios XI) before 2.2.7 allows closing incidents in IM via the API.

7.5
2019-03-28 CVE-2019-9165 Nagios SQL Injection vulnerability in Nagios XI

SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.

7.5
2019-03-28 CVE-2019-1003041 Jenkins 7PK - Security Features vulnerability in Jenkins Pipeline: Groovy

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

7.5
2019-03-28 CVE-2019-1003040 Jenkins 7PK - Security Features vulnerability in Jenkins Script Security

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

7.5
2019-03-28 CVE-2017-18365 Github Deserialization of Untrusted Data vulnerability in Github

The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code.

7.5
2019-03-28 CVE-2019-1743 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the web UI framework of Cisco IOS XE Software could allow an authenticated, remote attacker to make unauthorized changes to the filesystem of the affected device.

7.5
2019-03-27 CVE-2019-0160 Tianocore
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access.

7.5
2019-03-27 CVE-2017-9626 Marel Incorrect Permission Assignment FOR Critical Resource vulnerability in Marel Pluto1203 and Pluto2

Systems using the Marel Food Processing Systems Pluto platform do not restrict remote access.

7.5
2019-03-27 CVE-2019-1010257 Article2Pdf Project Path Traversal vulnerability in Article2Pdf Project Article2Pdf

An Information Disclosure / Data Modification issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27.

7.5
2019-03-27 CVE-2019-10232 Teclib Edition SQL Injection vulnerability in Teclib-Edition Gestionnaire Libre DE Parc Informatique

Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php.

7.5
2019-03-27 CVE-2019-10231 Teclib Edition Type Confusion vulnerability in Teclib-Edition Gestionnaire Libre DE Parc Informatique

Teclib GLPI before 9.4.1.1 is affected by a PHP type juggling vulnerability allowing bypass of authentication.

7.5
2019-03-27 CVE-2018-19641 Microfocus Code Injection vulnerability in Microfocus Solutions Business Manager

Unauthenticated remote code execution issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5.

7.5
2019-03-27 CVE-2018-5923 HP Improper Verification of Cryptographic Signature vulnerability in HP products

In HP LaserJet Enterprise, HP PageWide Enterprise, HP LaserJet Managed, and HP OfficeJet Enterprise Printers, solution application signature checking may allow potential execution of arbitrary code.

7.5
2019-03-27 CVE-2019-5420 Rubyonrails
Debian
Fedoraproject
Improper Input Validation vulnerability in multiple products

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token.

7.5
2019-03-26 CVE-2019-3597 Mcafee Unspecified vulnerability in Mcafee Network Security Manager

Authentication Bypass vulnerability in McAfee Network Security Manager (NSM) 9.1 < 9.1.7.75.2 and 9.2 < 9.2.7.31 (9.2 Update 2) allows unauthenticated users to gain administrator rights via incorrect handling of expired GUI sessions.

7.5
2019-03-26 CVE-2019-10068 Kentico Deserialization of Untrusted Data vulnerability in Kentico

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions.

7.5
2019-03-26 CVE-2010-5305 Rockwellautomation Improper Access Control vulnerability in Rockwellautomation products

The potential exists for exposure of the product's password used to restrict unauthorized access to Rockwell PLC5/SLC5/0x/RSLogix 1785-Lx and 1747-L5x controllers.

7.5
2019-03-26 CVE-2014-5433 Baxter Credentials Management vulnerability in Baxter Sigma Spectrum Infusion System Firmware 6.05

An unauthenticated remote attacker may be able to execute commands to view wireless account credentials that are stored in cleartext on Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16, which may allow an attacker to gain access the host network.

7.5
2019-03-26 CVE-2014-5432 Baxter Improper Authentication vulnerability in Baxter Sigma Spectrum Infusion System Firmware 6.05

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication.

7.5
2019-03-26 CVE-2019-8981 Axtls Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Axtls Project Axtls

tls1.c in Cameron Hamilton-Rich axTLS before 2.1.5 has a Buffer Overflow via a crafted sequence of TLS packets because the need_bytes value is mismanaged.

7.5
2019-03-26 CVE-2019-7714 GHS Out-Of-Bounds Write vulnerability in GHS Integrity Rtos 5.0.4

An issue was discovered in Interpeak IPWEBS on Green Hills INTEGRITY RTOS 5.0.4.

7.5
2019-03-26 CVE-2019-7713 GHS Out-Of-Bounds Write vulnerability in GHS Integrity Rtos 5.0.4

An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4.

7.5
2019-03-26 CVE-2019-10061 Node Opencv Project OS Command Injection vulnerability in Node-Opencv Project Node-Opencv

utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection.

7.5
2019-03-25 CVE-2017-7342 Fortinet Improper Input Validation vulnerability in Fortinet Fortiportal

A weak password recovery process vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via a hidden Close button

7.5
2019-03-25 CVE-2014-9187 Honeywell Buffer Errors vulnerability in Honeywell Experion Process Knowledge System R400/R410/R430

Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service.

7.5
2019-03-25 CVE-2019-3395 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.

7.5
2019-03-25 CVE-2019-10011 Jenzabar USE of Hard-Coded Credentials vulnerability in Jenzabar Internet Campus Solution 9

ICS/StaticPages/AddTestUsers.aspx in Jenzabar JICS (aka Internet Campus Solution) before 2019-02-06 allows remote attackers to create an arbitrary number of accounts with a password of 1234.

7.5
2019-03-25 CVE-2019-3809 Moodle Server-Side Request Forgery (SSRF) vulnerability in Moodle

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions.

7.5
2019-03-25 CVE-2018-16858 Libreoffice Path Traversal vulnerability in Libreoffice

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document.

7.5
2019-03-25 CVE-2019-3481 HP XXE vulnerability in HP Arcsight Logger

Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7.

7.5
2019-03-25 CVE-2019-3479 HP Improper Input Validation vulnerability in HP Arcsight Logger

Mitigates a potential remote code execution issue in ArcSight Logger versions prior to 6.7.

7.5
2019-03-25 CVE-2019-3476 Microfocus Improper Input Validation vulnerability in Microfocus Data Protector 10.03

Remote arbitrary code execution in Micro Focus Data Protector, version 10.03 this vulnerability could allow remote arbitrary code execution.

7.5
2019-03-29 CVE-2019-9695 Symantec Code Injection vulnerability in Symantec Norton Core Firmware

Norton Core prior to v278 may be susceptible to an arbitrary code execution issue, which is a type of vulnerability that has the potential of allowing an individual to execute arbitrary commands or code on a target machine or in a target process.

7.2
2019-03-28 CVE-2019-9166 Nagios Incorrect Permission Assignment FOR Critical Resource vulnerability in Nagios XI

Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.

7.2
2019-03-28 CVE-2019-7524 Dovecot
Debian
Canonical
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root.

7.2
2019-03-28 CVE-2019-1745 Cisco OS Command Injection vulnerability in Cisco IOS XE

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with elevated privileges.

7.2
2019-03-25 CVE-2019-3484 HP Improper Input Validation vulnerability in HP Arcsight Logger

Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7.

7.2
2019-03-28 CVE-2019-6608 F5 Memory Leak vulnerability in F5 products

On BIG-IP 11.5.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, the snmpd daemon may leak memory on a multi-blade BIG-IP vCMP guest when processing authorized SNMP requests.

7.1
2019-03-28 CVE-2019-1760 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in Performance Routing Version 3 (PfRv3) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the affected device to reload.

7.1

190 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-28 CVE-2019-5674 Nvidia Link Following vulnerability in Nvidia Geforce Experience

NVIDIA GeForce Experience before 3.18 contains a vulnerability when ShadowPlay or GameStream is enabled.

6.9
2019-03-30 CVE-2019-10644 Hyphp Cross-Site Request Forgery (CSRF) vulnerability in Hyphp Hybbs 2.2

An issue was discovered in HYBBS 2.2.

6.8
2019-03-29 CVE-2019-9604 Online Lottery PHP Readymade Script Project Cross-Site Request Forgery (CSRF) vulnerability in Online Lottery PHP Readymade Script Project Online Lottery PHP Readymade Script 1.7.0

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-Site Request Forgery (CSRF) for Edit Profile actions.

6.8
2019-03-29 CVE-2017-18105 Atlassian Session Fixation vulnerability in Atlassian Crowd

The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability.

6.8
2019-03-28 CVE-2019-3710 Dell KEY Management Errors vulnerability in Dell EMC Networking Os10

Dell EMC Networking OS10 versions prior to 10.4.3 contain a cryptographic key vulnerability due to an underlying application using undocumented, pre-installed X.509v3 key/certificate pairs.

6.8
2019-03-27 CVE-2018-12180 Tianocore
Opensuse
Out-Of-Bounds Write vulnerability in multiple products

Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access.

6.8
2019-03-27 CVE-2019-10237 S CMS Cross-Site Request Forgery (CSRF) vulnerability in S-Cms 1.0

S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040.

6.8
2019-03-27 CVE-2018-12551 Eclipse Improper Authentication vulnerability in Eclipse Mosquitto

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid.

6.8
2019-03-27 CVE-2018-12550 Eclipse Unspecified vulnerability in Eclipse Mosquitto

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy.

6.8
2019-03-27 CVE-2019-10233 Glpi Project Information Exposure Through Discrepancy vulnerability in Glpi-Project Glpi

Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.

6.8
2019-03-27 CVE-2019-6536 Lcds Out-Of-Bounds Write vulnerability in Lcds Laquis Scada 4.1.0.4150

Opening a specially crafted LCDS LAquis SCADA before 4.3.1.71 ELS file may result in a write past the end of an allocated buffer, which may allow an attacker to execute remote code in the context of the current process.

6.8
2019-03-27 CVE-2019-3817 RPM USE After Free vulnerability in RPM Libcomps

A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged.

6.8
2019-03-26 CVE-2019-9744 Phoenixcontact Session Fixation vulnerability in Phoenixcontact products

An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices.

6.8
2019-03-26 CVE-2019-3878 MOD Auth Mellon Project
Fedoraproject
Redhat
Canonical
Improper Authentication vulnerability in multiple products

A vulnerability was found in mod_auth_mellon before v0.14.2.

6.8
2019-03-26 CVE-2019-9053 Cmsmadesimple SQL Injection vulnerability in Cmsmadesimple CMS Made Simple 2.2.8

An issue was discovered in CMS Made Simple 2.2.8.

6.8
2019-03-26 CVE-2019-10063 Flatpak Improper Input Validation vulnerability in Flatpak

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass.

6.8
2019-03-26 CVE-2019-10060 Verifone Buffer Errors vulnerability in Verifone Verix Multi-App Conductor 2.7

The Verix Multi-app Conductor application 2.7 for Verifone Verix suffers from a buffer overflow vulnerability that allows attackers to execute arbitrary code via a long configuration key value.

6.8
2019-03-25 CVE-2019-10044 Telegram
Microsoft
Improper Input Validation vulnerability in Telegram and Telegram Desktop

Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, is vulnerable to an IDN homograph attack when displaying messages containing URLs.

6.8
2019-03-25 CVE-2019-7611 Elastic Unspecified vulnerability in Elastic Elasticsearch

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used .

6.8
2019-03-25 CVE-2019-3857 Libssh2
Debian
Netapp
Opensuse
Redhat
Fedoraproject
Oracle
Integer Overflow OR Wraparound vulnerability in multiple products

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed.

6.8
2019-03-25 CVE-2019-3856 Libssh2
Debian
Netapp
Opensuse
Redhat
Fedoraproject
Oracle
Integer Overflow OR Wraparound vulnerability in multiple products

An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed.

6.8
2019-03-25 CVE-2019-3863 Libssh2
Debian
Netapp
Opensuse
Redhat
Out-Of-Bounds Write vulnerability in multiple products

A flaw was found in libssh2 before 1.8.1.

6.8
2019-03-25 CVE-2019-3483 HP Information Exposure vulnerability in HP Arcsight Logger

Mitigates a potential information leakage issue in ArcSight Logger versions prior to 6.7.

6.8
2019-03-25 CVE-2019-3482 HP Path Traversal vulnerability in HP Arcsight Logger

Mitigates a directory traversal issue in ArcSight Logger versions prior to 6.7.

6.8
2019-03-30 CVE-2019-10663 Grandstream SQL Injection vulnerability in Grandstream Ucm6204 Firmware

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.

6.5
2019-03-30 CVE-2019-10660 Grandstream OS Command Injection vulnerability in Grandstream Gxv3611Ir HD Firmware

Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.

6.5
2019-03-30 CVE-2019-10659 Grandstream OS Command Injection vulnerability in Grandstream Gxv3370 Firmware and Wp820 Firmware

Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.

6.5
2019-03-30 CVE-2019-10658 Grandstream OS Command Injection vulnerability in Grandstream Gwn7610 Firmware

Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.

6.5
2019-03-30 CVE-2019-10652 Flatcore Unrestricted Upload of File With Dangerous Type vulnerability in Flatcore 1.4.7

An issue was discovered in flatCore 1.4.7.

6.5
2019-03-29 CVE-2019-9920 Harmistechnology Unspecified vulnerability in Harmistechnology JE Messenger 1.2.2

An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!.

6.5
2019-03-29 CVE-2017-18108 Atlassian Code Injection vulnerability in Atlassian Crowd

The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.

6.5
2019-03-28 CVE-2019-9202 Nagios Unspecified vulnerability in Nagios Incident Manager 2.0.0/2.0.1

Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues.

6.5
2019-03-28 CVE-2019-9164 Nagios Cross-Site Scripting vulnerability in Nagios XI

Command injection in Nagios XI before 5.5.11 allows an authenticated users to execute arbitrary remote commands via a new autodiscovery job.

6.5
2019-03-28 CVE-2018-6330 Laravel SQL Injection vulnerability in Laravel Framework 5.4.15

Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters.

6.5
2019-03-28 CVE-2018-20678 Librenms SQL Injection vulnerability in Librenms

LibreNMS through 1.47 allows SQL injection via the html/ajax_table.php sort[hostname] parameter, exploitable by authenticated users during a search.

6.5
2019-03-27 CVE-2019-3847 Moodle Improper Input Validation vulnerability in Moodle

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17.

6.5
2019-03-26 CVE-2019-3849 Moodle Improper Privilege Management vulnerability in Moodle

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8.

6.5
2019-03-26 CVE-2019-9061 Cmsmadesimple Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Cmsmadesimple CMS Made Simple

An issue was discovered in CMS Made Simple 2.2.8.

6.5
2019-03-26 CVE-2019-9059 Cmsmadesimple Command Injection vulnerability in Cmsmadesimple CMS Made Simple

An issue was discovered in CMS Made Simple 2.2.8.

6.5
2019-03-26 CVE-2019-9058 Cmsmadesimple Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Cmsmadesimple CMS Made Simple

An issue was discovered in CMS Made Simple 2.2.8.

6.5
2019-03-26 CVE-2019-9057 Cmsmadesimple Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Cmsmadesimple CMS Made Simple

An issue was discovered in CMS Made Simple 2.2.8.

6.5
2019-03-26 CVE-2019-9055 Cmsmadesimple Deserialization of Untrusted Data vulnerability in Cmsmadesimple CMS Made Simple

An issue was discovered in CMS Made Simple 2.2.8.

6.5
2019-03-25 CVE-2017-9362 Zohocorp XXE vulnerability in Zohocorp Manageengine Servicedesk Plus 9.1/9.2

ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.

6.5
2019-03-29 CVE-2019-9918 Harmistechnology SQL Injection vulnerability in Harmistechnology JE Messenger 1.2.2

An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!.

6.4
2019-03-27 CVE-2018-12178 Tianocore Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Tianocore EDK II

Buffer overflow in network stack for EDK II may allow unprivileged user to potentially enable escalation of privilege and/or denial of service via network.

6.4
2019-03-27 CVE-2018-5926 HP Improper Certificate Validation vulnerability in HP Remote Graphics Software 7.5.0

A potential vulnerability has been identified in HP Remote Graphics Software’s certificate authentication process version 7.5.0 and earlier.

6.4
2019-03-26 CVE-2019-6569 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

6.4
2019-03-25 CVE-2019-3861 Libssh2
Debian
Netapp
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed.

6.4
2019-03-25 CVE-2019-3860 Libssh2
Debian
Netapp
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed.

6.4
2019-03-28 CVE-2019-1750 Cisco 7PK - Errors vulnerability in Cisco IOS XE

A vulnerability in the Easy Virtual Switching System (VSS) of Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an unauthenticated, adjacent attacker to cause the switches to reload.

6.1
2019-03-28 CVE-2019-1749 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the ingress traffic validation of Cisco IOS XE Software for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 (RSP3) could allow an unauthenticated, adjacent attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

6.1
2019-03-28 CVE-2019-1746 Cisco Improper Input Validation vulnerability in Cisco IOS

A vulnerability in the Cluster Management Protocol (CMP) processing code in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.

6.1
2019-03-29 CVE-2017-18106 Atlassian Improper Authentication vulnerability in Atlassian Crowd

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.

6.0
2019-03-28 CVE-2019-0212 Apache Unspecified vulnerability in Apache Hbase

In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server.

6.0
2019-03-28 CVE-2019-6607 F5 Cross-Site Request Forgery (CSRF) vulnerability in F5 Big-Ip Application Security Manager

On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility.

6.0
2019-03-25 CVE-2019-10012 Jenzabar
Tiny
Unrestricted Upload of File With Dangerous Type vulnerability in multiple products

Jenzabar JICS (aka Internet Campus Solution) before 9 allows remote attackers to upload and execute arbitrary .aspx code by placing it in a ZIP archive and using the MoxieManager (for .NET) plugin before 2.1.4 in the moxiemanager directory within the installation folder ICS\ICS.NET\ICSFileServer.

6.0
2019-03-30 CVE-2019-10650 Imagemagick
Debian
Out-Of-Bounds Read vulnerability in multiple products

In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.

5.8
2019-03-29 CVE-2017-18109 Atlassian Open Redirect vulnerability in Atlassian Crowd

The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

5.8
2019-03-28 CVE-2019-10255 Jupyter Open Redirect vulnerability in Jupyter Jupyterhub and Notebook

An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login.

5.8
2019-03-28 CVE-2019-1748 Cisco Improper Certificate Validation vulnerability in Cisco IOS

A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.

5.8
2019-03-26 CVE-2019-3850 Moodle Open Redirect vulnerability in Moodle

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17.

5.8
2019-03-26 CVE-2019-9764 Hashicorp Origin Validation Error vulnerability in Hashicorp Consul 1.4.3

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication.

5.8
2019-03-29 CVE-2017-18111 Atlassian XXE vulnerability in Atlassian Application Links

The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request.

5.5
2019-03-26 CVE-2019-8988 Tibco Unspecified vulnerability in Tibco Data Science FOR AWS and Spotfire Data Science

The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site contains a vulnerability that theoretically allows a user to escalate their privileges on the affected system, in a way that may allow for data modifications and deletions that should be denied.

5.5
2019-03-25 CVE-2019-3879 Ovirt
Redhat
Missing Authorization vulnerability in multiple products

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.

5.5
2019-03-25 CVE-2018-16838 Fedoraproject
Redhat
Improper Privilege Management vulnerability in multiple products

A flaw was found in sssd Group Policy Objects implementation.

5.5
2019-03-29 CVE-2018-20378 Opensynergy Improper Input Validation vulnerability in Opensynergy Blue SDK

The L2CAP signaling channel implementation and SDP server implementation in OpenSynergy Blue SDK 3.2 through 6.0 allow remote, unauthenticated attackers to execute arbitrary code or cause a denial of service via malicious L2CAP configuration requests, in conjunction with crafted SDP communication over maliciously configured L2CAP channels.

5.4
2019-03-31 CVE-2019-10678 Domoticz Crlf Injection vulnerability in Domoticz

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.

5.0
2019-03-29 CVE-2018-15840 TP Link Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Tp-Link Tl-Wr840N Firmware

TP-Link TL-WR840N devices allow remote attackers to cause a denial of service (networking outage) via fragmented packets, as demonstrated by an "nmap -f" command.

5.0
2019-03-29 CVE-2019-9922 Harmistechnology Path Traversal vulnerability in Harmistechnology JE Messenger 1.2.2

An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!.

5.0
2019-03-29 CVE-2019-6481 Abine Inadequate Encryption Strength vulnerability in Abine Blur 7.8.2431

Abine Blur 7.8.2431 allows remote attackers to conduct "Second-Factor Auth Bypass" attacks by using the "Perform a right-click operation to access a forgotten dev menu to insert user passwords that otherwise would require the user to accept a second-factor request in a mobile app." approach, related to a "Multifactor Auth Bypass, Full Disk Encryption Bypass" issue affecting the Affected Chrome Plugin component.

5.0
2019-03-29 CVE-2019-10477 Fusioninventory
Glpi Project
Data Processing Errors vulnerability in Fusioninventory

The FusionInventory plugin before 1.4 for GLPI 9.3.x and before 1.1 for GLPI 9.4.x mishandles sendXML actions.

5.0
2019-03-28 CVE-2019-0222 Apache
Netapp
Oracle
Debian
Code Injection vulnerability in multiple products

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

5.0
2019-03-28 CVE-2019-6605 F5 Unspecified vulnerability in F5 products

On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed sequence of packets received by an SSL virtual server and processed by an associated Client SSL or Server SSL profile may cause a denial of service.

5.0
2019-03-28 CVE-2019-6603 F5 Unspecified vulnerability in F5 products

In BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, and 13.0.0-13.0.1, malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service.

5.0
2019-03-28 CVE-2019-6602 F5 Information Exposure Through Discrepancy vulnerability in F5 products

In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a malicious request.

5.0
2019-03-28 CVE-2019-5739 Nodejs
Opensuse
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier.

5.0
2019-03-28 CVE-2019-5737 Nodejs
Opensuse
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly.

5.0
2019-03-28 CVE-2018-19879 Teltonika Improper Restriction of Excessive Authentication Attempts vulnerability in Teltonika Rut950 Firmware R31.04.89

An issue was discovered in /cgi-bin/luci on Teltonika RTU9XX (e.g., RUT950) R_31.04.89 before R_00.05.00.5 devices.

5.0
2019-03-28 CVE-2018-16529 Forcepoint Weak Password Recovery Mechanism for Forgotten Password vulnerability in Forcepoint Email Security 8.5.3

A password reset vulnerability has been discovered in Forcepoint Email Security 8.5.x.

5.0
2019-03-28 CVE-2018-20144 Gitlab Path Traversal vulnerability in Gitlab

GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x before 11.4.11, and 11.5.x before 11.5.4 has Incorrect Access Control.

5.0
2019-03-28 CVE-2019-1759 Cisco Improper Access Control vulnerability in Cisco IOS XE

A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface.

5.0
2019-03-28 CVE-2019-1747 Cisco Improper Input Validation vulnerability in Cisco IOS and IOS XE

A vulnerability in the implementation of the Short Message Service (SMS) handling functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device.

5.0
2019-03-28 CVE-2019-1742 Cisco Improper Access Control vulnerability in Cisco IOS XE

A vulnerability in the web UI of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access sensitive configuration information.

5.0
2019-03-27 CVE-2018-12545 Eclipse
Fedoraproject
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames.

5.0
2019-03-27 CVE-2017-7655 Eclipse Null Pointer Dereference vulnerability in Eclipse Mosquitto

In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.

5.0
2019-03-27 CVE-2019-3829 GNU
Fedoraproject
USE After Free vulnerability in multiple products

A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7.

5.0
2019-03-27 CVE-2019-1000031 Article2Pdf Project Memory Leak vulnerability in Article2Pdf Project Article2Pdf

A disk space or quota exhaustion issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27.

5.0
2019-03-27 CVE-2018-19643 Microfocus Information Exposure vulnerability in Microfocus Solutions Business Manager

Information leakage issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5.

5.0
2019-03-27 CVE-2018-19642 Microfocus Improper Input Validation vulnerability in Microfocus Solutions Business Manager

Denial of service issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5.

5.0
2019-03-27 CVE-2018-19466 Portainer Insufficiently Protected Credentials vulnerability in Portainer

A vulnerability was found in Portainer before 1.20.0.

5.0
2019-03-27 CVE-2017-2748 HP 7PK - Security Features vulnerability in HP Isaac Mizrahi Smartwatch

A potential security vulnerability caused by the use of insecure (http) transactions during login has been identified with early versions of the Isaac Mizrahi Smartwatch mobile app.

5.0
2019-03-27 CVE-2019-9860 Abus Insufficient Entropy in PRNG vulnerability in Abus products

Due to unencrypted signal communication and predictability of rolling codes, an attacker can "desynchronize" an ABUS Secvest wireless remote control (FUBE50014 or FUBE50015) relative to its controlled Secvest wireless alarm system FUAA50000 3.01.01, so that sent commands by the remote control are not accepted anymore.

5.0
2019-03-27 CVE-2019-5927 Weban Path Traversal vulnerability in Weban AN

Directory traversal vulnerability in 'an' App for iOS Version 3.2.0 and earlier allows remote attackers to read arbitrary files via unspecified vectors.

5.0
2019-03-27 CVE-2019-5418 Rubyonrails
Debian
Redhat
Opensuse
Fedoraproject
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
5.0
2019-03-27 CVE-2019-3821 Ceph
Canonical
Missing Release of Resource After Effective Lifetime vulnerability in multiple products

A flaw was found in the way civetweb frontend was handling requests for ceph RGW server with SSL enabled.

5.0
2019-03-27 CVE-2019-7167 Z Cash Improper Check FOR Unusual OR Exceptional Conditions vulnerability in Z.Cash Zcash

Zcash, before the Sapling network upgrade (2018-10-28), had a counterfeiting vulnerability.

5.0
2019-03-26 CVE-2019-1572 Paloaltonetworks Unspecified vulnerability in Paloaltonetworks Pan-Os 9.0.0

PAN-OS 9.0.0 may allow an unauthenticated remote user to access php files.

5.0
2019-03-26 CVE-2019-3804 Cockpit Project
Fedoraproject
Improper Input Validation vulnerability in multiple products

It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack.

5.0
2019-03-26 CVE-2018-16856 Openstack
Redhat
Information Exposure Through LOG Files vulnerability in multiple products

In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users.

5.0
2019-03-26 CVE-2018-19856 Gitlab Path Traversal vulnerability in Gitlab

GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before 11.5.3 allows Directory Traversal in Templates API.

5.0
2019-03-26 CVE-2014-5434 Baxter USE of Hard-Coded Credentials vulnerability in Baxter Sigma Spectrum Infusion System Firmware 6.05

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 has a default account with hard-coded credentials used with the FTP protocol.

5.0
2019-03-26 CVE-2019-7715 GHS USE of Externally-Controlled Format String vulnerability in GHS Integrity Rtos 5.0.4

An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4.

5.0
2019-03-26 CVE-2019-7712 GHS USE of Externally-Controlled Format String vulnerability in GHS Integrity Rtos 5.0.4

An issue was discovered in handler_ipcom_shell_pwd in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4.

5.0
2019-03-26 CVE-2019-7711 GHS USE of Externally-Controlled Format String vulnerability in GHS Integrity Rtos 5.0.4

An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4.

5.0
2019-03-25 CVE-2019-7642 Dlink Missing Authentication for Critical Function vulnerability in Dlink products

D-Link routers with the mydlink feature have some web interfaces without authentication requirements.

5.0
2019-03-25 CVE-2019-7613 Elastic Improper Input Validation vulnerability in Elastic Winlogbeat

Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw.

5.0
2019-03-25 CVE-2019-7612 Elastic
Netapp
Credentials Management vulnerability in multiple products

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs.

5.0
2019-03-25 CVE-2019-4046 IBM Resource Exhaustion vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers.

5.0
2019-03-25 CVE-2019-10041 Dlink Missing Authentication FOR Critical Function vulnerability in Dlink Dir-816 Firmware 1.11

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request.

5.0
2019-03-25 CVE-2019-10039 Dlink Missing Authentication FOR Critical Function vulnerability in Dlink Dir-816 Firmware 1.11

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request.

5.0
2019-03-25 CVE-2015-1012 Pfizer Information Exposure vulnerability in Pfizer Lifecare PCA Infusion System Firmware

Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System.

5.0
2019-03-25 CVE-2019-3810 Moodle Improper Input Validation vulnerability in Moodle

A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions.

5.0
2019-03-25 CVE-2019-6240 Gitlab Path Traversal vulnerability in Gitlab

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.

5.0
2019-03-25 CVE-2017-9376 Zohocorp Improper Input Validation vulnerability in Zohocorp Manageengine Servicedesk Plus 9.1/9.2

ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.

5.0
2019-03-25 CVE-2015-3952 Pifzer Information Exposure vulnerability in Pifzer products

Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior.

5.0
2019-03-27 CVE-2019-3814 Dovecot
Canonical
Opensuse
Improper Certificate Validation vulnerability in multiple products

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates.

4.9
2019-03-25 CVE-2019-3841 Kubevirt Improper Certificate Validation vulnerability in Kubevirt Containerized Data Importer

Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries.

4.9
2019-03-27 CVE-2018-3613 Tianocore Unspecified vulnerability in Tianocore EDK II Udk2015/Udk2017/Udk2018

Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

4.6
2019-03-27 CVE-2018-12183 Tianocore Out-Of-Bounds Write vulnerability in Tianocore EDK II

Stack overflow in DxeCore for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

4.6
2019-03-27 CVE-2018-12182 Tianocore Confused Deputy vulnerability in Tianocore EDK II

Insufficient memory write check in SMM service for EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

4.6
2019-03-27 CVE-2018-12179 Tianocore Unspecified vulnerability in Tianocore EDK II

Improper configuration in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

4.6
2019-03-26 CVE-2014-5431 Baxter USE of Hard-Coded Credentials vulnerability in Baxter Sigma Spectrum Infusion System Firmware 6.05

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network configuration of the WBM, if connected.

4.6
2019-03-25 CVE-2015-1014 Schneider Electric Uncontrolled Search Path Element vulnerability in Schneider-Electric OPC Factory Server 3.5

A successful exploit of these vulnerabilities requires the local user to load a crafted DLL file in the system directory on servers running Schneider Electric OFS v3.5 with version v7.40 of SCADA Expert Vijeo Citect/CitectSCADA, OFS v3.5 with version v7.30 of Vijeo Citect/CitectSCADA, and OFS v3.5 with version v7.20 of Vijeo Citect/CitectSCADA..

4.4
2019-03-30 CVE-2019-10654 Lrzip Project Out-Of-Bounds Read vulnerability in Lrzip Project Lrzip 0.631

The lzo1x_decompress function in liblzo2.so.2 in LZO 2.10, as used in Long Range Zip (aka lrzip) 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive, a different vulnerability than CVE-2017-8845.

4.3
2019-03-30 CVE-2019-10649 Imagemagick Memory Leak vulnerability in Imagemagick 7.0.836

In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file.

4.3
2019-03-30 CVE-2019-10646 Wolfcms Cross-Site Scripting vulnerability in Wolfcms Wolf CMS 0.8.3.1

Wolf CMS v0.8.3.1 is affected by cross site scripting (XSS) in the module Add Snippet (/?/admin/snippet/add).

4.3
2019-03-29 CVE-2018-19201 Mybb Cross-Site Scripting vulnerability in Mybb

A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter.

4.3
2019-03-28 CVE-2019-6604 F5 Unspecified vulnerability in F5 products

On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3.6, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, hardware systems with a High-Speed Bridge and using non-default Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.

4.3
2019-03-28 CVE-2019-0224 Apache Cross-Site Scripting vulnerability in Apache Jspwiki

In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session.

4.3
2019-03-28 CVE-2019-9167 Nagios Cross-Site Scripting vulnerability in Nagios XI

Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.

4.3
2019-03-28 CVE-2019-1003046 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Fortify ON Demand Uploader

A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-03-28 CVE-2019-10260 Totaljs Cross-Site Scripting vulnerability in Totaljs Total.Js CMS 12.0.0

Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).

4.3
2019-03-28 CVE-2019-10254 Misp Cross-Site Scripting vulnerability in Misp

In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.

4.3
2019-03-28 CVE-2019-10251 Ucweb Cryptographic Issues vulnerability in Ucweb UC Browser

The UCWeb UC Browser application through 2019-03-26 for Android uses HTTP to download certain modules associated with PDF and Microsoft Office files (related to libpicsel), which allows MITM attacks.

4.3
2019-03-28 CVE-2019-10250 Ucweb
Microsoft
Cryptographic Issues vulnerability in Ucweb UC Browser 7.0.185.1002

UCWeb UC Browser 7.0.185.1002 on Windows uses HTTP for downloading certain PDF modules, which allows MITM attacks.

4.3
2019-03-28 CVE-2019-1757 Cisco Improper Certificate Validation vulnerability in Cisco IOS

A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid certificate.

4.3
2019-03-27 CVE-2018-15585 Gnuboard5 Project Cross-Site Scripting vulnerability in Gnuboard5 Project Gnuboard5

Cross-Site Scripting (XSS) vulnerability in newwinform.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter.

4.3
2019-03-27 CVE-2018-14814 WE CON Out-Of-Bounds Read vulnerability in We-Con PI Studio and PI Studio HMI

WECON Technology PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior lacks proper validation of user-supplied data, which may result in a read past the end of an allocated object.

4.3
2019-03-27 CVE-2019-10238 Sitemagic Cross-Site Scripting vulnerability in Sitemagic 4.4

Sitemagic CMS v4.4 has XSS in SMFiles/FrmUpload.class.php via the filename parameter.

4.3
2019-03-27 CVE-2018-19644 Microfocus Cross-Site Scripting vulnerability in Microfocus Solutions Business Manager

Reflected cross site script issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5.

4.3
2019-03-27 CVE-2017-18364 Frank Karau Cross-Site Scripting vulnerability in Frank-Karau PHPfk

phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter.

4.3
2019-03-27 CVE-2019-5926 Kinagacms Project Cross-Site Scripting vulnerability in Kinagacms Project Kinagacms

Cross-site scripting vulnerability in KinagaCMS versions prior to 6.5 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2019-03-27 CVE-2019-3877 MOD Auth Mellon Project
Fedoraproject
Redhat
Canonical
Open Redirect vulnerability in multiple products

A vulnerability was found in mod_auth_mellon before v0.14.2.

4.3
2019-03-27 CVE-2019-10118 Snipeitapp Cross-Site Scripting vulnerability in Snipeitapp Snipe-It

Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.

4.3
2019-03-27 CVE-2016-10744 Select2 Cross-Site Scripting vulnerability in Select2

In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS.

4.3
2019-03-26 CVE-2018-15817 Faststone Buffer Errors vulnerability in Faststone Image Viewer 6.5

FastStone Image Viewer 6.5 has a Read Access Violation on Block Data Move starting at image00400000+0x0000000000002d63 via a crafted image file.

4.3
2019-03-26 CVE-2018-15816 Faststone Buffer Errors vulnerability in Faststone Image Viewer 6.5

FastStone Image Viewer 6.5 has a Read Access Violation on Block Data Move starting at image00400000+0x0000000000002d7d via a crafted image file.

4.3
2019-03-26 CVE-2018-15815 Faststone Improper Check for Unusual OR Exceptional Conditions vulnerability in Faststone Image Viewer 6.5

FastStone Image Viewer 6.5 has an Exception Handler Chain Corrupted issue starting at image00400000+0x00000000003ef68a via a crafted image file.

4.3
2019-03-26 CVE-2018-15814 Faststone Buffer Errors vulnerability in Faststone Image Viewer 6.5

FastStone Image Viewer 6.5 has a User Mode Write AV starting at image00400000+0x00000000001cb509 via a crafted image file.

4.3
2019-03-26 CVE-2018-15813 Faststone Buffer Errors vulnerability in Faststone Image Viewer 6.5

FastStone Image Viewer 6.5 has a User Mode Write AV starting at image00400000+0x00000000000e1237 via a crafted image file.

4.3
2019-03-26 CVE-2019-9961 Wikindx Project Cross-Site Scripting vulnerability in Wikindx Project Wikindx

A cross-site scripting (XSS) vulnerability in ressource view in core/modules/resource/RESOURCEVIEW.php in Wikindx prior to version 5.7.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.

4.3
2019-03-26 CVE-2019-3826 Prometheus
Redhat
Cross-Site Scripting vulnerability in multiple products

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1.

4.3
2019-03-25 CVE-2018-15583 Gnuboard Cross-Site Scripting vulnerability in Gnuboard Gnuboard5

Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter.

4.3
2019-03-25 CVE-2017-7340 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortiportal

A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality.

4.3
2019-03-25 CVE-2019-7608 Elastic Cross-Site Scripting vulnerability in Elastic Kibana

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

4.3
2019-03-25 CVE-2019-3838 Artifex
Redhat
Fedoraproject
Opensuse
Debian
It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27.
4.3
2019-03-25 CVE-2019-3835 Artifex
Redhat
Fedoraproject
Debian
Opensuse
Missing Authorization vulnerability in multiple products

It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27.

4.3
2019-03-25 CVE-2018-12653 Myadrenalin Cross-Site Scripting vulnerability in Myadrenalin Adrenalin 5.4.0

A Reflected Cross Site Scripting (XSS) vulnerability exists in Adrenalin HRMS 5.4.0.

4.3
2019-03-25 CVE-2018-12652 Myadrenalin Cross-Site Scripting vulnerability in Myadrenalin Adrenalin 5.4.0

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin 5.4 HRMS Software.

4.3
2019-03-25 CVE-2019-3480 HP Cross-Site Scripting vulnerability in HP Arcsight Logger

Mitigates a stored/reflected XSS issue in ArcSight Logger versions prior to 6.7.

4.3
2019-03-25 CVE-2019-10016 Gforge Cross-Site Scripting vulnerability in Gforge Advanced Server 6.4.4

GForge Advanced Server 6.4.4 allows XSS via the commonsearch.php words parameter, as demonstrated by a snippet/search/?words= substring.

4.3
2019-03-25 CVE-2019-10026 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10025 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10024 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10023 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10022 Xpdfreader Null Pointer Dereference vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10021 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10020 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10019 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-25 CVE-2019-10018 Xpdfreader Divide BY Zero vulnerability in Xpdfreader Xpdf 4.01.01

An issue was discovered in Xpdf 4.01.01.

4.3
2019-03-27 CVE-2018-5927 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50

HP Support Assistant before 8.7.50.3 allows an unauthorized person with local access to load arbitrary code.

4.1
2019-03-30 CVE-2019-10657 Grandstream OS Command Injection vulnerability in Grandstream Gwn7000 Firmware and Gwn7610 Firmware

Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.

4.0
2019-03-29 CVE-2019-9921 Harmistechnology Authorization Bypass Through User-Controlled KEY vulnerability in Harmistechnology JE Messenger 1.2.2

An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!.

4.0
2019-03-29 CVE-2017-18110 Atlassian XXE vulnerability in Atlassian Crowd

The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.

4.0
2019-03-28 CVE-2019-6606 F5 Memory Leak vulnerability in F5 products

On BIG-IP 11.5.1-11.6.3.4, 12.1.0-12.1.3.7, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, when processing certain SNMP requests with a request-id of 0, the snmpd process may leak a small amount of memory.

4.0
2019-03-28 CVE-2019-1003047 Jenkins Permission Issues vulnerability in Jenkins Fortify ON Demand Uploader

A missing permission check in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-03-28 CVE-2019-1003045 Trustsource Information Exposure vulnerability in Trustsource ECS Publisher 1.0.0

A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration.

4.0
2019-03-28 CVE-2019-7251 Digium Integer Overflow OR Wraparound vulnerability in Digium Asterisk

An Integer Signedness issue (for a return code) in the res_pjsip_sdp_rtp module in Digium Asterisk versions 15.7.1 and earlier and 16.1.1 and earlier allows remote authenticated users to crash Asterisk via a specially crafted SDP protocol violation.

4.0
2019-03-28 CVE-2019-9864 Amazon Affiliate Store Project Improper Input Validation vulnerability in Amazon Affiliate Store Project Amazon Affiliate Store 2.1.6

PHP Scripts Mall Amazon Affiliate Store 2.1.6 allows Parameter Tampering of the payment amount.

4.0
2019-03-28 CVE-2019-3869 Redhat Information Exposure vulnerability in Redhat Ansible Tower

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables.

4.0
2019-03-27 CVE-2018-12546 Eclipse Incorrect Permission Assignment FOR Critical Resource vulnerability in Eclipse Mosquitto

In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future.

4.0
2019-03-27 CVE-2018-16207 Omron Unspecified vulnerability in Omron Poweract PRO Master Agent

PowerAct Pro Master Agent for Windows Version 5.13 and earlier allows authenticated attackers to bypass access restriction to alter or edit unauthorized files via unspecified vectors.

4.0
2019-03-27 CVE-2019-9917 ZNC
Canonical
Fedoraproject
Improper Input Validation vulnerability in multiple products

ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial of Service (crash) via invalid encoding.

4.0
2019-03-26 CVE-2019-8989 Tibco Improper Input Validation vulnerability in Tibco Data Science FOR AWS and Spotfire Data Science

The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a vulnerability that theoretically enables a user to spoof their account to look like a different user in the affected system.

4.0
2019-03-26 CVE-2019-3852 Moodle Unspecified vulnerability in Moodle

A vulnerability was found in moodle before version 3.6.3.

4.0
2019-03-26 CVE-2019-3851 Moodle
Fedoraproject
A vulnerability was found in moodle before versions 3.6.3 and 3.5.5.
4.0
2019-03-26 CVE-2019-3848 Moodle Information Exposure vulnerability in Moodle

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8.

4.0
2019-03-25 CVE-2019-3808 Moodle Cross-Site Scripting vulnerability in Moodle

A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions.

4.0
2019-03-25 CVE-2017-7510 Redhat Insufficiently Protected Credentials vulnerability in Redhat Ovirt-Engine 4.1.0

In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface.

4.0

32 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-03-27 CVE-2018-12181 Tianocore Out-Of-Bounds Write vulnerability in Tianocore EDK II

Stack overflow in corrupted bmp for EDK II may allow unprivileged user to potentially enable denial of service or elevation of privilege via local access.

3.6
2019-03-29 CVE-2019-9919 Harmistechnology Cross-Site Scripting vulnerability in Harmistechnology JE Messenger 1.2.2

An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!.

3.5
2019-03-29 CVE-2019-9605 Online Lottery PHP Readymade Script Project Cross-Site Scripting vulnerability in Online Lottery PHP Readymade Script Project Online Lottery PHP Readymade Script 1.7.0

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.

3.5
2019-03-28 CVE-2019-1003043 Jenkins Credentials Management vulnerability in Jenkins Slack Notification

A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

3.5
2019-03-28 CVE-2019-1003042 Jenkins Cross-Site Scripting vulnerability in Jenkins Lockable Resources

A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.

3.5
2019-03-27 CVE-2019-3840 Redhat
Opensuse
Null Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent.

3.5
2019-03-27 CVE-2018-10934 Redhat Cross-Site Scripting vulnerability in Redhat products

A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA.

3.5
2019-03-26 CVE-2019-1571 Paloaltonetworks Cross-Site Scripting vulnerability in Paloaltonetworks Expedition

The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the RADIUS server settings.

3.5
2019-03-26 CVE-2019-1570 Paloaltonetworks Cross-Site Scripting vulnerability in Paloaltonetworks Expedition

The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the LDAP server settings.

3.5
2019-03-26 CVE-2019-1569 Paloaltonetworks Cross-Site Scripting vulnerability in Paloaltonetworks Expedition

The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings for account name of admin user.

3.5
2019-03-26 CVE-2019-10107 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.10

CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" field, which is reachable via the "My Preferences -> My Account" section.

3.5
2019-03-26 CVE-2019-10106 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.10

CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name field, which is reachable via an "Add Category" action to the "Site Admin Settings - News module" section.

3.5
2019-03-26 CVE-2019-10105 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.10

CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Design Manager "Name" field, which is reachable via a "Create a new Template" action to the Design Manager.

3.5
2019-03-26 CVE-2019-8987 Tibco Cross-Site Scripting vulnerability in Tibco Data Science FOR AWS and Spotfire Data Science

The application server component of TIBCO Software Inc.'s TIBCO Data Science for AWS, and TIBCO Spotfire Data Science contains a persistent cross-site scripting vulnerability that theoretically allows an authenticated user to gain access to all the capabilities of the web interface available to more privileged users.

3.5
2019-03-26 CVE-2019-6341 Drupal
Debian
Fedoraproject
Cross-Site Scripting vulnerability in multiple products

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14.

3.5
2019-03-26 CVE-2019-7646 Centos Webpanel Cross-Site Scripting vulnerability in Centos-Webpanel Centos web Panel

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter.

3.5
2019-03-25 CVE-2019-10027 Phpcms Cross-Site Scripting vulnerability in PHPcms

PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen.

3.5
2019-03-28 CVE-2019-1761 Cisco Improper Initialization vulnerability in Cisco IOS XE

A vulnerability in the Hot Standby Router Protocol (HSRP) subsystem of Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to receive potentially sensitive information from an affected device.

3.3
2019-03-28 CVE-2019-1758 Cisco Improper Authentication vulnerability in Cisco IOS

A vulnerability in 802.1x function of Cisco IOS Software on the Catalyst 6500 Series Switches could allow an unauthenticated, adjacent attacker to access the network prior to authentication.

3.3
2019-03-27 CVE-2019-9862 Abus Missing Encryption of Sensitive Data vulnerability in Abus products

An issue was discovered on ABUS Secvest wireless alarm system FUAA50000 3.01.01 in conjunction with Secvest remote control FUBE50014 or FUBE50015.

3.3
2019-03-27 CVE-2019-3828 Redhat Path Traversal vulnerability in Redhat Ansible

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

3.3
2019-03-26 CVE-2019-6540 Medtronic Cryptographic Issues vulnerability in Medtronic products

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption.

3.3
2019-03-25 CVE-2019-6538 Medtronic Improper Access Control vulnerability in Medtronic products

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization.

3.3
2019-03-25 CVE-2019-3874 Linux
Debian
Redhat
Canonical
Netapp
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem.
3.3
2019-03-25 CVE-2019-3827 Gnome Incorrect Authorization vulnerability in Gnome Gvfs

An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running.

3.3
2019-03-28 CVE-2019-1003048 Jenkins Credentials Management vulnerability in Jenkins Prqa

A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration.

2.1
2019-03-28 CVE-2019-1003044 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Slack Notification

A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

2.1
2019-03-28 CVE-2019-1762 Cisco Information Exposure vulnerability in Cisco IOS and IOS XE

A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE Software could allow an authenticated, local attacker to access sensitive system information on an affected device.

2.1
2019-03-27 CVE-2019-0161 Tianocore Out-Of-Bounds Write vulnerability in Tianocore EDK II

Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access.

2.1
2019-03-27 CVE-2017-2752 HP 7PK - Security Features vulnerability in HP Tommy Hilfiger Th24/7

A potential security vulnerability caused by incomplete obfuscation of application configuration information was discovered in Tommy Hilfiger TH24/7 Android app versions 2.0.0.11, 2.0.1.14, 2.1.0.16, and 2.2.0.19.

2.1
2019-03-26 CVE-2019-3830 Openstack
Redhat
Information Exposure Through LOG Files vulnerability in multiple products

A vulnerability was found in ceilometer before version 12.0.0.0rc1.

2.1
2019-03-26 CVE-2019-3606 Mcafee Cleartext Storage of Sensitive Information vulnerability in Mcafee Network Security Manager

Data Leakage Attacks vulnerability in the web portal component when in an MDR pair in McAfee Network Security Management (NSM) 9.1 < 9.1.7.75 (Update 4) and 9.2 < 9.2.7.31 Update2 allows administrators to view configuration information in plain text format via the GUI or GUI terminal commands.

1.9