Weekly Vulnerabilities Reports > April 1 to 7, 2019

Overview

423 new vulnerabilities reported during this period, including 62 critical vulnerabilities and 44 high severity vulnerabilities. This weekly summary report vulnerabilities in 324 products from 95 vendors including Apple, Jenkins, Microsoft, Synology, and IBM. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Information Exposure", "Missing Encryption of Sensitive Data", and "Cross-Site Request Forgery (CSRF)".

  • 381 reported vulnerabilities are remotely exploitables.
  • 7 reported vulnerabilities have public exploit available.
  • 95 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 318 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 187 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 42 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

62 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-05 CVE-2019-10479 Glory Global Use of Hard-coded Credentials vulnerability in Glory-Global Rbw-100 Firmware Ispk05027.0.0

An issue was discovered on Glory RBW-100 devices with firmware ISP-K05-02 7.0.0.

10.0
2019-04-04 CVE-2018-19282 Rockwellautomation Resource Exhaustion vulnerability in Rockwellautomation Powerflex 525 AC Drives Firmware

Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common Industrial Protocol (CIP) network stack.

10.0
2019-04-04 CVE-2018-18068 Raspberrypi Exposure of Resource to Wrong Sphere vulnerability in Raspberrypi Raspberry PI 3 Model B+ Firmware

The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging.

10.0
2019-04-04 CVE-2019-10842 Getbootstrap Code Injection vulnerability in Getbootstrap Bootstrap-Sass 3.2.0.3

Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org.

10.0
2019-04-03 CVE-2018-4332 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4331 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4291 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

Multiple memory corruption issues were addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4288 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

Multiple memory corruption issues were addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4287 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

Multiple memory corruption issues were addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4286 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

Multiple memory corruption issues were addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4268 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

10.0
2019-04-03 CVE-2018-4259 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

Multiple memory corruption issues were addressed with improved memory handling.

10.0
2019-04-02 CVE-2018-19275 Mitel Insecure Default Initialization of Resource vulnerability in Mitel CMG Suite and Inattend

The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system.

10.0
2019-04-01 CVE-2018-17565 Grandstream OS Command Injection vulnerability in Grandstream products

Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell.

10.0
2019-04-01 CVE-2017-8023 Dell Improper Authentication vulnerability in Dell EMC Networker

EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the Networker Client execution service (nsrexecd) when oldauth authentication method is used.

10.0
2019-04-01 CVE-2019-5891 Overit Unspecified vulnerability in Overit Geocall 6.3

An issue was discovered in OverIT Geocall 6.3 before build 2:346977.

9.8
2019-04-03 CVE-2018-4465 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS and mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4463 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4461 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

9.3
2019-04-03 CVE-2018-4456 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved input validation.

9.3
2019-04-03 CVE-2018-4450 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4449 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4447 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

9.3
2019-04-03 CVE-2018-4427 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4426 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4425 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4424 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A buffer overflow was addressed with improved size validation.

9.3
2019-04-03 CVE-2018-4422 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4421 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory initialization issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4420 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed by removing the vulnerable code.

9.3
2019-04-03 CVE-2018-4419 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4415 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4410 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved input validation.

9.3
2019-04-03 CVE-2018-4408 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

9.3
2019-04-03 CVE-2018-4402 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4401 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4393 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4383 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

9.3
2019-04-03 CVE-2018-4357 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Xcode

A memory corruption issue was addressed with improved input validation.

9.3
2019-04-03 CVE-2018-4350 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved input validation.

9.3
2019-04-03 CVE-2018-4344 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4343 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4340 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4337 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4336 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4334 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4327 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4285 Apple Incorrect Type Conversion or Cast vulnerability in Apple mac OS X

A type confusion issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2018-4126 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

9.3
2019-04-03 CVE-2017-13911 Apple Improper Input Validation vulnerability in Apple mac OS X

A configuration issue was addressed with additional restrictions.

9.3
2019-04-03 CVE-2019-10673 Ultimatemember Cross-Site Request Forgery (CSRF) vulnerability in Ultimatemember Ultimate Member

A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code.

9.3
2019-04-02 CVE-2019-1010260 Ktlint Project Cleartext Transmission of Sensitive Information vulnerability in Ktlint Project Ktlint

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM.

9.3
2019-04-05 CVE-2019-10478 Glory Global Unrestricted Upload of File with Dangerous Type vulnerability in Glory-Global Rbw-100 Firmware Ispk05027.0.0

An issue was discovered on Glory RBW-100 devices with firmware ISP-K05-02 7.0.0.

9.0
2019-04-04 CVE-2018-19981 Amazon Cleartext Storage of Sensitive Information vulnerability in Amazon AWS Software Development KIT

Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service.

9.0
2019-04-02 CVE-2019-5524 Vmware Out-of-bounds Write vulnerability in VMWare Fusion and Workstation

VMware Workstation (14.x before 14.1.6) and Fusion (10.x before 10.1.6) contain an out-of-bounds write vulnerability in the e1000 virtual network adapter.

9.0
2019-04-02 CVE-2019-5515 Vmware Out-of-bounds Write vulnerability in VMWare Fusion and Workstation

VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) and Fusion (11.x before 11.0.3, 10.x before 10.1.6) updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters.

9.0
2019-04-02 CVE-2018-1640 IBM Improper Input Validation vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could allow a remote authenticated attacker to execute arbitrary commands on the system.

9.0
2019-04-01 CVE-2019-9193 Postgresql OS Command Injection vulnerability in Postgresql

** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user.

9.0
2019-04-01 CVE-2018-17990 Dlink OS Command Injection vulnerability in Dlink Dsl-3782 Firmware 1.01

An issue was discovered on D-Link DSL-3782 devices with firmware 1.01.

9.0
2019-04-01 CVE-2018-5757 Audiocodes OS Command Injection vulnerability in Audiocodes 420Hd IP Phone Firmware 3.0.0.535.106

An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106.

9.0
2019-04-01 CVE-2018-13285 Synology OS Command Injection vulnerability in Synology Router Manager

Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

9.0
2019-04-01 CVE-2018-13284 Synology OS Command Injection vulnerability in Synology Diskstation Manager

Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

9.0

44 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-01 CVE-2019-5890 Overit Improper Authentication vulnerability in Overit Geocall 6.3

An issue was discovered in OverIT Geocall 6.3 before build 2:346977.

8.8
2019-04-07 CVE-2019-10908 Airsonic Project Cryptographic Issues vulnerability in Airsonic Project Airsonic 10.2.1

In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally.

7.5
2019-04-05 CVE-2019-6552 Advantech Command Injection vulnerability in Advantech Webaccess

Advantech WebAccess/SCADA, Versions 8.3.5 and prior.

7.5
2019-04-05 CVE-2019-6550 Advantech Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Advantech Webaccess

Advantech WebAccess/SCADA, Versions 8.3.5 and prior.

7.5
2019-04-05 CVE-2019-10877 Teeworlds Integer Overflow or Wraparound vulnerability in Teeworlds 0.7.2

In Teeworlds 0.7.2, there is an integer overflow in CMap::Load() in engine/shared/map.cpp that can lead to a buffer overflow, because multiplication of width and height is mishandled.

7.5
2019-04-05 CVE-2019-10879 Teeworlds Integer Overflow or Wraparound vulnerability in Teeworlds 0.7.2

In Teeworlds 0.7.2, there is an integer overflow in CDataFileReader::Open() in engine/shared/datafile.cpp that can lead to a buffer overflow and possibly remote code execution, because size-related multiplications are mishandled.

7.5
2019-04-05 CVE-2019-10878 Teeworlds Out-of-bounds Write vulnerability in Teeworlds 0.7.2

In Teeworlds 0.7.2, there is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions in engine/shared/datafile.cpp that can lead to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution.

7.5
2019-04-04 CVE-2019-6553 Rockwellautomation Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Rockwellautomation Rslinx

A vulnerability was found in Rockwell Automation RSLinx Classic versions 4.10.00 and prior.

7.5
2019-04-04 CVE-2018-20222 Airsonic Project XXE vulnerability in Airsonic Project Airsonic

XXE issue in Airsonic before 10.1.2 during parse.

7.5
2019-04-04 CVE-2018-10244 Suricata IDS Integer Overflow or Wraparound vulnerability in Suricata-Ids Suricata 4.0.4

Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/IP PDU.

7.5
2019-04-04 CVE-2018-10243 Oisf Out-of-bounds Read vulnerability in Oisf Libhtp 0.5.26

htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header.

7.5
2019-04-04 CVE-2019-10844 Sony Improper Input Validation vulnerability in Sony Neural Network Libraries

nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka nnabla) through v1.0.14 relies on the HOME environment variable, which might be untrusted.

7.5
2019-04-03 CVE-2015-5463 Axiomsl Improper Authorization vulnerability in Axiomsl Axiom 9.5.3

AxiomSL's Axiom java applet module (used for editing uploaded Excel files and associated Java RMI services) 9.5.3 and earlier allows remote attackers to (1) access data of other basic users through arbitrary SQL commands, (2) perform a horizontal and vertical privilege escalation, (3) cause a Denial of Service on global application, or (4) write/read/delete arbitrary files on server hosting the application.

7.5
2019-04-03 CVE-2018-4367 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved input validation.

7.5
2019-04-03 CVE-2018-4353 Apple Improper Input Validation vulnerability in Apple mac OS X

A configuration issue was addressed with additional restrictions.

7.5
2019-04-03 CVE-2018-4310 Apple Improper Privilege Management vulnerability in Apple Iphone OS and mac OS X

An access issue was addressed with additional sandbox restrictions.

7.5
2019-04-03 CVE-2018-4295 Apple Improper Input Validation vulnerability in Apple mac OS X

An input validation issue was addressed with improved input validation.

7.5
2019-04-03 CVE-2019-5421 Plataformatec Improper Restriction of Excessive Authentication Attempts vulnerability in Plataformatec Devise

Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method.

7.5
2019-04-02 CVE-2019-6506 Salesagility SQL Injection vulnerability in Salesagility Suitecrm 7.11.0

SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection.

7.5
2019-04-02 CVE-2019-10708 S CMS SQL Injection vulnerability in S-Cms 1.0

S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.

7.5
2019-04-02 CVE-2019-10707 Mkcms Project SQL Injection vulnerability in Mkcms Project Mkcms 5.0

MKCMS V5.0 has SQL injection via the bplay.php play parameter.

7.5
2019-04-02 CVE-2019-7475 Sonicwall Improper Access Control vulnerability in Sonicwall Sonicos and Sonicosv

A vulnerability in SonicWall SonicOS and SonicOSv with management enabled system on specific configuration allow unprivileged user to access advanced routing services.

7.5
2019-04-02 CVE-2019-10692 Codecabin SQL Injection vulnerability in Codecabin WP Google Maps

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

7.5
2019-04-02 CVE-2019-9759 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 10.18.190121

An issue was discovered in TONGDA Office Anywhere 10.18.190121.

7.5
2019-04-01 CVE-2018-17564 Grandstream Unspecified vulnerability in Grandstream products

A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device.

7.5
2019-04-01 CVE-2019-5523 Vmware Session Fixation vulnerability in VMWare Vcloud Director 9.5.0.0/9.5.0.1/9.5.0.2

VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals.

7.5
2019-04-01 CVE-2019-10686 Ctrip Server-Side Request Forgery (SSRF) vulnerability in Ctrip Apollo

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT.

7.5
2019-04-01 CVE-2019-5889 Overit Path Traversal vulnerability in Overit Geocall 6.3

An log-management directory traversal issue was discovered in OverIT Geocall 6.3 before build 2:346977.

7.5
2019-04-01 CVE-2019-10684 74Cms Code Injection vulnerability in 74Cms 5.0.1

Application/Admin/Controller/ConfigController.class.php in 74cms v5.0.1 allows remote attackers to execute arbitrary PHP code via the index.php?m=Admin&c=config&a=edit site_domain parameter.

7.5
2019-04-04 CVE-2018-13918 Qualcomm Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products

kernel could return a received message length higher than expected, which leads to buffer overflow in a subsequent operation and stops normal operation in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, in MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDX24, SM7150

7.2
2019-04-04 CVE-2018-11970 Qualcomm Unspecified vulnerability in Qualcomm products

TZ App dynamic allocations not protected from XBL loader in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9206, MDM9607, MDM9650, MDM9655, QCS605, SD 410/12, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SD 8CX, SDA660, SDM630, SDM660, SXR1130

7.2
2019-04-04 CVE-2018-11966 Qualcomm Improper Input Validation vulnerability in Qualcomm products

Undefined behavior in UE while processing unknown IEI in OTA message in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SM7150, Snapdragon_High_Med_2016, SXR1130

7.2
2019-04-04 CVE-2018-11830 Qualcomm Improper Input Validation vulnerability in Qualcomm products

Improper input validation in QCPE create function may lead to integer overflow in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, SD 410/12, SD 820A

7.2
2019-04-03 CVE-2019-4014 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.

7.2
2019-04-03 CVE-2018-1936 IBM
Linux
Microsoft
Out-of-bounds Write vulnerability in IBM DB2

IBM DB2 9.7, 10.1, 10.5, and 11.1 libdb2e.so.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code.

7.2
2019-04-02 CVE-2018-4049 GOG Incorrect Permission Assignment for Critical Resource vulnerability in GOG Galaxy 1.2.48.36

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's “Games” directory, version 1.2.48.36 (Windows 64-bit Installer).

7.2
2019-04-02 CVE-2018-3974 GOG Incorrect Permission Assignment for Critical Resource vulnerability in GOG Galaxy 1.2.45.61

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's install directory.

7.2
2019-04-01 CVE-2019-5519 Vmware Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in VMWare Esxi, Fusion and Workstation

VMware ESXi (6.7 before ESXi670-201903001, 6.5 before ESXi650-201903001, 6.0 before ESXi600-201903001), Workstation (15.x before 15.0.4, 14.x before 14.1.7), Fusion (11.x before 11.0.3, 10.x before 10.1.6) contain a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface).

7.2
2019-04-01 CVE-2019-5518 Vmware Out-of-bounds Read vulnerability in VMWare Esxi, Fusion and Workstation

VMware ESXi (6.7 before ESXi670-201903001, 6.5 before ESXi650-201903001, 6.0 before ESXi600-201903001), Workstation (15.x before 15.0.4, 14.x before 14.1.7), Fusion (11.x before 11.0.3, 10.x before 10.1.6) contain an out-of-bounds read/write vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface).

7.2
2019-04-01 CVE-2019-8956 Linux
Canonical
Use After Free vulnerability in multiple products

In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.

7.2
2019-04-01 CVE-2018-4050 GOG Incorrect Permission Assignment for Critical Resource vulnerability in GOG Galaxy 1.2.47

An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS.

7.2
2019-04-03 CVE-2018-4413 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory initialization issue was addressed with improved memory handling.

7.1
2019-04-03 CVE-2018-4363 Apple Improper Input Validation vulnerability in Apple Iphone OS, Tvos and Watchos

An input validation issue existed in the kernel.

7.1
2019-04-03 CVE-2018-4289 Apple Information Exposure vulnerability in Apple mac OS X

An information disclosure issue was addressed by removing the vulnerable code.

7.1

291 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-06 CVE-2019-10905 Parsedown Cross-site Scripting vulnerability in Parsedown

Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class.

6.8
2019-04-05 CVE-2019-10888 Ukcms Cross-Site Request Forgery (CSRF) vulnerability in Ukcms 1.1.10

A CSRF Issue that can add an admin user was discovered in UKcms v1.1.10 via admin.php/admin/role/add.html.

6.8
2019-04-05 CVE-2019-10874 Boltcms Cross-Site Request Forgery (CSRF) vulnerability in Boltcms Bolt 3.6.6

Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file.

6.8
2019-04-05 CVE-2019-10872 Freedesktop Out-of-bounds Read vulnerability in Freedesktop Poppler 0.74.0

An issue was discovered in Poppler 0.74.0.

6.8
2019-04-03 CVE-2015-5384 Axiomsl Session Fixation vulnerability in Axiomsl Axiom 9.5.3

AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnerable to a Session Fixation attack.

6.8
2019-04-03 CVE-2019-10240 Eclipse Cleartext Transmission of Sensitive Information vulnerability in Eclipse Hawkbit

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS.

6.8
2019-04-03 CVE-2018-4464 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4443 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4442 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4441 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4438 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A logic issue existed resulting in memory corruption.

6.8
2019-04-03 CVE-2018-4437 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4435 Apple Improper Input Validation vulnerability in Apple products

A logic issue was addressed with improved restrictions.

6.8
2019-04-03 CVE-2018-4423 Apple Improper Input Validation vulnerability in Apple mac OS X

A logic issue was addressed with improved validation.

6.8
2019-04-03 CVE-2018-4416 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4414 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4412 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4411 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4394 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4392 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4386 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4384 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS and Watchos

A memory corruption issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4382 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4378 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

6.8
2019-04-03 CVE-2018-4376 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4375 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4373 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4372 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4371 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4361 Apple
Microsoft
Unspecified vulnerability in Apple products

A memory consumption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4360 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4359 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4358 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4354 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4347 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4341 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4328 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4326 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS and mac OS X

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4323 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4318 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4317 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4316 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

6.8
2019-04-03 CVE-2018-4315 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4314 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4312 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4306 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4303 Apple Improper Input Validation vulnerability in Apple products

An input validation issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4299 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4284 Apple
Microsoft
Incorrect Type Conversion or Cast vulnerability in Apple products

A type confusion issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4280 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4275 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4272 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4269 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

6.8
2019-04-03 CVE-2018-4267 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4265 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4264 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4263 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4261 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-4197 Apple
Microsoft
Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2019-04-03 CVE-2018-4191 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

6.8
2019-04-03 CVE-2018-4145 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved memory handling.

6.8
2019-04-03 CVE-2018-20506 Sqlite
Apple
Opensuse
Integer Overflow or Wraparound vulnerability in multiple products

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).

6.8
2019-04-02 CVE-2019-4080 IBM Resource Exhaustion vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper parameter parsing.

6.8
2019-04-02 CVE-2018-1622 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2019-04-01 CVE-2019-5514 Vmware Improper Input Validation vulnerability in VMWare Fusion 11.0.0/11.0.1/11.0.2

VMware VMware Fusion (11.x before 11.0.3) contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket.

6.8
2019-04-01 CVE-2019-9132 Kakaocorp Improper Input Validation vulnerability in Kakaocorp Kakaotalk 2.7.5.2024

Remote code execution vulnerability exists in KaKaoTalk PC messenger when user clicks specially crafted link in the message window.

6.8
2019-04-01 CVE-2018-13298 Synology Unspecified vulnerability in Synology Moments

Channel accessible by non-endpoint vulnerability in privacy page in Synology Android Moments before 1.2.3-199 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.

6.8
2019-04-01 CVE-2014-7198 Openmicroscopy Cross-Site Request Forgery (CSRF) vulnerability in Openmicroscopy Omero

OMERO before 5.0.6 has multiple CSRF vulnerabilities because the framework for OMERO's web interface lacks CSRF protection.

6.8
2019-04-03 CVE-2018-4434 Apple Out-of-bounds Read vulnerability in Apple mac OS X

An out-of-bounds read was addressed with improved input validation.

6.6
2019-04-04 CVE-2019-10867 Pimcore Deserialization of Untrusted Data vulnerability in Pimcore

An issue was discovered in Pimcore before 5.7.1.

6.5
2019-04-04 CVE-2019-10863 Combodo Code Injection vulnerability in Combodo Teemip

A command injection vulnerability exists in TeemIp versions before 2.4.0.

6.5
2019-04-04 CVE-2019-7001 Avaya SQL Injection vulnerability in Avaya IP Office Contact Center

A SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system.

6.5
2019-04-03 CVE-2018-4407 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

6.5
2019-04-01 CVE-2019-3876 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat Openshift Container Platform

A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections.

6.3
2019-04-01 CVE-2019-5888 Overit Cross-site Scripting vulnerability in Overit Geocall 6.3

Multiple XSS vulnerabilities were discovered in OverIT Geocall 6.3 before build 2:346977.

6.1
2019-04-04 CVE-2019-10856 Jupyter Open Redirect vulnerability in Jupyter Notebook

In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc.

5.8
2019-04-03 CVE-2018-4319 Apple Origin Validation Error vulnerability in Apple products

A cross-origin issue existed with "iframe" elements.

5.8
2019-04-03 CVE-2018-4311 Apple
Microsoft
Information Exposure vulnerability in Apple products

The issue was addressed by removing origin information.

5.8
2019-04-02 CVE-2018-15180 Qasymphony Open Redirect vulnerability in Qasymphony Qtest Manager 9.0.0

qTest Portal in QASymphony qTest Manager 9.0.0 has an Open Redirect via the /portal/loginform redirect parameter.

5.8
2019-04-01 CVE-2018-8913 Synology Open Redirect vulnerability in Synology web Station

Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL.

5.8
2019-04-01 CVE-2018-13283 Synology Unspecified vulnerability in Synology SSL VPN Client

Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.

5.8
2019-04-01 CVE-2017-16775 Synology Improper Input Validation vulnerability in Synology SSO Server

Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

5.8
2019-04-01 CVE-2019-1002101 Kubernetes
Redhat
Link Following vulnerability in multiple products

The kubectl cp command allows copying files between containers and the user machine.

5.8
2019-04-02 CVE-2019-4043 IBM XXE vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

5.5
2019-04-04 CVE-2019-3886 Redhat
Opensuse
Fedoraproject
Missing Authorization vulnerability in multiple products

An incorrect permissions check was discovered in libvirt 4.8.0 and above.

5.4
2019-04-03 CVE-2017-7151 Apple
Microsoft
Race Condition vulnerability in Apple products

A race condition was addressed with additional validation.

5.1
2019-04-07 CVE-2019-10907 Airsonic Project Inadequate Encryption Strength vulnerability in Airsonic Project Airsonic 10.2.1

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java.

5.0
2019-04-07 CVE-2019-10906 Palletsprojects
Fedoraproject
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
5.0
2019-04-05 CVE-2019-9489 Trendmicro Path Traversal vulnerability in Trendmicro products

A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (versions XG and 11.0), and Worry-Free Business Security (versions 10.0, 9.5 and 9.0) could allow an attacker to modify arbitrary files on the affected product's management console.

5.0
2019-04-05 CVE-2019-6554 Advantech Unspecified vulnerability in Advantech Webaccess

Advantech WebAccess/SCADA, Versions 8.3.5 and prior.

5.0
2019-04-04 CVE-2018-20229 Gitlab Path Traversal vulnerability in Gitlab

GitLab Community and Enterprise Edition before 11.3.14, 11.4.x before 11.4.12, and 11.5.x before 11.5.5 allows Directory Traversal.

5.0
2019-04-04 CVE-2018-10242 Suricata IDS
Debian
Out-of-bounds Read vulnerability in multiple products

Suricata version 4.0.4 incorrectly handles the parsing of the SSH banner.

5.0
2019-04-03 CVE-2015-5606 Axway Improper Input Validation vulnerability in Axway Vordel XML Gateway 7.2.2

Vordel XML Gateway (acquired by Axway) version 7.2.2 could allow remote attackers to cause a denial of service via a specially crafted request.

5.0
2019-04-03 CVE-2018-4436 Apple Improper Certificate Validation vulnerability in Apple Iphone OS, Tvos and Watchos

A certificate validation issue existed in configuration profiles.

5.0
2019-04-03 CVE-2018-4398 Apple
Microsoft
Improper Input Validation vulnerability in Apple products

An issue existed in the method for determining prime numbers.

5.0
2019-04-03 CVE-2018-4369 Apple Improper Input Validation vulnerability in Apple products

A logic issue was addressed with improved state management.

5.0
2019-04-03 CVE-2018-4366 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved input validation.

5.0
2019-04-03 CVE-2018-4356 Apple Unspecified vulnerability in Apple Iphone OS

A permissions issue existed.

5.0
2019-04-03 CVE-2018-4329 Apple Data Processing Errors vulnerability in Apple Iphone OS and Safari

Clearing a history item may not clear visits with redirect chains.

5.0
2019-04-03 CVE-2018-4321 Apple Improper Input Validation vulnerability in Apple Iphone OS, mac OS X and Tvos

A validation issue existed in the entitlement verification.

5.0
2019-04-03 CVE-2018-4293 Apple
Microsoft
Improper Input Validation vulnerability in Apple products

A cookie management issue was addressed with improved checks.

5.0
2019-04-03 CVE-2018-4279 Apple Improper Input Validation vulnerability in Apple Safari

An inconsistent user interface issue was addressed with improved state management.

5.0
2019-04-03 CVE-2018-4276 Apple NULL Pointer Dereference vulnerability in Apple mac OS X

A null pointer dereference was addressed with improved validation.

5.0
2019-04-03 CVE-2018-4274 Apple Improper Input Validation vulnerability in Apple Iphone OS and Safari

A spoofing issue existed in the handling of URLs.

5.0
2019-04-03 CVE-2018-4248 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

5.0
2019-04-03 CVE-2018-4203 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

5.0
2019-04-03 CVE-2018-20505 Sqlite
Apple
Microsoft
SQL Injection vulnerability in multiple products

SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).

5.0
2019-04-03 CVE-2019-5423 Http Live Simulator Project Path Traversal vulnerability in Http-Live-Simulator Project Http-Live-Simulator 1.0.5

Path traversal vulnerability in http-live-simulator npm package version 1.0.5 allows arbitrary path to be accessed on the file system by a remote attacker.

5.0
2019-04-02 CVE-2018-12680 Coapthon Project Deserialization of Untrusted Data vulnerability in Coapthon Project Coapthon

The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.

5.0
2019-04-02 CVE-2017-6049 3M Improper Authentication vulnerability in 3M Detcon Sitewatch Gateway

Detcon Sitewatch Gateway, all versions without cellular, an attacker can edit settings on the device using a specially crafted URL.

5.0
2019-04-02 CVE-2017-6047 3M Credentials Management vulnerability in 3M Detcon Sitewatch Gateway

Detcon Sitewatch Gateway, all versions without cellular, Passwords are presented in plaintext in a file that is accessible without authentication.

5.0
2019-04-02 CVE-2018-12679 Coapthon3 Project Deserialization of Untrusted Data vulnerability in Coapthon3 Project Coapthon3 1.0/1.0.1

The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP messages.

5.0
2019-04-02 CVE-2019-9946 Cncf
Kubernetes
Netapp
Always-Incorrect Control Flow Implementation vulnerability in multiple products

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes.

5.0
2019-04-02 CVE-2019-7477 Sonicwall Use of a Broken or Risky Cryptographic Algorithm vulnerability in Sonicwall Sonicos and Sonicosv

A vulnerability in SonicWall SonicOS and SonicOSv TLS CBC Cipher allow remote attackers to obtain sensitive plaintext data when CBC cipher suites are enabled.

5.0
2019-04-02 CVE-2018-1680 IBM Weak Password Requirements vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

5.0
2019-04-02 CVE-2018-1618 IBM Path Traversal vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could allow a remote attacker to traverse directories on the system.

5.0
2019-04-01 CVE-2019-3792 Pivotal Software SQL Injection vulnerability in Pivotal Software Concourse

Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection.

5.0
2019-04-01 CVE-2018-17563 Grandstream Missing Encryption of Sensitive Data vulnerability in Grandstream products

A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext.

5.0
2019-04-01 CVE-2019-6715 W3 Edge Unspecified vulnerability in W3-Edge Total Cache 0.9.2.5/0.9.3

pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

5.0
2019-04-01 CVE-2019-3489 Microfocus Unrestricted Upload of File with Dangerous Type vulnerability in Microfocus Content Manager 9.1/9.2/9.3

An unauthenticated file upload vulnerability has been identified in the Web Client component of Micro Focus Content Manager 9.1, 9.2, and 9.3 when configured to use the ADFS authentication method.

5.0
2019-04-01 CVE-2019-3836 GNU
Fedoraproject
Opensuse
Access of Uninitialized Pointer vulnerability in multiple products

It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.

5.0
2019-04-01 CVE-2018-13297 Synology Information Exposure vulnerability in Synology Drive

Information exposure vulnerability in SYNO.SynologyDrive.Files in Synology Drive before 1.1.2-10562 allows remote attackers to obtain sensitive system information via the dsm_path parameter.

5.0
2019-04-01 CVE-2018-13296 Synology Resource Exhaustion vulnerability in Synology Mailplus Server

Uncontrolled resource consumption vulnerability in TLS configuration in Synology MailPlus Server before 2.0.5-0606 allows remote attackers to conduct denial-of-service attacks via client-initiated renegotiation.

5.0
2019-04-01 CVE-2018-13289 Synology Information Exposure vulnerability in Synology Router Manager

Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.

5.0
2019-04-01 CVE-2018-13288 Synology Information Exposure vulnerability in Synology File Station

Information exposure vulnerability in SYNO.FolderSharing.List in Synology File Station before 1.2.3-0252 and before 1.1.5-0125 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.

5.0
2019-04-04 CVE-2018-11971 Qualcomm Information Exposure vulnerability in Qualcomm products

Interrupt exit code flow may undermine access control policy set forth by secure world can lead to potential secure asset leakage in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, in MDM9206, MDM9607, MDM9650, MDM9655, QCS605, SD 410/12, SD 615/16/SD 415, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SD 8CX, SDA660, SDM630, SDM660, SXR1130

4.9
2019-04-04 CVE-2018-11958 Qualcomm Unspecified vulnerability in Qualcomm products

Insufficient protection of keys in keypad can lead HLOS to gain access to confidential keypad input data in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9206, MDM9607, MDM9650, MDM9655, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016

4.9
2019-04-03 CVE-2018-4431 Apple Information Exposure vulnerability in Apple products

A memory initialization issue was addressed with improved memory handling.

4.9
2019-04-03 CVE-2018-4283 Apple Out-of-bounds Read vulnerability in Apple mac OS X

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

4.9
2019-04-03 CVE-2018-4282 Apple Out-of-bounds Read vulnerability in Apple Iphone OS, Tvos and Watchos

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

4.9
2019-04-02 CVE-2018-4051 GOG Incorrect Permission Assignment for Critical Resource vulnerability in GOG Galaxy 1.2.47

An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS.

4.9
2019-04-05 CVE-2019-10885 Ivanti Permissions, Privileges, and Access Controls vulnerability in Ivanti Workspace Control

An issue was discovered in Ivanti Workspace Control before 10.3.90.0.

4.6
2019-04-01 CVE-2018-19113 Pronestor Incorrect Permission Assignment for Critical Resource vulnerability in Pronestor Health Monitoring 8.1.11.0

The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.

4.4
2019-04-07 CVE-2019-10741 K 9 Mail Project 7PK - Security Features vulnerability in K-9 Mail Project K-9 Mail 5.600

K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within (digitally signed) reply messages.

4.3
2019-04-07 CVE-2019-10740 Roundcube
Fedoraproject
Opensuse
Cleartext Transmission of Sensitive Information vulnerability in multiple products

In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email.

4.3
2019-04-07 CVE-2019-10735 Claws Mail Unspecified vulnerability in Claws-Mail Mail 3.14.1

In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email.

4.3
2019-04-07 CVE-2019-10734 Trojita Project Inadequate Encryption Strength vulnerability in Trojita Project Trojita 0.7

In KDE Trojita 0.7, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email.

4.3
2019-04-07 CVE-2019-10732 KDE
Debian
Cleartext Transmission of Sensitive Information vulnerability in multiple products

In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email.

4.3
2019-04-06 CVE-2019-10904 Debian
Roundup Tracker
Cross-site Scripting vulnerability in multiple products

Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

4.3
2019-04-05 CVE-2019-10887 Salicru Cross-site Scripting vulnerability in Salicru Slc-20-Cube3(5) Cs121Snmp4.54.82.130611

A reflected HTML injection vulnerability on Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611 allows remote attackers to inject arbitrary HTML elements via a /DataLog.csv?log= or /AlarmLog.csv?log= or /waitlog.cgi?name= or /chart.shtml?data= or /createlog.cgi?name= request.

4.3
2019-04-05 CVE-2019-10884 Uniqkey Improper Authentication vulnerability in Uniqkey Password Manager 1.14

Uniqkey Password Manager 1.14 contains a vulnerability because it fails to recognize the difference between domains and sub-domains.

4.3
2019-04-05 CVE-2018-20816 Salesagility Cross-site Scripting vulnerability in Salesagility Suitecrm

An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking.

4.3
2019-04-05 CVE-2019-10875 MI Authentication Bypass by Spoofing vulnerability in MI Browser and Mint Browser

A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter.

4.3
2019-04-05 CVE-2019-10873 Freedesktop NULL Pointer Dereference vulnerability in Freedesktop Poppler 0.74.0

An issue was discovered in Poppler 0.74.0.

4.3
2019-04-05 CVE-2019-10871 Freedesktop Out-of-bounds Read vulnerability in Freedesktop Poppler 0.74.0

An issue was discovered in Poppler 0.74.0.

4.3
2019-04-04 CVE-2019-1828 Cisco Use of a Broken or Risky Cryptographic Algorithm vulnerability in Cisco Rv320 Firmware and Rv325 Firmware

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to access administrative credentials.

4.3
2019-04-04 CVE-2019-1827 Cisco Cross-site Scripting vulnerability in Cisco Rv320 Firmware and Rv325 Firmware

A vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.

4.3
2019-04-04 CVE-2019-10292 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Kmap

A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-10289 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Netsparker Cloud Scan

A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-10278 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jenkins-Reviewbot

A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003098 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Openid

A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003092 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Nomad

A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003090 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Soasta Cloudtest

A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003086 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Chef Sinatra

A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003084 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Zephyr Enterprise Test Management

A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003082 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Gearman

A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003080 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Openshift Deployer

A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003078 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins VMWare LAB Manager Slaves

A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003076 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Audit TO Database

A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2019-1003058 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins FTP Publisher

A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.

4.3
2019-04-04 CVE-2014-3603 Shibboleth Improper Validation of Certificate with Host Mismatch vulnerability in Shibboleth Identity Provider and Opensaml Java

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

4.3
2019-04-03 CVE-2015-5462 Axiomsl Injection vulnerability in Axiomsl Axiom 9.5.3

AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier allows remote attackers to inject HTML into the scoping dashboard features.

4.3
2019-04-03 CVE-2019-10723 Podofo Project Allocation of Resources Without Limits or Throttling vulnerability in Podofo Project Podofo 0.9.6

An issue was discovered in PoDoFo 0.9.6.

4.3
2019-04-03 CVE-2018-4470 Apple Unspecified vulnerability in Apple mac OS X

A privacy issue in the handling of Open Directory records was addressed with improved indexing.

4.3
2019-04-03 CVE-2018-4462 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4446 Apple Improper Input Validation vulnerability in Apple Iphone OS

This issue was addressed with improved entitlements.

4.3
2019-04-03 CVE-2018-4440 Apple
Microsoft
Improper Input Validation vulnerability in Apple products

A logic issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4439 Apple
Microsoft
Improper Input Validation vulnerability in Apple products

A logic issue was addressed with improved validation.

4.3
2019-04-03 CVE-2018-4429 Apple Improper Input Validation vulnerability in Apple Iphone OS and Watchos

A spoofing issue existed in the handling of URLs.

4.3
2019-04-03 CVE-2018-4418 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4417 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4409 Apple
Microsoft
Resource Exhaustion vulnerability in Apple products

A resource exhaustion issue was addressed with improved input validation.

4.3
2019-04-03 CVE-2018-4403 Apple Information Exposure vulnerability in Apple mac OS X

This issue was addressed by removing additional entitlements.

4.3
2019-04-03 CVE-2018-4400 Apple Improper Input Validation vulnerability in Apple Iphone OS, mac OS X and Watchos

A validation issue was addressed with improved logic.

4.3
2019-04-03 CVE-2018-4399 Apple Improper Input Validation vulnerability in Apple products

An access issue existed with privileged API calls.

4.3
2019-04-03 CVE-2018-4396 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4389 Apple Improper Input Validation vulnerability in Apple mac OS X

An inconsistent user interface issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4385 Apple Improper Input Validation vulnerability in Apple Iphone OS

A logic issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4377 Apple
Microsoft
Cross-site Scripting vulnerability in Apple products

A cross-site scripting issue existed in Safari.

4.3
2019-04-03 CVE-2018-4374 Apple
Microsoft
Cross-site Scripting vulnerability in Apple products

A logic issue was addressed with improved validation.

4.3
2019-04-03 CVE-2018-4365 Apple Out-of-bounds Read vulnerability in Apple Iphone OS

An out-of-bounds read was addressed with improved bounds checking.

4.3
2019-04-03 CVE-2018-4362 Apple Improper Input Validation vulnerability in Apple Iphone OS and Safari

An inconsistent user interface issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4355 Apple Information Exposure vulnerability in Apple Iphone OS and mac OS X

A configuration issue was addressed with additional restrictions.

4.3
2019-04-03 CVE-2018-4351 Apple Improper Initialization vulnerability in Apple mac OS X

A memory initialization issue was addressed with improved memory handling.

4.3
2019-04-03 CVE-2018-4346 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue existed which allowed local file access.

4.3
2019-04-03 CVE-2018-4345 Apple
Microsoft
Cross-site Scripting vulnerability in Apple products

A cross-site scripting issue existed in Safari.

4.3
2019-04-03 CVE-2018-4338 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4335 Apple Improper Input Validation vulnerability in Apple Iphone OS

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4333 Apple Improper Input Validation vulnerability in Apple Iphone OS and mac OS X

A validation issue was addressed with improved input sanitization.

4.3
2019-04-03 CVE-2018-4324 Apple Incorrect Permission Assignment for Critical Resource vulnerability in Apple mac OS X

A permissions issue existed in the handling of the Apple ID.

4.3
2019-04-03 CVE-2018-4309 Apple
Microsoft
Cross-site Scripting vulnerability in Apple products

A cross-site scripting issue existed in Safari.

4.3
2019-04-03 CVE-2018-4308 Apple Out-of-bounds Read vulnerability in Apple mac OS X

An out-of-bounds read was addressed with improved bounds checking.

4.3
2019-04-03 CVE-2018-4307 Apple Improper Input Validation vulnerability in Apple Iphone OS and Safari

A logic issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4304 Apple Improper Input Validation vulnerability in Apple products

A denial of service issue was addressed with improved validation.

4.3
2019-04-03 CVE-2018-4300 Apple Information Exposure vulnerability in Apple Cups

The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled.

4.3
2019-04-03 CVE-2018-4290 Apple Unspecified vulnerability in Apple Iphone OS and Watchos

A denial of service issue was addressed with improved memory handling.

4.3
2019-04-03 CVE-2018-4273 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved input validation.

4.3
2019-04-03 CVE-2018-4271 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved input validation.

4.3
2019-04-03 CVE-2018-4270 Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

4.3
2019-04-03 CVE-2018-4266 Apple
Microsoft
Race Condition vulnerability in Apple products

A race condition was addressed with additional validation.

4.3
2019-04-03 CVE-2018-4260 Apple Improper Input Validation vulnerability in Apple Iphone OS and Safari

An inconsistent user interface issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4216 Apple Unspecified vulnerability in Apple Iphone OS

A logic issue existed in the handling of call URLs.

4.3
2019-04-03 CVE-2018-4195 Apple Improper Input Validation vulnerability in Apple Safari

An inconsistent user interface issue was addressed with improved state management.

4.3
2019-04-03 CVE-2018-4153 Apple Injection vulnerability in Apple mac OS X

An injection issue was addressed with improved validation.

4.3
2019-04-03 CVE-2019-5422 Buttle Project Cross-site Scripting vulnerability in Buttle Project Buttle 0.2.0

XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server.

4.3
2019-04-02 CVE-2018-18035 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.

4.3
2019-04-02 CVE-2019-10714 Imagemagick Out-of-bounds Read vulnerability in Imagemagick

LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 allows out-of-bounds access, leading to a SIGSEGV.

4.3
2019-04-02 CVE-2019-6531 Kunbus Unspecified vulnerability in Kunbus Pr100088 Modbus Gateway Firmware 1.0.10232

An attacker could retrieve passwords from a HTTP GET request from the Kunbus PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) if the attacker is in an MITM position.

4.3
2019-04-01 CVE-2018-3979 Canonical
Nvidia
Resource Exhaustion vulnerability in multiple products

A remote denial-of-service vulnerability exists in the way the Nouveau Display Driver (the default Ubuntu Nvidia display driver) handles GPU shader execution.

4.3
2019-04-05 CVE-2019-9490 Trendmicro Unspecified vulnerability in Trendmicro Interscan web Security Virtual Appliance 6.5

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance version 6.5 SP2 could allow an non-authorized user to disclose administrative credentials.

4.0
2019-04-05 CVE-2019-10876 Openstack
Redhat
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3.
4.0
2019-04-05 CVE-2019-10868 Tryton
Debian
Missing Authorization vulnerability in multiple products

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right.

4.0
2019-04-04 CVE-2019-10299 Jenkins Credentials Management vulnerability in Jenkins Cloudcoreo Deploytime

Jenkins CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10298 Jenkins Credentials Management vulnerability in Jenkins Koji

Jenkins Koji Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10297 Jenkins Credentials Management vulnerability in Jenkins Sametime

Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10296 Jenkins Credentials Management vulnerability in Jenkins Serena SRA Deploy

Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10295 Jenkins Credentials Management vulnerability in Jenkins Crittercism-Dsym

Jenkins crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10294 Jenkins Credentials Management vulnerability in Jenkins Kmap

Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10293 Jenkins Permission Issues vulnerability in Jenkins Kmap

A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-10291 Jenkins Credentials Management vulnerability in Jenkins Netsparker Cloud Scan

Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10290 Jenkins Permission Issues vulnerability in Jenkins Netsparker Cloud Scan

A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-10288 Jenkins Credentials Management vulnerability in Jenkins Jabber Server

Jenkins Jabber Server Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10287 Jenkins Credentials Management vulnerability in Jenkins Youtrack-Plugin

Jenkins youtrack-plugin Plugin 0.7.1 and older stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10286 Jenkins Credentials Management vulnerability in Jenkins Deployhub

Jenkins DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10285 Jenkins Credentials Management vulnerability in Jenkins Minio Storage

Jenkins Minio Storage Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10284 Jenkins Credentials Management vulnerability in Jenkins Diawi Upload

Jenkins Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10283 Jenkins Credentials Management vulnerability in Jenkins Mabl

Jenkins mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10282 Jenkins Credentials Management vulnerability in Jenkins Klaros-Testmanagement

Jenkins Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10281 Jenkins Credentials Management vulnerability in Jenkins Relution Enterprise Appstore Publisher

Jenkins Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10280 Jenkins Credentials Management vulnerability in Jenkins Assembla Auth

Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-10279 Jenkins Permission Issues vulnerability in Jenkins Jenkins-Reviewbot

A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-10277 Jenkins Credentials Management vulnerability in Jenkins Starteam

Jenkins StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-10273 Zohocorp Improper Authentication vulnerability in Zohocorp Manageengine Servicedesk Plus 9.3

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users.

4.0
2019-04-04 CVE-2019-1003099 Jenkins Missing Authorization vulnerability in Jenkins Openid

A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003097 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Crowd Integration

Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003096 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Testfairy

Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003095 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Perfecto Mobile

Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003094 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Open STF

Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003093 Jenkins Missing Authorization vulnerability in Jenkins Nomad

A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003091 Jenkins Missing Authorization vulnerability in Jenkins Soasta Cloudtest

A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003089 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Upload TO Pgyer

Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003088 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Fabric Beta Publisher

Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003087 Jenkins Missing Authorization vulnerability in Jenkins Chef Sinatra

A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003085 Jenkins Missing Authorization vulnerability in Jenkins Zephyr Enterprise Test Management

A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003083 Jenkins Missing Authorization vulnerability in Jenkins Gearman

A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003081 Jenkins Missing Authorization vulnerability in Jenkins Openshift Deployer

A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003079 Jenkins Missing Authorization vulnerability in Jenkins VMWare LAB Manager Slaves

A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003077 Jenkins Missing Authorization vulnerability in Jenkins Audit TO Database

A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003075 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Audit TO Database

Jenkins Audit to Database Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003074 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Hyper.Sh Commons

Jenkins Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003073 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins VS Team Services Continuous Deployment

Jenkins VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003072 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Wildfly Deployer

Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003071 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Octopusdeploy

Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003070 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Veracode-Scanner

Jenkins veracode-scanner Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003069 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Aqua Security Scanner

Jenkins Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003068 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins VMWare Vrealize Automation

Jenkins VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003067 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Trac Publisher

Jenkins Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003066 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Bugzilla

Jenkins Bugzilla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003065 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Cloudshare Docker-Machine

Jenkins CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003064 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Aws-Device-Farm

Jenkins aws-device-farm Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003063 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Amazon SNS Build Notifier

Jenkins Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003062 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins AWS Cloudwatch Logs Publisher

Jenkins AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003061 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Jenkins-Cloudformation-Plugin

Jenkins jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003060 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Official Owasp ZAP

Jenkins Official OWASP ZAP Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003059 Jenkins Missing Authorization vulnerability in Jenkins FTP Publisher

A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

4.0
2019-04-04 CVE-2019-1003057 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Bitbucket Approve

Jenkins Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003056 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Websphere Deployer

Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003055 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins FTP Publisher

Jenkins FTP publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003054 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Jira Issue Updater

Jenkins Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003053 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Hockeyapp

Jenkins HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2019-04-04 CVE-2019-1003052 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins AWS Elastic Beanstalk Publisher

Jenkins AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-04 CVE-2019-1003051 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins IRC

Jenkins IRC Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2019-04-03 CVE-2018-4460 Apple Improper Input Validation vulnerability in Apple products

A denial of service issue was addressed by removing the vulnerable code.

4.0
2019-04-03 CVE-2018-4445 Apple Information Exposure vulnerability in Apple Iphone OS and Safari

"Clear History and Website Data" did not clear the history.

4.0
2019-04-03 CVE-2018-4406 Apple Improper Input Validation vulnerability in Apple mac OS X

A denial of service issue was addressed with improved validation.

4.0
2019-04-03 CVE-2018-4397 Apple Improper Input Validation vulnerability in Apple Support

Analytics data was sent using HTTP rather than HTTPS.

4.0
2019-04-03 CVE-2018-4368 Apple Improper Input Validation vulnerability in Apple products

A denial of service issue was addressed with improved validation.

4.0
2019-04-02 CVE-2019-7474 Sonicwall Improper Access Control vulnerability in Sonicwall Sonicos and Sonicosv

A vulnerability in SonicWall SonicOS and SonicOSv, allow authenticated read-only admin to leave the firewall in an unstable state by downloading certificate with specific extension.

4.0
2019-04-02 CVE-2018-1917 IBM Information Exposure vulnerability in IBM products

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an authenticated user to access JSP files and disclose sensitive information.

4.0
2019-04-02 CVE-2018-1906 IBM Unspecified vulnerability in IBM products

IBM InfoSphere Information Server 11.3, 11.5, and 11.7could allow an authenticated user to download code using a specially crafted HTTP request.

4.0
2019-04-02 CVE-2018-1626 IBM Session Fixation vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability.

4.0
2019-04-02 CVE-2018-1625 IBM Information Exposure vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 generates an error message that includes sensitive information about its environment, users, or associated data.

4.0
2019-04-01 CVE-2018-13299 Synology Path Traversal vulnerability in Synology Calendar

Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter.

4.0
2019-04-01 CVE-2018-13295 Synology Information Exposure vulnerability in Synology Application Service

Information exposure vulnerability in SYNO.Personal.Application.Info in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the version parameter.

4.0
2019-04-01 CVE-2018-13294 Synology Information Exposure vulnerability in Synology Application Service

Information exposure vulnerability in SYNO.Personal.Profile in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the uid parameter.

4.0
2019-04-01 CVE-2018-13292 Synology Information Exposure vulnerability in Synology Router Manager

Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration.

4.0
2019-04-01 CVE-2018-13291 Synology Information Exposure vulnerability in Synology Diskstation Manager

Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration.

4.0
2019-04-01 CVE-2018-13290 Synology Information Exposure vulnerability in Synology Router Manager

Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.

4.0
2019-04-01 CVE-2018-13287 Synology Incorrect Default Permissions vulnerability in Synology Router Manager

Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.

4.0
2019-04-01 CVE-2018-13286 Synology Incorrect Default Permissions vulnerability in Synology Diskstation Manager

Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.

4.0
2019-04-01 CVE-2019-1002100 Kubernetes Allocation of Resources Without Limits or Throttling vulnerability in Kubernetes

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g.

4.0

26 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-02 CVE-2019-4093 IBM
Microsoft
Incorrect Permission Assignment for Critical Resource vulnerability in IBM Spectrum Protect 8.1.7

IBM Tivoli Storage Manager (IBM Spectrum Protect 8.1.7) could allow a user to restore files and directories using IBM Spectrum Prootect Client Web User Interface on Windows that they should not have access to due to incorrect file permissions.

3.6
2019-04-03 CVE-2019-10261 Centos Webpanel Cross-site Scripting vulnerability in Centos-Webpanel Centos web Panel 0.9.8.789

CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.

3.5
2019-04-03 CVE-2018-1913 IBM Cross-site Scripting vulnerability in IBM Doors Next Generation

IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.3 and 6.0 through 6.0.6 is vulnerable to cross-site scripting.

3.5
2019-04-03 CVE-2018-1731 IBM Cross-site Scripting vulnerability in IBM Doors Next Generation 5.0/6.0/6.0.2

IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.3 and 6.0 through 6.0.6 is vulnerable to cross-site scripting.

3.5
2019-04-01 CVE-2018-17989 Dlink Cross-site Scripting vulnerability in Dlink Dsl-3782 Firmware 1.01

A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page.

3.5
2019-04-01 CVE-2018-13293 Synology Cross-site Scripting vulnerability in Synology Diskstation Manager

Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.

3.5
2019-04-01 CVE-2017-16774 Synology Cross-site Scripting vulnerability in Synology Diskstation Manager

Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.

3.5
2019-04-03 CVE-2018-4305 Apple Improper Input Validation vulnerability in Apple Iphone OS, Tvos and Watchos

An input validation issue was addressed with improved input validation.

3.3
2019-04-04 CVE-2018-20449 Linux
Netapp
Information Exposure vulnerability in multiple products

The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file.

2.1
2019-04-03 CVE-2018-4430 Apple Information Exposure vulnerability in Apple Iphone OS

A lock screen issue allowed access to contacts on a locked device.

2.1
2019-04-03 CVE-2018-4395 Apple Improper Input Validation vulnerability in Apple products

This issue was addressed with improved checks.

2.1
2019-04-03 CVE-2018-4388 Apple Information Exposure vulnerability in Apple Iphone OS

A lock screen issue allowed access to the share function on a locked device.

2.1
2019-04-03 CVE-2018-4387 Apple Information Exposure vulnerability in Apple Iphone OS

A lock screen issue allowed access to photos via Reply With Message on a locked device.

2.1
2019-04-03 CVE-2018-4380 Apple Information Exposure vulnerability in Apple Iphone OS

A lock screen issue allowed access to photos and contacts on a locked device.

2.1
2019-04-03 CVE-2018-4379 Apple Information Exposure vulnerability in Apple Iphone OS

A lock screen issue allowed access to the share function on a locked device.

2.1
2019-04-03 CVE-2018-4352 Apple Information Exposure vulnerability in Apple Iphone OS

A consistency issue existed in the handling of application snapshots.

2.1
2019-04-03 CVE-2018-4348 Apple Improper Input Validation vulnerability in Apple mac OS X

A validation issue was addressed with improved logic.

2.1
2019-04-03 CVE-2018-4342 Apple Improper Input Validation vulnerability in Apple mac OS X

A configuration issue was addressed with additional restrictions.

2.1
2019-04-03 CVE-2018-4325 Apple Information Exposure vulnerability in Apple Iphone OS

A logic issue was addressed with improved restrictions.

2.1
2019-04-03 CVE-2018-4322 Apple Improper Input Validation vulnerability in Apple Iphone OS

This issue was addressed with improved entitlements.

2.1
2019-04-03 CVE-2018-4313 Apple Improper Input Validation vulnerability in Apple Iphone OS, Tvos and Watchos

A consistency issue existed in the handling of application snapshots.

2.1
2019-04-03 CVE-2018-4178 Apple Incorrect Permission Assignment for Critical Resource vulnerability in Apple mac OS X

A permissions issue existed in which execute permission was incorrectly granted.

2.1
2019-04-02 CVE-2018-4053 GOG Improper Input Validation vulnerability in GOG Galaxy 1.2.47

An exploitable local denial-of-service vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS.

2.1
2019-04-02 CVE-2018-4052 GOG Information Exposure vulnerability in GOG Galaxy 1.2.47

An exploitable local information leak vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS.

2.1
2019-04-02 CVE-2018-1874 IBM Information Exposure vulnerability in IBM API Connect

IBM API Connect 5.0.0.0 through 5.0.8.5 could display highly sensitive information to an attacker with physical access to the system.

2.1
2019-04-02 CVE-2018-1623 IBM Information Exposure vulnerability in IBM Security Privileged Identity Manager 2.1.1

IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 allows web pages to be stored locally which can be read by another user on the system.

2.1