Weekly Vulnerabilities Reports > April 22 to 28, 2019

Overview

437 new vulnerabilities reported during this period, including 19 critical vulnerabilities and 64 high severity vulnerabilities. This weekly summary report vulnerabilities in 434 products from 136 vendors including Oracle, Canonical, Mozilla, IBM, and Redhat. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "SQL Injection", and "Out-of-bounds Write".

  • 394 reported vulnerabilities are remotely exploitables.
  • 23 reported vulnerabilities have public exploit available.
  • 89 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 329 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 163 reported vulnerabilities.
  • Dell has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

19 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-26 CVE-2019-3707 Dell Unspecified vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 3.30.30.30 contain an authentication bypass vulnerability.

10.0
2019-04-26 CVE-2019-3706 Dell Unspecified vulnerability in Dell Idrac9 Firmware 3.20.21.20/3.21.24.22/3.23.23.23

Dell EMC iDRAC9 versions prior to 3.24.24.24, 3.21.26.22, 3.22.22.22 and 3.21.25.22 contain an authentication bypass vulnerability.

10.0
2019-04-26 CVE-2019-3705 Dell Out-Of-Bounds Write vulnerability in Dell products

Dell EMC iDRAC6 versions prior to 2.92, iDRAC7/iDRAC8 versions prior to 2.61.60.60, and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 contain a stack-based buffer overflow vulnerability.

10.0
2019-04-25 CVE-2018-19442 Neatorobotics Buffer Errors vulnerability in Neatorobotics Botvac Connected Firmware 2.2.0

A Buffer Overflow in Network::AuthenticationClient::VerifySignature in /bin/astro in Neato Botvac Connected 2.2.0 allows a remote attacker to execute arbitrary code with root privileges via a crafted POST request to a vendors/neato/robots/[robot_serial]/messages Neato cloud URI on the nucleo.neatocloud.com web site (port 4443).

10.0
2019-04-24 CVE-2018-20434 Librenms OS Command Injection vulnerability in Librenms 1.46

LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.

10.0
2019-04-24 CVE-2019-7214 Smartertools Deserialization of Untrusted Data vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data.

10.0
2019-04-24 CVE-2019-11081 Dentsplysirona Improper Authentication vulnerability in Dentsplysirona Sidexis 4.2

A default username and password in Dentsply Sirona Sidexis 4.3.1 and earlier allows an attacker to gain administrative access to the application server.

10.0
2019-04-23 CVE-2019-7304 Canonical Incorrect Authorization vulnerability in Canonical Snapd and Ubuntu Linux

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root.

10.0
2019-04-23 CVE-2019-11469 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection.

10.0
2019-04-22 CVE-2019-11448 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0.

10.0
2019-04-25 CVE-2018-14999 Leagoo Unspecified vulnerability in Leagoo P1 Firmware

The Leagoo P1 device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.wtk.factory (versionCode=1, versionName=1.0) that contains an exported broadcast receiver named com.wtk.factory.MMITestReceiver allows any app co-located on the device to programmatically initiate a factory reset.

9.4
2019-04-25 CVE-2018-14994 Essential Improper Input Validation vulnerability in Essential Phone Firmware

The Essential Phone Android device with a build fingerprint of essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys contains a pre-installed platform app with a package name of com.ts.android.hiddenmenu (versionName=1.0, platformBuildVersionName=8.1.0) that contains an exported activity app component named com.ts.android.hiddenmenu.rtn.RTNResetActivity that allows any app co-located on the device to programmatically initiate a factory reset.

9.4
2019-04-25 CVE-2018-14989 Plum Mobile Improper Input Validation vulnerability in Plum-Mobile Compass Firmware

The Plum Compass Android device with a build fingerprint of PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-eng.root.20161223.224055) that contains an exported broadcast receiver app component which allows any app co-located on the device to programmatically perform a factory reset.

9.4
2019-04-22 CVE-2015-1326 Python Dbusmock Project Improper Input Validation vulnerability in Python-Dbusmock Project Python-Dbusmock

python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file.

9.3
2019-04-22 CVE-2019-11416 Intelbras Cross-Site Request Forgery (CSRF) vulnerability in Intelbras IWR 3000N Firmware 1.5.0

A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, leading to complete control of the router, as demonstrated by v1/system/user.

9.3
2019-04-25 CVE-2019-11489 Simplybook Unspecified vulnerability in Simplybook

Incorrect Access Control in the Administrative Management Interface in SimplyBook.me Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI.

9.0
2019-04-25 CVE-2018-16660 Imperva OS Command Injection vulnerability in Imperva Securesphere 13.0.10/13.1.10/13.2.10

A command injection vulnerability in PWS in Imperva SecureSphere 13.0.0.10 and 13.1.0.10 Gateway allows an attacker with authenticated access to execute arbitrary OS commands on a vulnerable installation.

9.0
2019-04-22 CVE-2019-11445 Openkm Unrestricted Upload of File With Dangerous Type vulnerability in Openkm

OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site, via frontend/FileUpload and admin/repository_export.jsp.

9.0
2019-04-22 CVE-2019-11444 Liferay OS Command Injection vulnerability in Liferay Portal 7.1.2

** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3.

9.0

64 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-25 CVE-2019-3721 Dell Allocation of Resources Without Limits OR Throttling vulnerability in Dell EMC Openmanage Server Administrator

Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain an Improper Range Header Processing Vulnerability.

7.8
2019-04-25 CVE-2018-14559 Tenda Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Tenda Ac10 Firmware, AC7 Firmware and AC9 Firmware

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10).

7.8
2019-04-25 CVE-2018-14557 Tenda Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Tenda Ac10 Firmware, AC7 Firmware and AC9 Firmware

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10).

7.8
2019-04-22 CVE-2019-6155 IBM Unspecified vulnerability in IBM products

A potential vulnerability was found in an SMI handler in various BIOS versions of certain legacy IBM System x and IBM BladeCenter systems that could lead to denial of service.

7.8
2019-04-22 CVE-2019-11415 Intelbras Unspecified vulnerability in Intelbras IWR 3000N Firmware 1.5.0

An issue was discovered on Intelbras IWR 3000N 1.5.0 devices.

7.8
2019-04-25 CVE-2018-16216 Audiocodes OS Command Injection vulnerability in Audiocodes 405Hd Firmware 2.2.12

A command injection (missing input validation, escaping) in the monitoring or memory status web interface in AudioCodes 405HD (firmware 2.2.12) VoIP phone allows an authenticated remote attacker in the same network as the device to trigger OS commands (like starting telnetd or opening a reverse shell) via a POST request to the web server.

7.7
2019-04-28 CVE-2019-11577 Dhcpcd Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Dhcpcd Project Dhcpcd

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses.

7.5
2019-04-28 CVE-2019-11576 Gitea Improper Authentication vulnerability in Gitea

Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment.

7.5
2019-04-27 CVE-2019-11565 Print MY Blog Project Server-Side Request Forgery (SSRF) vulnerability in Print MY Blog Project Print MY Blog

Server Side Request Forgery (SSRF) exists in the Print My Blog plugin before 1.6.7 for WordPress via the site parameter.

7.5
2019-04-26 CVE-2019-2725 Oracle Injection vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).

7.5
2019-04-26 CVE-2019-9805 Mozilla USE of Uninitialized Resource vulnerability in Mozilla Firefox

A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption.

7.5
2019-04-26 CVE-2019-9804 Mozilla
Apple
OS Command Injection vulnerability in Mozilla Firefox

In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted.

7.5
2019-04-26 CVE-2019-9796 Mozilla USE After Free vulnerability in Mozilla Firefox and Firefox ESR

A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected.

7.5
2019-04-26 CVE-2019-9795 Mozilla Reachable Assertion vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird

A vulnerability where type-confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash.

7.5
2019-04-26 CVE-2019-9794 Mozilla
Microsoft
Improper Input Validation vulnerability in Mozilla Firefox and Firefox ESR

A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs.

7.5
2019-04-26 CVE-2019-9792 Mozilla Buffer Errors vulnerability in Mozilla Firefox and Firefox ESR

The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout.

7.5
2019-04-26 CVE-2019-9791 Mozilla Improper Input Validation vulnerability in Mozilla Firefox and Firefox ESR

The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR).

7.5
2019-04-26 CVE-2019-9790 Mozilla USE After Free vulnerability in Mozilla Firefox and Firefox ESR

A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use.

7.5
2019-04-26 CVE-2019-9789 Mozilla Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers and community members reported memory safety bugs present in Firefox 65.

7.5
2019-04-26 CVE-2019-9788 Mozilla Buffer Errors vulnerability in Mozilla Firefox and Firefox ESR

Mozilla developers and community members reported memory safety bugs present in Firefox 65, Firefox ESR 60.5, and Thunderbird 60.5.

7.5
2019-04-26 CVE-2018-18512 Mozilla USE After Free vulnerability in Mozilla Thunderbird

A use-after-free vulnerability can occur while playing a sound notification in Thunderbird.

7.5
2019-04-26 CVE-2019-11540 Pulsesecure Unspecified vulnerability in Pulsesecure Pulse Connect Secure and Pulse Policy Secure

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.

7.5
2019-04-25 CVE-2018-18285 Mitel SQL Injection vulnerability in Mitel CMG Suite 8.4

SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the login interface.

7.5
2019-04-25 CVE-2018-14991 Coolpad
T Mobile
Improper Input Validation vulnerability in multiple products

The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app.

7.5
2019-04-25 CVE-2018-18286 Mitel SQL Injection vulnerability in Mitel CMG Suite 8.4

SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the changepwd interface.

7.5
2019-04-25 CVE-2017-16558 Contao SQL Injection vulnerability in Contao CMS

Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module.

7.5
2019-04-25 CVE-2019-9901 Envoyproxy USE of Incorrectly-Resolved Name OR Reference vulnerability in Envoyproxy Envoy

Envoy 1.9.0 and before does not normalize HTTP URL paths.

7.5
2019-04-25 CVE-2018-20053 Cerner Unspecified vulnerability in Cerner Connectivity Engine 4 Firmware

An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices.

7.5
2019-04-25 CVE-2019-9900 Envoyproxy Improper Input Validation vulnerability in Envoyproxy Envoy

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0).

7.5
2019-04-24 CVE-2018-7575 Google Integer Overflow OR Wraparound vulnerability in Google Tensorflow

Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability.

7.5
2019-04-24 CVE-2018-18251 Deltek SQL Injection vulnerability in Deltek Vision 7.0/7.1

Deltek Vision 7.x before 7.6 permits the execution of any attacker supplied SQL statement through a custom RPC over HTTP protocol.

7.5
2019-04-24 CVE-2019-11217 Bonobogitserver Command Injection vulnerability in Bonobogitserver Bonobo GIT Server

The GitController in Jakub Chodounsky Bonobo Git Server before 6.5.0 allows execution of arbitrary commands in the context of the web server via a crafted http request.

7.5
2019-04-24 CVE-2019-9951 Western Digital Unrestricted Upload of File With Dangerous Type vulnerability in Western Digital products

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability.

7.5
2019-04-24 CVE-2019-9950 Westerndigital Weak Password Requirements vulnerability in Westerndigital products

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability.

7.5
2019-04-23 CVE-2019-7727 Nice Missing Authentication FOR Critical Function vulnerability in Nice Engage 6.5

In NICE Engage through 6.5, the default configuration binds an unauthenticated JMX/RMI interface to all network interfaces, without restricting registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol by using the JMX connector.

7.5
2019-04-23 CVE-2019-2658 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2019-04-23 CVE-2019-2646 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: EJB Container).

7.5
2019-04-23 CVE-2019-2645 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

7.5
2019-04-23 CVE-2019-2608 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

7.5
2019-04-23 CVE-2019-2558 Oracle Unspecified vulnerability in Oracle Retail Point-Of-Service 13.4/14.0/14.1

Vulnerability in the Oracle Retail Point-of-Service component of Oracle Retail Applications (subcomponent: Infrastructure).

7.5
2019-04-23 CVE-2019-2517 Oracle Unspecified vulnerability in Oracle Database Server 12.2.0.1/18C

Vulnerability in the Core RDBMS component of Oracle Database Server.

7.5
2019-04-23 CVE-2019-2424 Oracle Unspecified vulnerability in Oracle Retail Convenience Store Back Office 3.6

Vulnerability in the Oracle Retail Convenience Store Back Office component of Oracle Retail Applications (subcomponent: Level 3 Maintenance Functions).

7.5
2019-04-23 CVE-2019-11076 Cribl Command Injection vulnerability in Cribl 1.5.0

Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via an unauthenticated web request.

7.5
2019-04-22 CVE-2019-3899 Redhat
Heketi Project
Missing Authentication FOR Critical Function vulnerability in multiple products

It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse.

7.5
2019-04-22 CVE-2016-1585 Canonical 7PK - Security Features vulnerability in Canonical Apparmor

In all versions of AppArmor mount rules are accidentally widened when compiled.

7.5
2019-04-22 CVE-2016-1579 Canonical Permissions, Privileges, and Access Controls vulnerability in Canonical Ubuntu Download Manager

UDM provides support for running commands after a download is completed, this is currently made use of for click package installation.

7.5
2019-04-22 CVE-2011-3145 Mount Ecrpytfs Private Project 7PK - Security Features vulnerability in Mount.Ecrpytfs Private Project Mount.Ecrpytfs Private

When mount.ecrpytfs_private before version 87-0ubuntu1.2 calls setreuid() it doesn't also set the effective group id.

7.5
2019-04-22 CVE-2019-11450 Whatsns SQL Injection vulnerability in Whatsns 4.0

whatsns 4.0 allows index.php?question/ajaxadd.html title SQL injection.

7.5
2019-04-22 CVE-2019-11418 Trendnet Buffer Errors vulnerability in Trendnet Tew-632Brp Firmware 1.010B32

apply.cgi on the TRENDnet TEW-632BRP 1.010B32 router has a buffer overflow via long strings to the SOAPACTION:HNAP1 interface.

7.5
2019-04-22 CVE-2019-11417 Trendnet Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Trendnet Tv-Ip110Wn Firmware

system.cgi on TRENDnet TV-IP110WN cameras has a buffer overflow caused by an inadequate source-length check before a strcpy operation in the respondAsp function.

7.5
2019-04-22 CVE-2019-11411 Artifex Out-Of-Bounds Write vulnerability in Artifex Mujs 1.0.5

An issue was discovered in Artifex MuJS 1.0.5.

7.5
2019-04-22 CVE-2019-11395 Tabslab Buffer Errors vulnerability in Tabslab Mailcarrier 2.51

A buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long string, as demonstrated by SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR.

7.5
2019-04-22 CVE-2019-11235 Freeradius
Fedoraproject
Redhat
Canonical
Opensuse
Insufficient Verification of Data Authenticity vulnerability in multiple products

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

7.5
2019-04-22 CVE-2019-11234 Freeradius
Fedoraproject
Redhat
Canonical
Improper Authentication vulnerability in multiple products

FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.

7.5
2019-04-22 CVE-2018-20818 Openplcproject Buffer Errors vulnerability in Openplcproject Openplc V2 Firmware and Openplc V3 Firmware

A buffer overflow vulnerability was discovered in the OpenPLC controller, in the OpenPLC_v2 and OpenPLC_v3 versions.

7.5
2019-04-26 CVE-2019-6689 Dillonkane Command Injection vulnerability in Dillonkane Tidal Workload Automation 3.2.0.5

An issue was discovered in Dillon Kane Tidal Workload Automation Agent 3.2.0.5 (formerly known as Cisco Workload Automation or CWA).

7.2
2019-04-25 CVE-2018-14996 Oppo Unspecified vulnerability in Oppo F5 Firmware

The Oppo F5 Android device with a build fingerprint of OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys contains a pre-installed platform app with a package name of com.dropboxchmod (versionCode=1, versionName=1.0) that contains an exported service named com.dropboxchmod.DropboxChmodService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user.

7.2
2019-04-25 CVE-2018-14993 Asus Unspecified vulnerability in Asus Zenfone 3 MAX Firmware and Zenfone V Live Firmware

The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user.

7.2
2019-04-25 CVE-2018-20052 Cerner Insecure Default Initialization of Resource vulnerability in Cerner Connectivity Engine 4 Firmware

An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices.

7.2
2019-04-24 CVE-2019-11490 Nmap Double Free vulnerability in Nmap Npcap 0.992

An issue was discovered in Npcap 0.992.

7.2
2019-04-23 CVE-2019-11487 Linux USE After Free vulnerability in Linux Kernel

The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists.

7.2
2019-04-22 CVE-2015-1341 Canonical Permissions, Privileges, and Access Controls vulnerability in Canonical Apport and Ubuntu Linux

Any Python module in sys.path can be imported if the command line of the process triggering the coredump is Python and the first argument is -m in Apport before 2.19.2 function _python_module_path.

7.2
2019-04-23 CVE-2019-11470 Imagemagick Resource Exhaustion vulnerability in Imagemagick 7.0.826

The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size.

7.1
2019-04-23 CVE-2013-7470 Linux Resource Exhaustion vulnerability in Linux Kernel

cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.

7.1

317 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-23 CVE-2019-11486 Linux Race Condition vulnerability in Linux Kernel

The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.

6.9
2019-04-27 CVE-2019-11568 Aikcms Unrestricted Upload of File With Dangerous Type vulnerability in Aikcms 2.0

An issue was discovered in AikCms v2.0.

6.8
2019-04-26 CVE-2019-11557 WEB Dorado Path Traversal vulnerability in Web-Dorado WP Form Builder

The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.

6.8
2019-04-26 CVE-2019-7476 Sonicwall KEY Management Errors vulnerability in Sonicwall Global Management System

A vulnerability in SonicWall Global Management System (GMS), allow a remote user to gain access to the appliance using existing SSH key.

6.8
2019-04-26 CVE-2019-9813 Mozilla Type Confusion vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird

Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.

6.8
2019-04-26 CVE-2019-9810 Mozilla Buffer Errors vulnerability in Mozilla Firefox and Firefox ESR

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow.

6.8
2019-04-26 CVE-2015-9284 Omniauth Cross-Site Request Forgery (CSRF) vulnerability in Omniauth

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user.

6.8
2019-04-26 CVE-2019-11493 Verypdf Buffer Errors vulnerability in Verypdf 4.1

VeryPDF 4.1 has a Memory Overflow leading to Code Execution because pdfocx!CxImageTIF::operator in pdfocx.ocx (used by pdfeditor.exe and pdfcmd.exe) is mishandled.

6.8
2019-04-25 CVE-2019-11488 Simplybook Improper Authentication vulnerability in Simplybook

Incorrect Access Control in the Account Access / Password Reset Link in SimplyBook.me Enterprise before 2019-04-23 allows Unauthorized Attackers to READ/WRITE Customer or Administrator data via a persistent HTTP GET Request Hash Link Replay, as demonstrated by a login-link from the browser history.

6.8
2019-04-25 CVE-2018-18367 Symantec Untrusted Search Path vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead.

6.8
2019-04-25 CVE-2018-12244 Symantec Unspecified vulnerability in Symantec Endpoint Protection

SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files.

6.8
2019-04-25 CVE-2019-9139 Datools Integer Overflow OR Wraparound vulnerability in Datools Daviewindy

DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed PDF file that is mishandled by Daview.exe.

6.8
2019-04-25 CVE-2019-9138 Datools Integer Overflow OR Wraparound vulnerability in Datools Daviewindy

DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed PhotoShop file that is mishandled by Daview.exe.

6.8
2019-04-25 CVE-2019-9137 Hmtalk Integer Overflow OR Wraparound vulnerability in Hmtalk Daviewindy 8.98.4/8.98.7

DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnerability, triggered when the user opens a malformed Image file that is mishandled by Daview.exe.

6.8
2019-04-25 CVE-2019-9136 Datools Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Datools Daviewindy

DaviewIndy 8.98.7 and earlier versions have a Heap-based overflow vulnerability, triggered when the user opens a malformed JPEG2000 format file that is mishandled by Daview.exe.

6.8
2019-04-25 CVE-2019-9135 Datools Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Datools Daviewindy

DaviewIndy 8.98.7 and earlier versions have a Heap-based overflow vulnerability, triggered when the user opens a malformed DIB format file that is mishandled by Daview.exe.

6.8
2019-04-25 CVE-2018-18369 Symantec Untrusted Search Path vulnerability in Symantec products

Norton Security (Windows client) prior to 22.16.3 and SEP SBE (Windows client) prior to Cloud Agent 3.00.31.2817, NIS-22.15.2.22 & SEP-12.1.7484.7002, may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead.

6.8
2019-04-25 CVE-2019-3900 Linux
Fedoraproject
Redhat
Debian
Canonical
Netapp
Infinite Loop vulnerability in multiple products

An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx().

6.8
2019-04-24 CVE-2019-8991 Tibco Cross-Site Request Forgery (CSRF) vulnerability in Tibco products

The administrator web interface of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains multiple vulnerabilities that may allow for cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

6.8
2019-04-24 CVE-2019-11506 Graphicsmagick Out-Of-Bounds Write vulnerability in Graphicsmagick 1.3.30/1.3.31

In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file.

6.8
2019-04-24 CVE-2019-11505 Graphicsmagick Out-Of-Bounds Write vulnerability in Graphicsmagick

In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WritePDBImage of coders/pdb.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file.

6.8
2019-04-24 CVE-2019-9928 Gstreamer Project
Debian
Canonical
Out-Of-Bounds Write vulnerability in multiple products

GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

6.8
2019-04-24 CVE-2018-13443 Block Out-Of-Bounds Write vulnerability in Block Jit-Wasm 4.1

EOS.IO jit-wasm 4.1 has a heap-based buffer overflow via a crafted wast file.

6.8
2019-04-23 CVE-2018-8825 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Tensorflow

Google TensorFlow 1.7 and below is affected by: Buffer Overflow.

6.8
2019-04-23 CVE-2019-2699 Oracle Unspecified vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Windows DLL).

6.8
2019-04-23 CVE-2019-2698 Oracle
Redhat
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D).
6.8
2019-04-23 CVE-2019-2697 Oracle Unspecified vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D).

6.8
2019-04-23 CVE-2019-11471 Struktur USE After Free vulnerability in Struktur Libheif 1.4.0

libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

6.8
2019-04-23 CVE-2018-20819 Dropbox Out-Of-Bounds Write vulnerability in Dropbox Lepton 1.2.1

io/ZlibCompression.cc in the decompression component in Dropbox Lepton 1.2.1 allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact by crafting a jpg image file.

6.8
2019-04-22 CVE-2019-11460 Gnome Improper Input Validation vulnerability in Gnome Gnome-Desktop

An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1.

6.8
2019-04-22 CVE-2019-10248 Eclipse Incorrect Resource Transfer Between Spheres vulnerability in Eclipse Vorto

Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS.

6.8
2019-04-22 CVE-2019-11456 Gilacms Cross-Site Request Forgery (CSRF) vulnerability in Gilacms Gila CMS 1.10.1

Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code.

6.8
2019-04-22 CVE-2015-1340 Linuxcontainers Race Condition vulnerability in Linuxcontainers LXD

LXD before version 0.19-0ubuntu5 doUidshiftIntoContainer() has an unsafe Chmod() call that races against the stat in the Filepath.Walk() function.

6.8
2019-04-22 CVE-2011-1830 Ekiga Code Injection vulnerability in Ekiga

Ekiga versions before 3.3.0 attempted to load a module from /tmp/ekiga_test.so.

6.8
2019-04-27 CVE-2019-11567 Aikcms SQL Injection vulnerability in Aikcms 2.0

An issue was discovered in AikCms v2.0.

6.5
2019-04-26 CVE-2019-11542 Pulsesecure Out-Of-Bounds Write vulnerability in Pulsesecure Pulse Connect Secure and Pulse Policy Secure

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authenticated attacker (via the admin web interface) can send a specially crafted message resulting in a stack buffer overflow.

6.5
2019-04-26 CVE-2019-11539 Pulsesecure OS Command Injection vulnerability in Pulsesecure Pulse Connect Secure and Pulse Policy Secure

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

6.5
2019-04-25 CVE-2018-19359 Gitlab Unspecified vulnerability in Gitlab

GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.

6.5
2019-04-25 CVE-2019-11518 SEM CMS SQL Injection vulnerability in Sem-Cms Semcms 3.8

An issue was discovered in SEMCMS 3.8.

6.5
2019-04-24 CVE-2019-8992 Tibco Unrestricted Upload of File With Dangerous Type vulnerability in Tibco products

The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives ("Upload DAA" permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes.

6.5
2019-04-24 CVE-2019-11218 Bonobogitserver Data Processing Errors vulnerability in Bonobogitserver Bonobo GIT Server

Improper handling of extra parameters in the AccountController (User Profile edit) in Jakub Chodounsky Bonobo Git Server before 6.5.0 allows authenticated users to gain application administrator privileges via additional form parameter submissions.

6.5
2019-04-24 CVE-2019-10008 Zohocorp Session Fixation vulnerability in Zohocorp Servicedesk Plus 9.3

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

6.5
2019-04-23 CVE-2019-2638 Oracle Unspecified vulnerability in Oracle General Ledger

Vulnerability in the Oracle General Ledger component of Oracle E-Business Suite (subcomponent: Consolidation Hierarchy Viewer).

6.5
2019-04-23 CVE-2019-2633 Oracle Unspecified vulnerability in Oracle Work in Process

Vulnerability in the Oracle Work in Process component of Oracle E-Business Suite (subcomponent: Messages).

6.5
2019-04-23 CVE-2019-2570 Oracle Unspecified vulnerability in Oracle Siebel CRM 19.3

Vulnerability in the Siebel Core - Server BizLogic Script component of Oracle Siebel CRM (subcomponent: Integration - Scripting).

6.5
2019-04-23 CVE-2019-2557 Oracle Unspecified vulnerability in Oracle Application Testing Suite 13.3.0.1

Vulnerability in the Oracle Application Testing Suite component of Oracle Enterprise Manager Products Suite (subcomponent: Load Testing for Web Apps).

6.5
2019-04-23 CVE-2018-1317 Apache Improper Authentication vulnerability in Apache Zeppelin

In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.

6.5
2019-04-22 CVE-2019-11452 Whatsns SQL Injection vulnerability in Whatsns 4.0

whatsns 4.0 allows index.php?admin_category/remove.html cid[] SQL injection.

6.5
2019-04-22 CVE-2019-11451 Whatsns SQL Injection vulnerability in Whatsns 4.0

whatsns 4.0 allows index.php?inform/add.html qid SQL injection.

6.5
2019-04-22 CVE-2019-11447 Cutephp Unrestricted Upload of File With Dangerous Type vulnerability in Cutephp Cutenews 2.1.2

An issue was discovered in CutePHP CuteNews 2.1.2.

6.5
2019-04-22 CVE-2019-11446 Atutor Unrestricted Upload of File With Dangerous Type vulnerability in Atutor

An issue was discovered in ATutor through 2.2.4.

6.5
2019-04-22 CVE-2019-11401 Siteserver Unrestricted Upload of File With Dangerous Type vulnerability in Siteserver CMS 6.9.0

A issue was discovered in SiteServer CMS 6.9.0.

6.5
2019-04-26 CVE-2019-11219 Ilnkp2P Project Cryptographic Issues vulnerability in Ilnkp2P Project Ilnkp2P

The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.

6.4
2019-04-24 CVE-2019-7212 Smartertools USE of Hard-Coded Credentials vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys.

6.4
2019-04-23 CVE-2019-2713 Oracle Unspecified vulnerability in Oracle Commerce Merchandising 11.2.0.3

Vulnerability in the Oracle Commerce Merchandising component of Oracle Commerce (subcomponent: Asset Manager).

6.4
2019-04-23 CVE-2019-2705 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

6.4
2019-04-23 CVE-2019-2702 Oracle Unspecified vulnerability in Oracle Hospitality Cruise Dining Room Management 8.0.80

Vulnerability in the Oracle Hospitality Cruise Dining Room Management component of Oracle Hospitality Applications (subcomponent: Web Service).

6.4
2019-04-23 CVE-2019-2616 Oracle Unspecified vulnerability in Oracle Business Intelligence Publisher 11.1.1.9.0/12.2.1.3.0/12.2.1.4.0

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security).

6.4
2019-04-23 CVE-2019-2613 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

6.4
2019-04-23 CVE-2019-2612 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

6.4
2019-04-23 CVE-2019-2611 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

6.4
2019-04-23 CVE-2019-2610 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

6.4
2019-04-23 CVE-2019-2609 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.3/8.5.4

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters).

6.4
2019-04-23 CVE-2019-2571 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the RDBMS DataPump component of Oracle Database Server.

6.0
2019-04-23 CVE-2019-2518 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Java VM component of Oracle Database Server.

6.0
2019-04-23 CVE-2018-3312 Oracle Unspecified vulnerability in Oracle Retail Customer Engagement 16.0/17.0

Vulnerability in the Oracle Retail Customer Engagement component of Oracle Retail Applications (subcomponent: Segment).

6.0
2019-04-23 CVE-2018-3120 Oracle Unspecified vulnerability in Oracle Micros Lucas 2.9.5.6/2.9.5.7

Vulnerability in the MICROS Lucas component of Oracle Retail Applications (subcomponent: Security).

6.0
2019-04-26 CVE-2019-9803 Mozilla Origin Validation Error vulnerability in Mozilla Firefox

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS.

5.8
2019-04-26 CVE-2019-9798 Mozilla
Google
Untrusted Search Path vulnerability in Mozilla Firefox

On Android systems, Firefox can load a library from APITRACE_LIB, which is writable by all users and applications.

5.8
2019-04-25 CVE-2019-3788 Cloudfoundry Open Redirect vulnerability in Cloudfoundry UAA Release

Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri.

5.8
2019-04-25 CVE-2019-10955 Rockwellautomation Open Redirect vulnerability in Rockwellautomation products

In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versions Series B, v15.002 and earlier, MicroLogix 1100 Controllers v14.00 and earlier, CompactLogix 5370 L1 controllers v30.014 and earlier, CompactLogix 5370 L2 controllers v30.014 and earlier, CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and earlier, an open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine.

5.8
2019-04-25 CVE-2019-4092 IBM Open Redirect vulnerability in IBM Content Navigator 2.0.0/3.0.0

IBM Content Navigator 2.0.3 and 3.0CD could allow a remote attacker to conduct phishing attacks, using an open redirect attack.

5.8
2019-04-24 CVE-2019-8995 Tibco Open Redirect vulnerability in Tibco Activematrix BPM and Silver Fabric Enabler

The workspace client, openspace client, and app development client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain a vulnerability wherein a malicious URL could trick a user into visiting a website of the attacker's choice.

5.8
2019-04-24 CVE-2018-7577 Google Improper Input Validation vulnerability in Google Snappy and Tensorflow

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

5.8
2019-04-24 CVE-2018-10055 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Tensorflow

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.

5.8
2019-04-23 CVE-2019-2719 Oracle Unspecified vulnerability in Oracle Knowledge Management

Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: Web Applications (InfoCenter)).

5.8
2019-04-23 CVE-2019-2712 Oracle Unspecified vulnerability in Oracle Commerce Platform 11.2.0.3/11.3.1

Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework).

5.8
2019-04-23 CVE-2019-2709 Oracle Unspecified vulnerability in Oracle Transportation Management 6.3.7/6.4.2/6.4.3

Vulnerability in the Oracle Transportation Management component of Oracle Supply Chain Products Suite (subcomponent: Security).

5.8
2019-04-23 CVE-2019-2707 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Learning Management 9.2

Vulnerability in the PeopleSoft Enterprise ELM Enterprise Learning Management component of Oracle PeopleSoft Products (subcomponent: Application Search).

5.8
2019-04-23 CVE-2019-2706 Oracle Unspecified vulnerability in Oracle Business Process Management Suite 11.1.1.9.0

Vulnerability in the Oracle Business Process Management Suite component of Oracle Fusion Middleware (subcomponent: BPM Foundation Services).

5.8
2019-04-23 CVE-2019-2682 Oracle Unspecified vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Attachments / File Upload).

5.8
2019-04-23 CVE-2019-2677 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: Marketing Administration).

5.8
2019-04-23 CVE-2019-2675 Oracle Unspecified vulnerability in Oracle CRM Technical Foundation

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Preferences).

5.8
2019-04-23 CVE-2019-2671 Oracle Unspecified vulnerability in Oracle CRM Technical Foundation

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Preferences).

5.8
2019-04-23 CVE-2019-2665 Oracle Unspecified vulnerability in Oracle Common Applications

Vulnerability in the Oracle Common Applications component of Oracle E-Business Suite (subcomponent: CRM User Management Framework).

5.8
2019-04-23 CVE-2019-2664 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: Marketing Administration).

5.8
2019-04-23 CVE-2019-2663 Oracle Unspecified vulnerability in Oracle Advanced Outbound Telephony

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2019-04-23 CVE-2019-2662 Oracle Unspecified vulnerability in Oracle Territory Management

Vulnerability in the Oracle Territory Management component of Oracle E-Business Suite (subcomponent: Territory Administration).

5.8
2019-04-23 CVE-2019-2661 Oracle Unspecified vulnerability in Oracle Email Center

Vulnerability in the Oracle Email Center component of Oracle E-Business Suite (subcomponent: Message Display).

5.8
2019-04-23 CVE-2019-2660 Oracle Unspecified vulnerability in Oracle Knowledge Management

Vulnerability in the Oracle Knowledge Management component of Oracle E-Business Suite (subcomponent: Setup, Admin).

5.8
2019-04-23 CVE-2019-2659 Oracle Unspecified vulnerability in Oracle Commerce Platform 11.2.0.3

Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework).

5.8
2019-04-23 CVE-2019-2655 Oracle Unspecified vulnerability in Oracle Interaction Center Intelligence 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle Interaction Center Intelligence component of Oracle E-Business Suite (subcomponent: Business Intelligence (OLTP)).

5.8
2019-04-23 CVE-2019-2654 Oracle Unspecified vulnerability in Oracle One-To-One Fulfillment

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server).

5.8
2019-04-23 CVE-2019-2653 Oracle Unspecified vulnerability in Oracle One-To-One Fulfillment

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server).

5.8
2019-04-23 CVE-2019-2652 Oracle Unspecified vulnerability in Oracle Istore

Vulnerability in the Oracle iStore component of Oracle E-Business Suite (subcomponent: Shopping Cart).

5.8
2019-04-23 CVE-2019-2651 Oracle Unspecified vulnerability in Oracle Email Center

Vulnerability in the Oracle Email Center component of Oracle E-Business Suite (subcomponent: Message Display).

5.8
2019-04-23 CVE-2019-2643 Oracle Unspecified vulnerability in Oracle Trade Management

Vulnerability in the Oracle Trade Management component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2019-04-23 CVE-2019-2642 Oracle Unspecified vulnerability in Oracle Trade Management

Vulnerability in the Oracle Trade Management component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2019-04-23 CVE-2019-2641 Oracle Unspecified vulnerability in Oracle Trade Management

Vulnerability in the Oracle Trade Management component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2019-04-23 CVE-2019-2640 Oracle Unspecified vulnerability in Oracle Trade Management

Vulnerability in the Oracle Trade Management component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2019-04-23 CVE-2019-2639 Oracle Unspecified vulnerability in Oracle CRM Technical Foundation

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Preferences).

5.8
2019-04-23 CVE-2019-2637 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: PIA Core Technology).

5.8
2019-04-23 CVE-2019-2604 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: Marketing Administration).

5.8
2019-04-23 CVE-2019-2603 Oracle Unspecified vulnerability in Oracle One-To-One Fulfillment

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server).

5.8
2019-04-23 CVE-2019-2600 Oracle Unspecified vulnerability in Oracle Email Center

Vulnerability in the Oracle Email Center component of Oracle E-Business Suite (subcomponent: Message Display).

5.8
2019-04-23 CVE-2019-2597 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: PIA Core Technology).

5.8
2019-04-23 CVE-2019-2595 Oracle Unspecified vulnerability in Oracle Business Intelligence Publisher 11.1.1.9.0/12.2.1.3.0/12.2.1.4.0

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security).

5.8
2019-04-23 CVE-2019-2591 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Candidate Gateway 9.2

Vulnerability in the PeopleSoft Enterprise HRMS component of Oracle PeopleSoft Products (subcomponent: Candidate Gateway).

5.8
2019-04-23 CVE-2019-2590 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Talent Acquisition Manager 9.2

Vulnerability in the PeopleSoft Enterprise HCM Talent Acquisition Manager component of Oracle PeopleSoft Products (subcomponent: Job Opening).

5.8
2019-04-23 CVE-2019-2583 Oracle Unspecified vulnerability in Oracle Isupplier Portal

Vulnerability in the Oracle iSupplier Portal component of Oracle E-Business Suite (subcomponent: Attachments).

5.8
2019-04-23 CVE-2019-2551 Oracle Unspecified vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server).

5.8
2019-04-23 CVE-2017-12619 Apache Session Fixation vulnerability in Apache Zeppelin 0.6.1/0.6.2/0.7.2

Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session.

5.8
2019-04-22 CVE-2019-3902 Mercurial
Debian
Redhat
Link Following vulnerability in multiple products

A flaw was found in Mercurial before 4.9.

5.8
2019-04-22 CVE-2011-3151 Canonical Protection Mechanism Failure vulnerability in Canonical Selinux

The Ubuntu SELinux initscript before version 1:0.10 used touch to create a lockfile in a world-writable directory.

5.8
2019-04-22 CVE-2019-11405 Openapi Generator Missing Encryption of Sensitive Data vulnerability in Openapi-Generator Openapi Generator

OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies.

5.8
2019-04-24 CVE-2019-3868 Redhat Information Exposure vulnerability in Redhat Keycloak

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC.

5.5
2019-04-24 CVE-2019-7213 Smartertools Path Traversal vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 16.x before build 6985 allows directory traversal.

5.5
2019-04-23 CVE-2019-2629 Oracle Unspecified vulnerability in Oracle Health Sciences Data Management Workbench 2.4.8

Vulnerability in the Oracle Health Sciences Data Management Workbench component of Oracle Health Sciences Applications (subcomponent: User Interface).

5.5
2019-04-23 CVE-2019-2618 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

5.5
2019-04-23 CVE-2019-2598 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: SQR).

5.5
2019-04-22 CVE-2019-11455 Tildeslash
Debian
Out-Of-Bounds Read vulnerability in multiple products

A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters.

5.5
2019-04-28 CVE-2019-11579 Dhcpcd Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Dhcpcd Project Dhcpcd

dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow with DHO_OPTSOVERLOADED.

5.0
2019-04-26 CVE-2019-11492 Projectsend Information Exposure Through LOG Files vulnerability in Projectsend

ProjectSend before r1070 writes user passwords to the server logs.

5.0
2019-04-26 CVE-2019-9809 Mozilla Resource Management Errors vulnerability in Mozilla Firefox

If the source for resources on a page is through an FTP connection, it is possible to trigger a series of modal alert messages for these resources through invalid credentials or locations.

5.0
2019-04-26 CVE-2019-9808 Mozilla Origin Validation Error vulnerability in Mozilla Firefox

If WebRTC permission is requested from documents with data: or blob: URLs, the permission notifications do not properly display the originating domain.

5.0
2019-04-26 CVE-2019-9806 Mozilla Resource Management Errors vulnerability in Mozilla Firefox

A vulnerability exists during authorization prompting for FTP transaction where successive modal prompts are displayed and cannot be immediately dismissed.

5.0
2019-04-26 CVE-2019-9802 Mozilla Information Exposure vulnerability in Mozilla Firefox

If a Sandbox content process is compromised, it can initiate an FTP download which will then use a child process to render the downloaded data.

5.0
2019-04-26 CVE-2019-9801 Mozilla
Microsoft
Improper Input Validation vulnerability in Mozilla Firefox and Firefox ESR

Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems.

5.0
2019-04-26 CVE-2019-9799 Mozilla Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mozilla Firefox

Insufficient bounds checking of data during inter-process communication might allow a compromised content process to be able to read memory from the parent process under certain conditions.

5.0
2019-04-26 CVE-2019-9797 Mozilla Origin Validation Error vulnerability in Mozilla Firefox

Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element.

5.0
2019-04-26 CVE-2018-18513 Mozilla Null Pointer Dereference vulnerability in Mozilla Thunderbird

A crash can occur when processing a crafted S/MIME message or an XPI package containing a crafted signature.

5.0
2019-04-26 CVE-2018-18509 Mozilla Improper Verification of Cryptographic Signature vulnerability in Mozilla Thunderbird

A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature.

5.0
2019-04-26 CVE-2018-5179 Mozilla Missing Release of Resource After Effective Lifetime vulnerability in Mozilla Firefox

A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users.

5.0
2019-04-26 CVE-2019-11541 Pulsesecure Unspecified vulnerability in Pulsesecure Pulse Connect Secure

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX before 8.2R12.1, users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks.

5.0
2019-04-25 CVE-2019-3801 Cloudfoundry Improper Input Validation vulnerability in Cloudfoundry Cf-Deployment

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building.

5.0
2019-04-25 CVE-2018-15003 Coolpad
T Mobile
Improper Input Validation vulnerability in multiple products

The Coolpad Defiant (Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys) and the T-Mobile Revvl Plus (Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys) Android devices contain a pre-installed platform app with a package name of com.qualcomm.qti.telephony.extcarrierpack (versionCode=25, versionName=7.1.1) containing an exported broadcast receiver app component named com.qualcomm.qti.telephony.extcarrierpack.UiccReceiver that allows any app co-located on the device to programmatically perform a factory reset.

5.0
2019-04-25 CVE-2018-14990 Coolpad
T Mobile
Improper Input Validation vulnerability in multiple products

The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app.

5.0
2019-04-25 CVE-2018-1720 IBM USE of A Broken OR Risky Cryptographic Algorithm vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 5.2.0.1, 5.2.6.3_6, 6.0.0.0, and 6.0.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2019-04-25 CVE-2018-20823 Xiaomi Improper Input Validation vulnerability in Xiaomi MI 5S Firmware

The gyroscope on Xiaomi Mi 5s devices allows attackers to cause a denial of service (resonance and false data) via a 20.4 kHz audio signal, aka a MEMS ultrasound attack.

5.0
2019-04-25 CVE-2019-11514 Flarum Incomplete Cleanup vulnerability in Flarum 0.1.0

User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.

5.0
2019-04-24 CVE-2019-8993 Tibco Missing Authentication FOR Critical Function vulnerability in Tibco products

The administrative web server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability that could theoretically allow an unauthenticated user to download a file with credentials information.

5.0
2019-04-24 CVE-2019-11503 Canonical Link Following vulnerability in Canonical Snapd

snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."

5.0
2019-04-24 CVE-2019-11502 Canonical Link Following vulnerability in Canonical Snapd

snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user.

5.0
2019-04-24 CVE-2017-18367 Libseccomp Golang Project Improper Input Validation vulnerability in Libseccomp-Golang Project Libseccomp-Golang 0.9.0

libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them.

5.0
2019-04-24 CVE-2019-10691 Dovecot
Opensuse
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
5.0
2019-04-24 CVE-2019-3793 Pivotal Software Cleartext Transmission of Sensitive Information vulnerability in Pivotal Software Application Service

Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP.

5.0
2019-04-24 CVE-2019-9734 Aquaverde Information Exposure Through LOG Files vulnerability in Aquaverde Aquarius CMS

Aquarius CMS through 4.3.5 writes POST and GET parameters (including passwords) to a log file due to an overwriting of configuration parameters under certain circumstances.

5.0
2019-04-24 CVE-2019-9724 Aquaverde Information Exposure Through LOG Files vulnerability in Aquaverde Aquarius CMS

aquaverde Aquarius CMS through 4.3.5 allows Information Exposure through Log Files because of an error in the Log-File writer component.

5.0
2019-04-23 CVE-2019-10711 Hisilicon Unspecified vulnerability in Hisilicon Hi3510 Firmware

Incorrect access control in the RTSP stream and web portal on all IP cameras based on Hisilicon Hi3510 firmware (until Webware version V1.0.1) allows attackers to view an RTSP stream by connecting to the stream with hidden credentials (guest or user) that are neither displayed nor configurable in the camera's CamHi or keye mobile management application.

5.0
2019-04-23 CVE-2019-2704 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris component of Oracle Sun Systems Products Suite (subcomponent: IPS Package Manager).

5.0
2019-04-23 CVE-2019-2650 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

5.0
2019-04-23 CVE-2019-2649 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

5.0
2019-04-23 CVE-2019-2648 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

5.0
2019-04-23 CVE-2019-2647 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services).

5.0
2019-04-23 CVE-2019-2632 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth).
5.0
2019-04-23 CVE-2019-2602 Oracle
Redhat
Opensuse
Resource Exhaustion vulnerability in multiple products

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries).

5.0
2019-04-23 CVE-2019-2582 Oracle Unspecified vulnerability in Oracle Database Server 12.2.0.1/18C

Vulnerability in the Core RDBMS component of Oracle Database Server.

5.0
2019-04-23 CVE-2019-2578 Oracle Unspecified vulnerability in Oracle Webcenter Sites 12.2.1.3.0

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

5.0
2019-04-23 CVE-2019-2576 Oracle Unspecified vulnerability in Oracle Service BUS 11.1.1.9.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle Service Bus component of Oracle Fusion Middleware (subcomponent: Web Container).

5.0
2019-04-23 CVE-2019-2575 Oracle Unspecified vulnerability in Oracle Autovue 3D Professional Advanced 21.0.0/21.0.1

Vulnerability in the Oracle AutoVue 3D Professional Advanced component of Oracle Supply Chain Products Suite (subcomponent: Format Handling - 2D).

5.0
2019-04-23 CVE-2019-2572 Oracle Unspecified vulnerability in Oracle SOA Suite 11.1.1.9.0

Vulnerability in the Oracle SOA Suite component of Oracle Fusion Middleware (subcomponent: Fabric Layer).

5.0
2019-04-23 CVE-2019-2567 Oracle Unspecified vulnerability in Oracle Configurator 12.1/12.2

Vulnerability in the Oracle Configurator component of Oracle Supply Chain Products Suite (subcomponent: Active Model Generation).

5.0
2019-04-23 CVE-2019-2565 Oracle Unspecified vulnerability in Oracle JD Edwards World Technical Foundation A9.2/A9.3.1/A9.4

Vulnerability in the JD Edwards World Technical Foundation component of Oracle JD Edwards Products (subcomponent: Service Enablement).

5.0
2019-04-23 CVE-2018-2880 Oracle Unspecified vulnerability in Oracle Micros Retail-J 12.1.2

Vulnerability in the MICROS Retail-J component of Oracle Retail Applications (subcomponent: Back Office).

5.0
2019-04-23 CVE-2019-7303 Canonical Unspecified vulnerability in Canonical Snapd and Ubuntu Linux

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host.

5.0
2019-04-22 CVE-2019-11383 Wifi FTP Server Project Unspecified vulnerability in Wifi FTP Server Project Wifi FTP Server 1.8.3

An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android.

5.0
2019-04-22 CVE-2019-5427 Mchange
Fedoraproject
Oracle
XML Entity Expansion vulnerability in multiple products

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

5.0
2019-04-22 CVE-2019-11384 Zalora Cleartext Storage of Sensitive Information vulnerability in Zalora 6.15.1

The Zalora application 6.15.1 for Android stores confidential information insecurely on the system (i.e.

5.0
2019-04-22 CVE-2019-10247 Eclipse
Netapp
Oracle
Information Exposure vulnerability in multiple products

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path.

5.0
2019-04-22 CVE-2019-10246 Eclipse
Netapp
Oracle
Information Exposure vulnerability in multiple products

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents.

5.0
2019-04-22 CVE-2019-6157 Lenovo
IBM
Information Exposure Through LOG Files vulnerability in multiple products

In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.

5.0
2019-04-22 CVE-2016-1587 Snapweb Improper Access Control vulnerability in Snapweb

The Snapweb interface before version 0.21.2 was exposing controls to install or remove snap packages without controlling the identity of the user, nor the origin of the connection.

5.0
2019-04-22 CVE-2016-1586 Oxide Project Improper Input Validation vulnerability in Oxide Project Oxide

A malicious webview could install long-lived unload handlers that re-use an incognito BrowserContext that is queued for destruction in versions of Oxide before 1.18.3.

5.0
2019-04-22 CVE-2016-1584 Unity8 Resource Management Errors vulnerability in Unity8

In all versions of Unity8 a running but not active application on a large-screen device could talk with Maliit and consume keyboard input.

5.0
2019-04-22 CVE-2015-1343 Canonical Information Exposure Through LOG Files vulnerability in Canonical Ubuntu Linux 15.10

All versions of unity-scope-gdrive logs search terms to syslog.

5.0
2019-04-22 CVE-2015-1320 Canonical Credentials Management vulnerability in Canonical Metal AS A Service 1.9.0/1.9.1

The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface.

5.0
2019-04-22 CVE-2015-1316 Canonical KEY Management Errors vulnerability in Canonical Juju

Juju Core's Joyent provider before version 1.25.5 uploads the user's private ssh key.

5.0
2019-04-22 CVE-2014-1428 Canonical 7PK - Security Features vulnerability in Canonical Metal AS A Service 1.9.0/1.9.1

A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames.

5.0
2019-04-22 CVE-2014-1426 Canonical Improper Input Validation vulnerability in Canonical Metal AS A Service 1.9.0/1.9.1

A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file.

5.0
2019-04-22 CVE-2011-3147 Openstack Information Exposure vulnerability in Openstack Nova

Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem.

5.0
2019-04-22 CVE-2019-11413 Artifex Uncontrolled Recursion vulnerability in Artifex Mujs 1.0.5

An issue was discovered in Artifex MuJS 1.0.5.

5.0
2019-04-22 CVE-2019-11412 Artifex Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Artifex Mujs 1.0.5

An issue was discovered in Artifex MuJS 1.0.5.

5.0
2019-04-22 CVE-2019-11403 Gradle Information Exposure vulnerability in Gradle Enterprise 2018.5/2018.5.1

In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.

5.0
2019-04-22 CVE-2019-11402 Gradle Insufficiently Protected Credentials vulnerability in Gradle Enterprise 2018.5/2018.5.1/2018.5.2

In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.

5.0
2019-04-22 CVE-2019-11393 Tildeslash Weak Password Recovery Mechanism FOR Forgotten Password vulnerability in Tildeslash Monit

An issue was discovered in /admin/users/update in M/Monit before 3.7.3.

5.0
2019-04-24 CVE-2019-8994 Tibco Unspecified vulnerability in Tibco products

The workspace client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contains vulnerabilities where an authenticated user can change settings that can theoretically adversely impact other users.

4.9
2019-04-24 CVE-2019-3882 Linux
Fedoraproject
Debian
Canonical
Opensuse
Netapp
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit.

4.9
2019-04-23 CVE-2019-2601 Oracle Unspecified vulnerability in Oracle Business Intelligence Publisher 11.1.1.9.0/12.2.1.3.0/12.2.1.4.0

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security).

4.9
2019-04-23 CVE-2019-2594 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: Application Server).

4.9
2019-04-23 CVE-2018-3314 Oracle Unspecified vulnerability in Oracle Micros Relate Customer Relationship Management Software 11.4

Vulnerability in the MICROS Relate CRM Software component of Oracle Retail Applications (subcomponent: Customer).

4.9
2019-04-26 CVE-2019-3844 Freedesktop
Fedoraproject
Canonical
Netapp
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set.
4.6
2019-04-26 CVE-2019-3843 Freedesktop
Fedoraproject
Canonical
Netapp
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated.
4.6
2019-04-23 CVE-2019-10688 Polycom USE of Hard-Coded Credentials vulnerability in Polycom products

VVX products with software versions including and prior to, UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device.

4.6
2019-04-23 CVE-2019-2723 Oracle Integer Overflow OR Wraparound vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2722 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2721 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2703 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2696 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2680 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2657 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2656 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2019-04-23 CVE-2019-2619 Oracle Unspecified vulnerability in Oracle Database

Vulnerability in the Portable Clusterware component of Oracle Database Server.

4.6
2019-04-23 CVE-2019-2516 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Portable Clusterware component of Oracle Database Server.

4.6
2019-04-22 CVE-2019-8452 Checkpoint Link Following vulnerability in Checkpoint Endpoint Security and Zonealarm

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file.

4.6
2019-04-22 CVE-2016-1573 Unity8
Ubports
USE After Free vulnerability in Unity8

Versions of Unity8 before 8.11+16.04.20160122-0ubuntu1 file plugins/Dash/CardCreator.js will execute any code found in place of a fallback image supplied by a scope.

4.6
2019-04-23 CVE-2019-2690 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.4
2019-04-22 CVE-2019-11461 Gnome Unspecified vulnerability in Gnome Nautilus

An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1.

4.4
2019-04-28 CVE-2019-11578 Dhcpcd Project Cryptographic Issues vulnerability in Dhcpcd Project Dhcpcd

auth.c in dhcpcd before 7.2.1 allowed attackers to infer secrets by performing latency attacks.

4.3
2019-04-26 CVE-2019-11555 W1 FI Null Pointer Dereference vulnerability in W1.Fi Hostapd and WPA Supplicant

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received.

4.3
2019-04-26 CVE-2019-11533 Projectsend Cross-Site Scripting vulnerability in Projectsend

Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.

4.3
2019-04-26 CVE-2018-15584 Gnuboard Cross-Site Scripting vulnerability in Gnuboard Gnuboard5

Cross-Site Scripting (XSS) vulnerability in adm/boardgroup_form_update.php and adm/boardgroup_list_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.

4.3
2019-04-26 CVE-2018-15582 Gnuboard Cross-Site Scripting vulnerability in Gnuboard Gnuboard5

Cross-Site Scripting (XSS) vulnerability in adm/sms_admin/num_book_write.php and adm/sms_admin/num_book_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.

4.3
2019-04-26 CVE-2018-15581 Gnuboard Cross-Site Scripting vulnerability in Gnuboard Gnuboard5

Cross-Site Scripting (XSS) vulnerability in adm/faqmasterformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.

4.3
2019-04-26 CVE-2018-15580 Gnuboard Cross-Site Scripting vulnerability in Gnuboard Gnuboard5

Cross-Site Scripting (XSS) vulnerability in adm/contentformupdate.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.

4.3
2019-04-26 CVE-2019-11220 Ilnkp2P Project Cleartext Transmission of Sensitive Information vulnerability in Ilnkp2P Project Ilnkp2P

An authentication flaw in Shenzhen Yunni Technology iLnkP2P allows remote attackers to actively intercept user-to-device traffic in cleartext, including video streams and device credentials.

4.3
2019-04-26 CVE-2019-9807 Mozilla Improper Input Validation vulnerability in Mozilla Firefox

When arbitrary text is sent over an FTP connection and a page reload is initiated, it is possible to create a modal alert message with this text as the content.

4.3
2019-04-26 CVE-2019-9793 Mozilla Buffer Errors vulnerability in Mozilla Firefox and Firefox ESR

A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled.

4.3
2019-04-26 CVE-2018-5124 Mozilla Cross-Site Scripting vulnerability in Mozilla Firefox

Unsanitized output in the browser UI leaves HTML tags in place and can result in arbitrary code execution in Firefox before version 58.0.1.

4.3
2019-04-26 CVE-2018-18511 Mozilla Information Exposure vulnerability in Mozilla Firefox 65.0

Cross-origin images can be read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap method.

4.3
2019-04-26 CVE-2018-18510 Mozilla Unspecified vulnerability in Mozilla Firefox

The about:crashcontent and about:crashparent pages can be triggered by web content.

4.3
2019-04-26 CVE-2019-0186 Apache Cross-Site Scripting vulnerability in Apache Pluto 3.0.0/3.0.1

The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks.

4.3
2019-04-26 CVE-2019-11543 Pulsesecure Cross-Site Scripting vulnerability in Pulsesecure Pulse Connect Secure and Pulse Policy Secure

XSS exists in the admin web console in Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.

4.3
2019-04-25 CVE-2018-18643 Gitlab Cross-Site Scripting vulnerability in Gitlab

GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.

4.3
2019-04-25 CVE-2018-16220 Audiocodes Cross-Site Scripting vulnerability in Audiocodes 405Hd Firmware 2.2.12

Cross Site Scripting in different input fields (domain field and personal settings) in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an attacker (local or remote) to inject JavaScript into the web interface of the device by manipulating the phone book entries or manipulating the domain name sent to the device from the domain controller.

4.3
2019-04-25 CVE-2019-9669 Wordfence Cross-Site Scripting vulnerability in Wordfence 7.2.3

The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attack vector.

4.3
2019-04-25 CVE-2019-11537 Osticket Cross-Site Scripting vulnerability in Osticket

In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message.

4.3
2019-04-25 CVE-2018-1360 Fortinet Cleartext Transmission of Sensitive Information vulnerability in Fortinet Fortimanager

A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man in the middle position to retrieve the admin password via intercepting REST API JSON responses.

4.3
2019-04-25 CVE-2019-11511 Zohocorp Cross-Site Scripting vulnerability in Zohocorp Manageengine Adselfservice Plus 5.7

Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.

4.3
2019-04-24 CVE-2019-11203 Tibco Cross-Site Request Forgery (CSRF) vulnerability in Tibco products

The workspace client, openspace client, app development client, and REST API of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain cross site scripting (XSS) and cross-site request forgery vulnerabilities.

4.3
2019-04-24 CVE-2019-9635 Google Null Pointer Dereference vulnerability in Google Tensorflow

NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file.

4.3
2019-04-24 CVE-2019-7211 Smartertools Cross-Site Scripting vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 16.x before build 6995 has stored XSS.

4.3
2019-04-24 CVE-2019-11032 HR Technologies Cross-Site Scripting vulnerability in Hr-Technologies Easytorecruit

In EasyToRecruit (E2R) before 2.11, the upload feature and the Candidate Profile Management feature are prone to Cross Site Scripting (XSS) injection in multiple locations.

4.3
2019-04-24 CVE-2019-11498 Wavpack
Canonical
Access of Uninitialized Pointer vulnerability in multiple products

WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.

4.3
2019-04-23 CVE-2018-7576 Google Null Pointer Dereference vulnerability in Google Tensorflow

Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference.

4.3
2019-04-23 CVE-2019-2684 Oracle
Redhat
Opensuse
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI).
4.3
2019-04-23 CVE-2019-2676 Oracle Unspecified vulnerability in Oracle CRM Technical Foundation

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Preferences).

4.3
2019-04-23 CVE-2019-2674 Oracle Unspecified vulnerability in Oracle One-To-One Fulfillment

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server).

4.3
2019-04-23 CVE-2019-2673 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: Marketing Administration).

4.3
2019-04-23 CVE-2019-2670 Oracle Unspecified vulnerability in Oracle Marketing

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: Marketing Administration).

4.3
2019-04-23 CVE-2019-2669 Oracle Unspecified vulnerability in Oracle CRM Technical Foundation

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Preferences).

4.3
2019-04-23 CVE-2019-2622 Oracle Unspecified vulnerability in Oracle Service Contracts

Vulnerability in the Oracle Service Contracts component of Oracle E-Business Suite (subcomponent: Renewals).

4.3
2019-04-23 CVE-2019-2621 Oracle Unspecified vulnerability in Oracle Application Object Library

Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Diagnostics).

4.3
2019-04-23 CVE-2019-2573 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.56/8.57

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Fluid Homepage & Navigation).

4.3
2019-04-23 CVE-2018-3123 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: libmysqld).

4.3
2019-04-23 CVE-2019-10864 Veronalabs Cross-Site Scripting vulnerability in Veronalabs WP Statistics

The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request.

4.3
2019-04-23 CVE-2018-1328 Apache Cross-Site Scripting vulnerability in Apache Zeppelin

Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions.

4.3
2019-04-23 CVE-2019-11474 Graphicsmagick Incorrect Calculation vulnerability in Graphicsmagick 1.3.31

coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

4.3
2019-04-23 CVE-2019-11473 Graphicsmagick Out-Of-Bounds Read vulnerability in Graphicsmagick 1.3.31

coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

4.3
2019-04-23 CVE-2019-11472 Imagemagick Divide BY Zero vulnerability in Imagemagick 7.0.841

ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.

4.3
2019-04-23 CVE-2018-20822 Sass Lang Uncontrolled Recursion vulnerability in Sass-Lang Libsass 3.5.4

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

4.3
2019-04-23 CVE-2018-20821 Sass Lang Uncontrolled Recursion vulnerability in Sass-Lang Libsass

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

4.3
2019-04-23 CVE-2018-20820 Dropbox Integer Overflow OR Wraparound vulnerability in Dropbox Lepton 1.2.1

read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows attackers to cause a denial-of-service (application runtime crash because of an integer overflow) via a crafted file.

4.3
2019-04-23 CVE-2019-11463 Libarchive Memory Leak vulnerability in Libarchive

A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.

4.3
2019-04-22 CVE-2019-11459 Gnome
Canonical
USE of Uninitialized Resource vulnerability in multiple products

The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.

4.3
2019-04-22 CVE-2019-0218 Apache Cross-Site Scripting vulnerability in Apache Pony Mail

A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.

4.3
2019-04-22 CVE-2019-9955 Zyxel Cross-Site Scripting vulnerability in Zyxel products

On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.

4.3
2019-04-22 CVE-2019-10241 Eclipse Cross-Site Scripting vulnerability in Eclipse Jetty

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

4.3
2019-04-22 CVE-2019-11454 Mmonit
Canonical
Debian
Fedoraproject
Cross-Site Scripting vulnerability in multiple products

Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.

4.3
2019-04-22 CVE-2015-1327 Canonical Permissions, Privileges, and Access Controls vulnerability in Canonical Ubuntu Linux 15.04

Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only requires a file path for a content item, it doesn't actually require the confined app have access to the file to create a transfer.

4.3
2019-04-22 CVE-2014-1427 Canonical Cross-Site Scripting vulnerability in Canonical Metal AS A Service 1.9.0/1.9.1

A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting.

4.3
2019-04-22 CVE-2019-11243 Kubernetes Credentials Management vulnerability in Kubernetes

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).

4.3
2019-04-22 CVE-2019-11449 I Librarian Cross-Site Scripting vulnerability in I-Librarian I, Librarian 4.10

I, Librarian 4.10 has XSS via the notes.php notes parameter.

4.3
2019-04-22 CVE-2019-11428 I Librarian Cross-Site Scripting vulnerability in I-Librarian I, Librarian 4.10

I, Librarian 4.10 has XSS via the export.php export_files parameter.

4.3
2019-04-22 CVE-2019-11427 Idreamsoft Cross-Site Scripting vulnerability in Idreamsoft Icms 7.0.14

An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter.

4.3
2019-04-22 CVE-2019-11426 Idreamsoft Cross-Site Scripting vulnerability in Idreamsoft Icms 7.0.14

An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the admincp.php?app=config tab parameter.

4.3
2019-04-22 CVE-2019-11414 Intelbras Weak Password Recovery Mechanism for Forgotten Password vulnerability in Intelbras IWR 3000N Firmware 1.5.0

An issue was discovered on Intelbras IWR 3000N 1.5.0 devices.

4.3
2019-04-22 CVE-2019-11404 Arrow KT Missing Encryption of Sensitive Data vulnerability in Arrow-Kt Arrow

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS.

4.3
2019-04-26 CVE-2019-11538 Pulsesecure Link Following vulnerability in Pulsesecure Pulse Connect Secure

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.

4.0
2019-04-25 CVE-2019-3720 Dell Path Traversal vulnerability in Dell EMC Openmanage Server Administrator

Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain a Directory Traversal Vulnerability.

4.0
2019-04-25 CVE-2019-4222 IBM Improper Privilege Management vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 could allow an authenticated user to view process definition of a business process without permission.

4.0
2019-04-25 CVE-2019-11519 Nopcommerce XXE vulnerability in Nopcommerce

Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.

4.0
2019-04-25 CVE-2019-11515 Gilacms Path Traversal vulnerability in Gilacms Gila CMS 1.10.1

core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?download= absolute path traversal to read arbitrary files.

4.0
2019-04-24 CVE-2019-3789 Cloudfoundry Improper Privilege Management vulnerability in Cloudfoundry Routing Release

Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform.

4.0
2019-04-24 CVE-2019-3786 Cloudfoundry Insufficient Verification of Data Authenticity vulnerability in Cloudfoundry Bosh Backup and Restore

Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH.

4.0
2019-04-23 CVE-2019-10710 Hisilicon Incorrect Permission Assignment FOR Critical Resource vulnerability in Hisilicon Hi3510 Firmware

Insecure permissions in the Web management portal on all IP cameras based on Hisilicon Hi3510 firmware allow authenticated attackers to receive a network's cleartext WiFi credentials via a specific HTTP request.

4.0
2019-04-23 CVE-2019-2701 Oracle Unspecified vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management 18.8

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access).

4.0
2019-04-23 CVE-2019-2700 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Learning Management 9.2

Vulnerability in the PeopleSoft Enterprise ELM component of Oracle PeopleSoft Products (subcomponent: Enterprise Learning Mgmt).

4.0
2019-04-23 CVE-2019-2695 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2694 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2693 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2691 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Roles).

4.0
2019-04-23 CVE-2019-2689 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2688 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2687 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2686 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2685 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2683 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options).
4.0
2019-04-23 CVE-2019-2681 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2644 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL).

4.0
2019-04-23 CVE-2019-2635 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication).

4.0
2019-04-23 CVE-2019-2631 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Information Schema).

4.0
2019-04-23 CVE-2019-2628 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
4.0
2019-04-23 CVE-2019-2627 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).
4.0
2019-04-23 CVE-2019-2626 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL).

4.0
2019-04-23 CVE-2019-2625 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2624 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).

4.0
2019-04-23 CVE-2019-2620 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2019-04-23 CVE-2019-2615 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

4.0
2019-04-23 CVE-2019-2607 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2606 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2019-04-23 CVE-2019-2596 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2019-04-23 CVE-2019-2593 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).

4.0
2019-04-23 CVE-2019-2592 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS).
4.0
2019-04-23 CVE-2019-2589 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2019-04-23 CVE-2019-2588 Oracle Unspecified vulnerability in Oracle Business Intelligence Publisher 11.1.1.9.0/12.2.1.3.0/12.2.1.4.0

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security).

4.0
2019-04-23 CVE-2019-2587 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition).

4.0
2019-04-23 CVE-2019-2586 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.55/8.56/8.57

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: RemoteCall).

4.0
2019-04-23 CVE-2019-2585 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).

4.0
2019-04-23 CVE-2019-2584 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2019-04-23 CVE-2019-2581 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
4.0
2019-04-23 CVE-2019-2580 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).

4.0
2019-04-23 CVE-2019-2579 Oracle Unspecified vulnerability in Oracle Webcenter Sites 12.2.1.3.0

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

4.0
2019-04-23 CVE-2019-2568 Oracle Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

4.0
2019-04-23 CVE-2019-2566 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Plug-in).
4.0
2019-04-23 CVE-2019-2564 Oracle Unspecified vulnerability in Oracle JD Edwards Enterpriseone Tools 9.2

Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Web Runtime).

4.0
2019-04-23 CVE-2019-0223 Apache
Redhat
Improper Certificate Validation vulnerability in multiple products

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0.

4.0
2019-04-23 CVE-2018-17169 Printeron XXE vulnerability in Printeron

An XML external entity (XXE) vulnerability in PrinterOn version 4.1.4 and lower allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

4.0

37 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2019-04-25 CVE-2018-14980 Asus Incorrect Permission Assignment FOR Critical Resource vulnerability in Asus Zenfone 3 MAX Firmware

The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain.

3.6
2019-04-23 CVE-2019-2679 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

3.6
2019-04-26 CVE-2018-18276 Profiles Project Cross-Site Scripting vulnerability in Profiles Project Profiles 1.5

XSS exists in the ProFiles 1.5 component for Joomla! via the name or path parameter when creating a new folder in the administrative panel.

3.5
2019-04-25 CVE-2018-18824 Wolfcms Cross-Site Scripting vulnerability in Wolfcms Wolf CMS 0.8.3.1

WolfCMS v0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/.

3.5
2019-04-25 CVE-2018-18823 Wolfcms Cross-Site Scripting vulnerability in Wolfcms Wolf CMS 0.8.3.1

WolfCMS 0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/.

3.5
2019-04-25 CVE-2019-4238 IBM Cross-Site Scripting vulnerability in IBM products

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4148 IBM Cross-Site Scripting vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4146 IBM Unspecified vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 could allow an authenticated user to obtain sensitive document information under unusual circumstances.

3.5
2019-04-25 CVE-2019-4077 IBM Cross-Site Scripting vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4076 IBM Cross-Site Scripting vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4075 IBM Cross-Site Scripting vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4074 IBM Cross-Site Scripting vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4073 IBM Cross-Site Scripting vulnerability in IBM Sterling B2B Integrator 6.0.0.0/6.0.0.1

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-4033 IBM Cross-Site Scripting vulnerability in IBM Content Navigator 2.0.3/3.0.0

IBM Content Navigator 2.0.3 and 3.0CD is vulnerable to cross-site scripting.

3.5
2019-04-25 CVE-2019-11513 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple

The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action.

3.5
2019-04-24 CVE-2019-11504 Zotonic Cross-Site Scripting vulnerability in Zotonic

Zotonic before version 0.47 has mod_admin XSS.

3.5
2019-04-23 CVE-2019-2720 Oracle Unspecified vulnerability in Oracle Data Integrator 11.1.1.9.0/12.2.1.3.0

Vulnerability in the Oracle Data Integrator component of Oracle Fusion Middleware (subcomponent: ODI Tools).

3.5
2019-04-23 CVE-2019-2692 Oracle Unspecified vulnerability in Oracle Mysql Connector/J

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J).

3.5
2019-04-23 CVE-2019-2636 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Group Replication Plugin).

3.5
2019-04-23 CVE-2019-2630 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication).

3.5
2019-04-23 CVE-2019-2623 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options).

3.5
2019-04-23 CVE-2019-2617 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication).

3.5
2019-04-23 CVE-2019-2614 Oracle
Canonical
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication).
3.5
2019-04-25 CVE-2018-16219 Audiocodes Improper Authentication vulnerability in Audiocodes 405Hd Firmware 2.2.12

A missing password verification in the web interface in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an remote attacker (in the same network as the device) to change the admin password without authentication via a POST request.

3.3
2019-04-25 CVE-2018-15000 Vivo Unspecified vulnerability in Vivo V7 Firmware

The Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys contains a platform app with a package name of com.vivo.smartshot (versionCode=1, versionName=3.0.0).

3.3
2019-04-23 CVE-2019-2605 Oracle Unspecified vulnerability in Oracle Business Intelligence 11.1.1.9.0/12.2.1.3.0/12.2.1.4.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Web Catalog).

2.6
2019-04-25 CVE-2018-18366 Symantec USE of Uninitialized Resource vulnerability in Symantec products

Symantec Norton Security prior to 22.16.3, SEP (Windows client) prior to and including 12.1 RU6 MP9, and prior to 14.2 RU1, SEP SBE prior to Cloud Agent 3.00.31.2817, NIS-22.15.2.22, SEP-12.1.7484.7002 and SEP Cloud prior to 22.16.3 may be susceptible to a kernel memory disclosure, which is a type of issue where a specially crafted IRP request can cause the driver to return uninitialized memory.

2.1
2019-04-25 CVE-2018-14997 Leagoo Unspecified vulnerability in Leagoo P1 Firmware

The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains the android framework (i.e., system_server) with a package name of android that has been modified by Leagoo or another entity in the supply chain.

2.1
2019-04-25 CVE-2018-14983 Sony Improper Input Validation vulnerability in Sony Xperia L1 Firmware

The Sony Xperia L1 Android device with a build fingerprint of Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by Sony or another entity in the supply chain.

2.1
2019-04-24 CVE-2019-10239 Robotronic Improper Privilege Management vulnerability in Robotronic Runasspc 3.7.0.0

Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account.

2.1
2019-04-23 CVE-2019-2708 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

2.1
2019-04-23 CVE-2019-2678 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

2.1
2019-04-23 CVE-2019-2577 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris component of Oracle Sun Systems Products Suite (subcomponent: File Locking Services).

2.1
2019-04-23 CVE-2019-2574 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

2.1
2019-04-23 CVE-2019-2634 Oracle Unspecified vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication).

1.9
2019-04-22 CVE-2019-3901 Linux
Debian
Netapp
Improper Locking vulnerability in multiple products

A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.

1.9
2019-04-22 CVE-2019-11244 Kubernetes Permissions, Privileges, and Access Controls vulnerability in Kubernetes

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-).

1.9