Vulnerability Summary for the Week of September 17, 2018

Released
Sep 24, 2018
Document ID
SB18-267

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.

Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no medium vulnerabilities recorded this week.

Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

accusoft -- prizmdoc
  Description: Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-15546 (CONFIRM, MISC)

apache -- camel
  Description: Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-8041 (CONFIRM, BID, CONFIRM)

apache -- karaf
  Description: In Apache Karaf prior to the 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11786 (CONFIRM, CONFIRM, MLIST)

apache -- karaf
  Description: In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL, .../gogo/, and that URL is not secured, giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11787 (CONFIRM, CONFIRM, MLIST)

apache -- mesos
  Description: Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-8023 (MLIST)

apache -- spamassassin
  Description: A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11780 (BID, MLIST)

apache -- spamassassin
  Description: Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11781 (MLIST)

apache -- spamassassin
  Description: A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly, leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we set up an object and hook into the begin and end tag event handlers. In both cases, the "open" event is immediately followed by a "close" event, even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails to take more scan time than expected, leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed HTML. The exploit has been seen in the wild but is not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-15705 (BID, MLIST)

apache -- tika
  Description: In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11761 (MLIST)

apache -- tika
  Description: In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11762 (MLIST)

apache -- tika
  Description: In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-8017 (MLIST)

artifex -- ghostscript
  Description: Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17183 (MISC, MISC)

asus -- gt-ac5300
  Description: blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestamp parameter.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17127 (MISC)

atlassian -- fisheye_and_crucible
  Description: The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-13398 (CONFIRM, CONFIRM)

atlassian -- jira
  Description: The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16281 (CONFIRM)

audiofile -- audiofile
  Description: An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run occurs when running sfconvert.
  Published: 2018-09-16
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17095 (MISC, MISC)

avaya -- aura_orchestration_designer
  Description: A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-15612 (CONFIRM)

avaya -- aura_orchestration_designer
  Description: A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-15613 (CONFIRM)

bitcoin_core -- bitcoin_core
  Description: Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17144 (MISC, MISC, MISC, MISC)
blackberry -- enterprise_mobility_server
  Description: A directory traversal vulnerability in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS) 2.8.17.29 and earlier could allow an attacker to retrieve arbitrary files in the context of a BEMS administrator account.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-8889 (CONFIRM)

browserify-hmr -- browserify-hmr
  Description: An issue was discovered in Browserify-HMR. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-14730 (MISC, MISC)

bullguard -- safe_browsing
  Description: BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results.
  Published: 2018-09-15
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17061 (MISC, CONFIRM)

circontrol -- circarlife
  Description: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16671 (MISC)

circontrol -- circarlife
  Description: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16668 (MISC)

circontrol -- circarlife
  Description: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16670 (MISC)

circontrol -- open_charge_point_protocol
  Description: An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16669 (MISC)

cloud_foundry_foundation -- container_runtime
  Description: Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14.0, may leak UAA and vCenter credentials to application logs. A malicious user with the ability to read the application logs could use these credentials to escalate privileges.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1223 (CONFIRM)

cloud_foundry_foundation -- garden-runc
  Description: Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of service for new app instances or scaling up of existing apps.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11084 (CONFIRM)

cscms -- cscms
  Description: CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17125 (MISC, MISC)

cscms -- cscms
  Description: CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17126 (MISC, MISC)

cuppacms -- cuppacms
  Description: Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17300 (MISC)

dedecms -- dedecms
  Description: DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16784 (MISC)

dedecms -- dedecms
  Description: DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg parameter to /plus/feedback_ajax.php.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16786 (MISC)

dedecms -- dedecms
  Description: An XML injection vulnerability exists in the file of DedeCMS V5.7 SP2, which can be utilized by attackers to create a script file to obtain a webshell.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16785 (MISC)

dell_emc -- isilon_onefs
  Description: Dell EMC Isilon OneFS versions 7.1.1.x, 7.2.1.x, 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 and Dell EMC IsilonSD Edge versions 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 contain a remote process crash vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to crash the isi_drive_d process by sending specially crafted input data to the affected system. This process will then be restarted.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11071 (FULLDISC)
donlinkage -- donlinkage
  Description: An issue was discovered in DonLinkage 6.6.8. It allows remote attackers to obtain potentially sensitive information via a direct request for files/temporary.txt.
  Published: 2018-09-16
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17091 (MISC)

donlinkage -- donlinkage
  Description: An issue was discovered in DonLinkage 6.6.8. The modules /pages/bazy/bazy_adresow.php and /pages/proxy/add.php are vulnerable to stored XSS that can be triggered by closing <textarea> followed by <script></script> tags.
  Published: 2018-09-16
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17090 (MISC)

donlinkage -- donlinkage
  Description: An issue was discovered in DonLinkage 6.6.8. SQL injection in /pages/proxy/php.php and /pages/proxy/add.php can be exploited via specially crafted input, allowing an attacker to obtain information from a database. The vulnerability can only be triggered by an authorized user.
  Published: 2018-09-16
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17092 (MISC)

easycms -- easycms
  Description: App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17113 (MISC)

elastic -- elastic_cloud_enterprise
  Description: In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3825 (CONFIRM, CONFIRM)

elastic -- elastic_cloud_enterprise
  Description: Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3828 (CONFIRM, CONFIRM)

elastic -- elastic_cloud_enterprise
  Description: In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add an allocator to an existing ECE install to gain access to other clusters' data.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3829 (CONFIRM, CONFIRM)

elastic -- elasticsearch_alerting_and_monitoring
  Description: Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3831 (CONFIRM, CONFIRM)

elastic -- elasticsearch_repository-azure
  Description: A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level, Azure credentials can be inadvertently logged.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3827 (CONFIRM, CONFIRM)

elastic -- elasticsearch
  Description: In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3826 (CONFIRM, CONFIRM)

elastic -- x-pack_machine_learning
  Description: X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3823 (CONFIRM, CONFIRM)

elastic -- x-pack_machine_learning
  Description: X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3824 (CONFIRM, CONFIRM)

enalean -- tuleap
  Description: An issue was discovered in Enalean Tuleap before 10.5. Reset password links are not invalidated after a user changes their password.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17298 (MISC, MISC, MISC)

espocrm -- espocrm
  Description: Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17302 (MISC)

espocrm -- espocrm
  Description: Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17301 (MISC)

ethereum -- coinlancer_token
  Description: The onlyOwner modifier of a smart contract implementation for Coinlancer (CL), an Ethereum ERC20 token, has a potential access control vulnerability. All contract users can access functions that use this onlyOwner modifier, because the comparison between msg.sender and owner is incorrect.
  Published: 2018-09-18
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17111 (MISC)

ethereum -- minttoken_token
  Description: In the mintToken function of a smart contract implementation for Substratum (SUB), an Ethereum ERC20 token, the administrator can control mintedAmount, leverage an integer overflow, and modify a user account's balance arbitrarily.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-12511 (MISC)

ethereum -- minttoken_token
  Description: The mintToken function of a smart contract implementation for PolyAi (AI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17050 (MISC)

exiv2 -- exiv2
  Description: Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17230 (MISC)

exiv2 -- exiv2
  Description: An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
  Published: 2018-09-20
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17282 (MISC)

exiv2 -- exiv2
  Description: Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17229 (MISC)
foreman -- foreman
  Description: An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-14643 (BID, REDHAT, CONFIRM, CONFIRM)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2875 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2856 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SoftAP configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2873 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2876 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An information disclosure vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 can allow for a user to retrieve sensitive information without authentication.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2874 (MISC)

foscam -- c1_indoor_hd_camera
  Description: Insufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to the device, binaries as well as arguments to shell commands contained in the image are executed with elevated privileges.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2872 (MISC)

foscam -- c1_indoor_hd_camera
  Description: A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2877 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2855 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the UPnP implementation used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted UPnP discovery response can cause a buffer overflow resulting in overwriting arbitrary data. An attacker needs to be in the same subnetwork and reply to a discovery message to trigger this vulnerability.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2879 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2857 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
  Published: 2018-09-19
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2878 (MISC)

foscam -- c1_indoor_hd_camera
  Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-2854 (MISC)

gitolite -- gitolite
  Description: gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2013-7203 (CONFIRM, FEDORA, MLIST)

gitolite -- gitolite
  Description: gitolite commit fa06a34 through 3.5.3 might allow attackers to have unspecified impact via vectors involving world-writable permissions when creating (1) ~/.gitolite.rc, (2) ~/.gitolite, or (3) ~/repositories/gitolite-admin.git on fresh installs.
  Published: 2018-09-21
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2013-4451 (CONFIRM, CONFIRM, MLIST, BID)

golang -- go
  Description: The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17143 (MISC)

golang -- go
  Description: The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.
  Published: 2018-09-17
  CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17142 (MISC)
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in WMA handler.2018-09-18not yet calculatedCVE-2018-11869
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, during wlan association, driver allocates memory. In case the mem allocation fails driver does a mem free though the memory was not allocated.2018-09-18not yet calculatedCVE-2018-11842
CONFIRM
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check while calculating the MPDU data length will cause an integer overflow and then to buffer overflow in WLAN function.2018-09-19not yet calculatedCVE-2018-11886
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on the length of array while accessing can lead to an out of bound read in WLAN HOST function.2018-09-19not yet calculatedCVE-2018-11891
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a buffer over-read can occur In the WMA NDP event handler functions due to lack of validation of input value event_info which is received from FW.2018-09-18not yet calculatedCVE-2018-11297
CONFIRM
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing diag event after associating to a network out of bounds read occurs if ssid of the network joined is greater than max limit.2018-09-19not yet calculatedCVE-2018-11897
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition.2018-09-18not yet calculatedCVE-2018-11818
CONFIRM
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing start bss request from upper layer, out of bounds read occurs if ssid length is greater than maximum.2018-09-19not yet calculatedCVE-2018-11898
CONFIRM
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, WLAN handler indication from the firmware gets the information for 4 access categories. While processing this information only the first 3 AC information is copied due to the improper conditional logic used to compare with the max number of categories.2018-09-18not yet calculatedCVE-2018-11294
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, in policy mgr unit test if mode parameter in wlan function is given an out of bound value it can cause an out of bound access while accessing the PCL table.2018-09-19not yet calculatedCVE-2018-11883
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the function for writing device values into flash, uninitialized memory can be written to flash.2018-09-18not yet calculatedCVE-2017-15844
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to OOB access in WLAN HOST.2018-09-19not yet calculatedCVE-2018-11902
CONFIRM
CONFIRM
google -- androidIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from userspace before copying into buffer can lead to potential array overflow in WLAN.2018-09-18not yet calculatedCVE-2018-11302
CONFIRM
CONFIRM
google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a callback executed from the other thread has freed memory which is also used in a wlan function, and may result in a "Use after free" scenario.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11300 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, in wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler, ndp_cfg len and num_ndp_app_info are from FW. If they are not checked, it may cause a buffer over-read if the value is too large.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11293 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length-check validation in a WLAN function can lead to the driver writing the default RSN capabilities to memory not allocated to the frame.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11895 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, on an rssi request timeout, invalid memory access may occur since the local variable 'context' (stack data of the wlan function) has been freed.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11889 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of input size validation before copying to buffer in PMIC function can lead to heap overflow.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11832 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possibility of invalid memory access while processing driver command in WLAN function.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11878 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in nan response event handler.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11868 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing preferred network offload scan results, an integer overflow may lead to a buffer overflow when a large frame length is received from FW.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11894 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, an improper check in the WMA API on the inputs received from the firmware, which are then filled into the host structure, will lead to an OOB write.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11852 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from caller function used as an array index for WMA interfaces can lead to OOB write in WLAN HOST.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11903 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a vendor scan request, an input argument (the length of the request IEs) greater than the maximum can lead to a buffer overflow.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11893 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on buffer length while processing debug log event from firmware can lead to an integer overflow.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11301 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing the keystore in LK, an integer overflow vulnerability exists which may potentially lead to a buffer overflow.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2017-15828 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on return value in WMA response handler can lead to potential use after free.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11843 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, asynchronous callbacks received a pointer to a caller's local variable. Should the caller return early (e.g., timeout), the callback will dereference an invalid pointer.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-11904 | Source & Patch Info: CONFIRM ×51

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a gpt update, an out of bounds memory access may potentially occur.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2017-15825 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on input received to calculate the buffer length can lead to out of bound write to kernel stack.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11851 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a potential buffer overflow could occur while processing the ndp event due to lack of check on the message length.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11860 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, WMA handler carries a fixed event data from the firmware to the host. If the length and anqp length from this event data exceed the max length, an OOB write would happen.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11295 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper validation of array index in WMA roam synchronization handler can lead to OOB write.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11827 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when WLAN FW has not filled the vdev id correctly in stats events then WLAN host driver tries to access interface array without proper bound check which can lead to invalid memory access and as a side effect kernel panic or page fault.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11299 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a message from firmware in WLAN handler, a buffer overwrite can occur.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11296 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the WLAN driver command ioctl a temporary buffer used to construct the reply message may be freed twice.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11840 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length check can lead to out-of-bounds access in WLAN function.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11836 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from firmware to calculate the length of WMA roam synch buffer can lead to buffer overwrite during memcpy.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11863 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on integer overflow while calculating memory can lead to Buffer overflow in WLAN ext scan handler.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11826 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. This may result in data corruption.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11270 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while relocating kernel images with a specially crafted boot image, an out of bounds access can occur.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-3573 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, 'voice_svc_dev' is allocated as a device-managed resource. If error 'cdev_alloc_err' occurs, 'device_destroy' will free all associated resources, including 'voice_svc_dev' leading to a double free.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11273 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possible buffer overflow while incrementing the log_buf of type uint64_t in memcpy function, since the log_buf pointer can access the memory beyond the size to store the data after pointer increment.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11265 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing user-space input there is no size validation of the NAT entry. If the user input size of the NAT entry is greater than the max allowed size, memory exhaustion will occur.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11280 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing the global variable "debug_client" in a multi-threaded manner, a use-after-free issue occurs.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11286 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory which does not belong to HLOS.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-3574 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing SET_PASSPOINT_LIST vendor command HDD does not make sure that the realm string that gets passed by upper-layer is NULL terminated. This may lead to buffer overflow as strlen is used to get realm string length to construct the PASSPOINT WMA command.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11298 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, buffer overflow may occur when payload size is extremely large.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11274 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while loading a user application in qseecom, an integer overflow could potentially occur if the application partition size is rounded up to page_size.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2017-15818 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when flashing an image using FastbootLib, if the size is not divisible by the block size, an information leak occurs.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11275 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a race condition while accessing num of clients in DIAG services can lead to out of boundary access.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-5905 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Venus HW searches for start code when decoding input bit stream buffers. If start code is not found in entire buffer, there is over-fetch beyond allocation length. This leads to page fault.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11278 | Source & Patch Info: CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, double free of memory allocation is possible in Kernel when it explicitly tries to free that memory on driver probe failure, since memory allocated is automatically freed on probe.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11276 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

google -- android
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while calling IPA_IOC_MDFY_RT_RULE IPA IOCTL, header entry is not checked before use. If IPA_IOC_MDFY_RT_RULE IOCTL called for header entries formerly deleted, a Use after free condition will occur.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-11281 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, CONFIRM

haproxy -- hpack_decoder
A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14645 | Source & Patch Info: CONFIRM, MLIST

hdf -- hdf5
A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. This issue is different from CVE-2018-11207.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17237 | Source & Patch Info: MISC

hdf -- hdf5
Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17234 | Source & Patch Info: MISC

hdf -- hdf5
A SIGFPE signal is raised in the function H5D__create_chunk_file_map_hyper() of H5Dchunk.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17233 | Source & Patch Info: MISC

huawei -- mate10_smartphones
Huawei smartphones Mate10 with versions earlier than ALP-AL00B 8.0.0.110(C00) have a Factory Reset Protection (FRP) bypass vulnerability. The system does not sufficiently verify the permission; an attacker could use a data cable to connect the smartphone to a computer and then perform some specific operations. Successful exploitation could allow the attacker to bypass the FRP protection to access the system setting page.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-7991 | Source & Patch Info: CONFIRM

huawei -- mate_rs_smartphones
Huawei Mate RS smartphones with the versions before NEO-AL00D 8.1.0.167(C786) have a lock-screen bypass vulnerability. An attacker could unlock and use the phone through certain operations.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-7929 | Source & Patch Info: CONFIRM

hutool -- hutool
The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17297 | Source & Patch Info: MISC

hylafax -- fax_software
HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17141 | Source & Patch Info: CONFIRM, MLIST, MLIST, BUGTRAQ, DEBIAN, MISC

ibm -- business_process_manager
IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0.0.1 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145109.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-1674 | Source & Patch Info: XF, CONFIRM

ibm -- db2_for_linux_and_unix_and_windows
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability in db2cacpy that could allow a local user to read any file on the system. IBM X-Force ID: 145502.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-1685 | Source & Patch Info: SECTRACK, XF, CONFIRM

ibm -- db2_for_linux_and_unix_and_windows
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 tool db2licm is affected by a buffer overflow vulnerability that can potentially result in arbitrary code execution. IBM X-Force ID: 146364.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-1710 | Source & Patch Info: XF, CONFIRM

ibm -- db2_for_linux_and_unix_and_windows
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 146369.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-1711 | Source & Patch Info: XF, CONFIRM

ibm -- gpfs
IBM GPFS (IBM Spectrum Scale 5.0.1.0 and 5.0.1.1) allows a local, unprivileged user to cause a kernel panic on a node running GPFS by accessing a file that is stored on a GPFS file system with mmap, or by executing a crafted file stored on a GPFS file system. IBM X-Force ID: 148805.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-1782 | Source & Patch Info: XF, CONFIRM

ibm -- sterling_b2b_integrator
IBM Sterling B2B Integrator Standard Edition 5.2.6.0 and 6.2.6.1 could allow a local user to obtain highly sensitive information during a short time period when installation is occurring. IBM X-Force ID: 149607.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-1800 | Source & Patch Info: XF, CONFIRM

ibm -- tivoli_monitoring
IBM Tivoli Monitoring 6.2.3 through 6.2.3.5 and 6.3.0 through 6.3.0.7 are vulnerable to both TEPS user privilege escalation and possible denial of service due to unconstrained memory growth. IBM X-Force ID: 137039.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2017-1794 | Source & Patch Info: XF, CONFIRM

iceni -- argus
An exploitable heap overflow vulnerability exists in the ipStringCreate function of Iceni Argus Version 6.6.05. A specially crafted pdf file can cause an integer overflow resulting in heap overflow. An attacker can send a file to trigger this vulnerability.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2017-2777 | Source & Patch Info: MISC

insteon -- insteon_hub
An exploitable information leak vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the whole device memory. An attacker can send an authenticated HTTP request to trigger this vulnerability.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2017-14443 | Source & Patch Info: MISC

intel -- core_processor
Platform sample code firmware in 4th Generation Intel Core Processor, 5th Generation Intel Core Processor, 6th Generation Intel Core Processor, 7th Generation Intel Core Processor and 8th Generation Intel Core Processor contains a logic error which may allow a physical attacker to potentially bypass firmware authentication.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-12169 | Source & Patch Info: CONFIRM

jhead -- jhead
The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17088 | Source & Patch Info: MISC

joomla! -- joomla!
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17254 | Source & Patch Info: EXPLOIT-DB

joomla! -- joomla!
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-14592 | Source & Patch Info: CONFIRM

kibana -- kibana
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-3830 | Source & Patch Info: CONFIRM, CONFIRM

lg -- supersign_cms
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17173 | Source & Patch Info: MISC

lg -- supersign_cms
LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.
Published: 2018-09-14 | CVSS Score: not yet calculated | CVE-2018-16288 | Source & Patch Info: MISC, EXPLOIT-DB

liblouis -- liblouis
The matchCurrentInput function inside lou_translateString.c of Liblouis prior to 3.7 does not check the input string's length, allowing attackers to cause a denial of service (application crash via out-of-bounds read) by crafting an input file with certain translation dictionaries.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17294 | Source & Patch Info: MISC, MISC

libmp4v2 -- libmp4v2
The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in libmp4v2 2.1.0 mishandles compatibleBrand while processing a crafted mp4 file, which leads to a heap-based buffer over-read, causing denial of service.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17235 | Source & Patch Info: MISC

libmp4v2 -- libmp4v2
The function MP4Free() in mp4property.cpp in libmp4v2 2.1.0 internally calls free() on an invalid pointer, raising a SIGABRT signal.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17236 | Source & Patch Info: MISC

libsvg2 -- libsvg2
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
Published: 2018-09-22 | CVSS Score: not yet calculated | CVE-2018-17332 | Source & Patch Info: MISC

libsvg2 -- libsvg2
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
Published: 2018-09-22 | CVSS Score: not yet calculated | CVE-2018-17334 | Source & Patch Info: MISC

libsvg2 -- libsvg2
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
Published: 2018-09-22 | CVSS Score: not yet calculated | CVE-2018-17333 | Source & Patch Info: MISC

libtiff -- libtiff
An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17101 | Source & Patch Info: MISC, BID, MISC

libtiff -- libtiff
An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17100 | Source & Patch Info: MISC, MISC

limesurvey -- limesurvey
In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17003 | Source & Patch Info: MISC

link-net -- lw-n605r_devices
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-16752 | Source & Patch Info: MISC, EXPLOIT-DB

linksys -- velop
Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-17208 | Source & Patch Info: MISC

linux -- kernel
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-17182 | Source & Patch Info: MISC, MISC, MISC

linux -- kernel
An issue was discovered in the Linux kernel through 4.18.6. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-16597 | Source & Patch Info: CONFIRM, CONFIRM

linux -- kernel
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-14641 | Source & Patch Info: CONFIRM, CONFIRM, MLIST

lucky9io -- lucky9io
The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by the eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with a small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-17071 | Source & Patch Info: MISC

matrix -- synapse
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-16515 | Source & Patch Info: CONFIRM, FEDORA, CONFIRM

mcafee -- application_and_change_control
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2017-3912 | Source & Patch Info: BID, CONFIRM

mcafee -- application_and_change_control
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-6690 | Source & Patch Info: CONFIRM

mcafee -- endpoint_security_for_linux_threat_prevention
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escalation to delete arbitrary files.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-6693 | Source & Patch Info: CONFIRM

metinfo -- metinfo
MetInfo 6.1.0 has XSS in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-17129 | Source & Patch Info: MISC

micro_focus -- arcsight_management_center
A potential Directory Traversal Security vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be remotely exploited to allow Directory Traversal.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-6500 | Source & Patch Info: CONFIRM

micro_focus -- arcsight_management_center
A potential Reflected Cross-Site Scripting (XSS) Security vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Reflected Cross-site Scripting (XSS).
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-6502 | Source & Patch Info: CONFIRM

micro_focus -- arcsight_management_center
A potential Unauthenticated File Download vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Unauthenticated File Downloads.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-6505 | Source & Patch Info: CONFIRM

micro_focus -- arcsight_management_center
Potential security vulnerability of Insufficient Access Controls has been identified in ArcSight Management Center (ArcMC) for versions prior to 2.81. This vulnerability could be exploited to allow for insufficient access controls.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-6501 | Source & Patch Info: CONFIRM

micro_focus -- arcsight_management_center
A potential Access Control vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for vulnerable Access Controls.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-6503 | Source & Patch Info: CONFIRM

micro_focus -- arcsight_management_center
A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-6504 | Source & Patch Info: CONFIRM

microsoft -- active_directory_federation_services_windows_server
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-16794 | Source & Patch Info: MISC, FULLDISC, BID, BUGTRAQ

microsoft -- exchange_server
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parameter in /owa/auth/logon.aspx in the OWA (Outlook Web Access) login page.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-16793 | Source & Patch Info: MISC, FULLDISC, BUGTRAQ

microweber -- microweber
An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17104 | Source & Patch Info: CONFIRM, MISC, CONFIRM

monstra -- cms
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-16819 | Source & Patch Info: MISC, MISC

monstra -- cms
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-16820 | Source & Patch Info: MISC, MISC

moodle -- moodle
moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by the Boost theme when displaying search results of a blog was insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-14631 | Source & Patch Info: CONFIRM, BID, CONFIRM, CONFIRM

moodle -- moodle
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-14630 | Source & Patch Info: CONFIRM, BID, CONFIRM, CONFIRM, FULLDISC, MISC

moxa -- edr-810
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI. | 2018-09-20 | not yet calculated | CVE-2018-16282
MISC
CONFIRM
mybb -- mybb
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. | 2018-09-17 | not yet calculated | CVE-2018-17128
MISC
navigate -- cms
Navigate CMS 2.8 has Reflected XSS via the navigate.php fid parameter. | 2018-09-20 | not yet calculated | CVE-2018-17255
MISC
neato_robotics -- botvac
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all. | 2018-09-18 | not yet calculated | CVE-2018-17176
MISC
neato_robotics -- botvac
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything. | 2018-09-18 | not yet calculated | CVE-2018-17178
MISC
neato_robotics -- botvac
An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary. | 2018-09-18 | not yet calculated | CVE-2018-17177
MISC
nmap4j -- nmap4j
nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell metacharacters in an includeHosts call. | 2018-09-19 | not yet calculated | CVE-2018-17228
MISC
nmealib -- nmealib
A stack-based buffer overflow was discovered in the xtimor NMEA library (aka nmealib) 0.5.3. nmea_parse() in parser.c allows an attacker to trigger denial of service (even arbitrary code execution in a certain context) in a product using this library via malformed data. | 2018-09-21 | not yet calculated | CVE-2018-17174
MISC
nuuo -- nvrmini2
NUUO's NVRMini2 3.8.0 and below contains a backdoor that would allow an unauthenticated remote attacker to take over user accounts if the file /tmp/moses exists. | 2018-09-19 | not yet calculated | CVE-2018-1150
CONFIRM
MISC
nuuo -- nvrmini2
cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests. | 2018-09-19 | not yet calculated | CVE-2018-1149
CONFIRM
CONFIRM
MISC
open-xchange -- webmail
Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag. | 2018-09-18 | not yet calculated | CVE-2017-6913
MISC
CONFIRM
open_vswitch -- open_vswitch
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding. | 2018-09-19 | not yet calculated | CVE-2018-17206
MISC
open_vswitch -- openvswitch
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting parse_group_prop_ntr_selection_method in lib/ofp-util.c. When decoding a group mod, it validates the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tries to use the type and command earlier, when it might still be invalid. This causes an assertion failure (via OVS_NOT_REACHED). ovs-vswitchd does not enable support for OpenFlow 1.5 by default. | 2018-09-19 | not yet calculated | CVE-2018-17204
MISC
open_vswitch -- openvswitch
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c. During bundle commit, flows that are added in a bundle are applied to ofproto in order. If a flow cannot be added (e.g., the flow action is a go-to for a group id that does not exist), OvS tries to revert back all previous flows that were successfully applied from the same bundle. This is possible since OvS maintains a list of old flows that were replaced by flows from the bundle. While reinserting old flows, OvS has an assertion failure due to a check on rule state != RULE_INITIALIZED. This would work for new flows, but for an old flow the rule state is RULE_REMOVED. The assertion failure causes an OvS crash. | 2018-09-19 | not yet calculated | CVE-2018-17205
MISC
opmantek -- open-audit
Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field. | 2018-09-19 | not yet calculated | CVE-2018-16607
MISC
oracle -- webcenter_interaction_portal
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. | 2018-09-17 | not yet calculated | CVE-2018-16959
BID
MISC
oracle -- webcenter_interaction_portal
The AjaxControl component of Oracle WebCenter Interaction Portal 10.3.3 does not validate the names of pages when processing page rename requests. Pages can be renamed to include characters unsupported for URIs by the web server hosting the WCI Portal software (such as IIS). Renaming pages to include unsupported characters, such as 0x7f, prevents these pages from being accessed over the web server, causing a Denial of Service (DoS) to the page. | 2018-09-17 | not yet calculated | CVE-2018-16956
BID
MISC
oracle -- webcenter_interaction_portal
The login function of Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). The content of the in_hi_redirect parameter, when prefixed with the https:// scheme, is unsafely reflected in an HTML META tag in the HTTP response. | 2018-09-17 | not yet calculated | CVE-2018-16955
BID
MISC
oracle -- webcenter_interaction_portal
The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response. | 2018-09-17 | not yet calculated | CVE-2018-16953
BID
MISC
oracle -- webcenter_interaction_portal
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. | 2018-09-17 | not yet calculated | CVE-2018-16954
BID
MISC
oracle -- webcenter_interaction_portal
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is exposed to session hijacking attacks should an adversary be able to execute JavaScript in the origin of the portal installation. | 2018-09-17 | not yet calculated | CVE-2018-16958
BID
MISC
oracle -- webcenter_interaction_portal
The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). | 2018-09-17 | not yet calculated | CVE-2018-16952
BID
MISC
oracle -- webcenter_interaction
The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service over a network could perform search queries to extract large quantities of sensitive information from the WCI installation. | 2018-09-17 | not yet calculated | CVE-2018-16957
BID
MISC
otcms -- otcms
An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switch.php via these parameters: fieldName fieldName2 tabName. | 2018-09-16 | not yet calculated | CVE-2018-17086
MISC
otcms -- otcms
An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php via these parameters: dataTypeCN dataMode dataModeStr. | 2018-09-16 | not yet calculated | CVE-2018-17085
MISC
parcel -- parcel-bundler
An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1 connection (with a random TCP port number) from any origin. The random port number can be found by connecting to http://127.0.0.1 and reading the "new WebSocket" line in the source code. | 2018-09-21 | not yet calculated | CVE-2018-14731
MISC
CONFIRM
CONFIRM
patatasfritas -- patatawifi
FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php. | 2018-09-21 | not yet calculated | CVE-2018-17317
MISC
MISC
php -- php
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. | 2018-09-16 | not yet calculated | CVE-2018-17082
MISC
MISC
MISC
MISC
MLIST
phpmywind -- phpmywind
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. | 2018-09-17 | not yet calculated | CVE-2018-17133
MISC
phpmywind -- phpmywind
admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter. | 2018-09-17 | not yet calculated | CVE-2018-17132
MISC
phpmywind -- phpmywind
PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header. | 2018-09-17 | not yet calculated | CVE-2018-17130
MISC
phpmywind -- phpmywind
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. | 2018-09-17 | not yet calculated | CVE-2018-17131
MISC
phpmywind -- phpmywind
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. | 2018-09-17 | not yet calculated | CVE-2018-17134
MISC
pivotal -- applications_service
Pivotal Usage Service in Pivotal Application Service, versions 2.0 prior to 2.0.21 and 2.1 prior to 2.1.13 and 2.2 prior to 2.2.5, contains a bug which may allow escalation of privileges. A space developer with access to the system org may be able to access an artifact which contains the CF admin credential, allowing them to escalate to an admin role. | 2018-09-17 | not yet calculated | CVE-2018-11086
CONFIRM
pivotal -- applications_service
Pivotal Applications Manager in Pivotal Application Service, versions 2.0 prior to 2.0.21 and 2.1 prior to 2.1.13 and 2.2 prior to 2.2.5, contains a bug which may allow escalation of privileges. A space developer with access to the system org may be able to access an artifact which contains the CF admin credential, allowing them to escalate to an admin role. | 2018-09-17 | not yet calculated | CVE-2018-11088
CONFIRM
pivotal -- cloud_cache
Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser password in plain text during BOSH deployment logs. A malicious user with access to the logs could escalate their privileges using this password. | 2018-09-17 | not yet calculated | CVE-2018-1198
CONFIRM
podofo_project -- podofo
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673. | 2018-09-17 | not yet calculated | CVE-2018-14320
MISC
prezi -- next
Prezi Next 1.3.101.11 has a documented purpose of creating HTML5 presentations but has SE_DEBUG_PRIVILEGE on Windows, which might allow attackers to bypass intended access restrictions. | 2018-09-17 | not yet calculated | CVE-2018-17137
MISC
processmaker -- processmaker_enterprise_core
A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability. | 2018-09-17 | not yet calculated | CVE-2016-9045
MISC
python -- marshmallow_library
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only"). | 2018-09-18 | not yet calculated | CVE-2018-17175
MISC
MISC
MISC
python_software_foundation -- python
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service or information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed after commit add531a1e55b0a739b0f42582f1c9747e5649ace. | 2018-09-18 | not yet calculated | CVE-2018-1000802
CONFIRM
CONFIRM
CONFIRM
MISC
qbee -- multisensor_camera
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera. | 2018-09-18 | not yet calculated | CVE-2018-16225
MISC
FULLDISC
qualcomm -- android
In Snapdragon (Automobile ,Mobile) in version MSM8996AU, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, a crafted HLOS client can modify the structure in memory passed to a QSEE application between the time of check and the time of use, resulting in arbitrary writes to TZ kernel memory regions. | 2018-09-20 | not yet calculated | CVE-2017-18302
SECTRACK
CONFIRM
CONFIRM
qualcomm -- android
In Small Cell SoC and Snapdragon (Automobile, Mobile, Wear) in version FSM9055, FSM9955, MDM9607, MDM9640, MDM9650, MSM8909W, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDM630, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, providing the NULL argument of ICE regulator while processing create key IOCTL results in system restart. | 2018-09-20 | not yet calculated | CVE-2017-18301
SECTRACK
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, on TZ cold boot the CNOC_QDSS RG0 locked by xBL_SEC is cleared by TZ. | 2018-09-20 | not yet calculated | CVE-2017-18314
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9607, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDM429, SDM439, SDM632, Snapdragon_High_Med_2016, when a Trusted Application has opened the SPI/I2C interface to a particular device, it is possible for another Trusted Application to read the data on this open interface by calling the SPI/I2C read function. | 2018-09-20 | not yet calculated | CVE-2017-18280
SECTRACK
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG in use. | 2018-09-20 | not yet calculated | CVE-2018-11290
CONFIRM
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016, a double free of ASN1 heap memory used for the EUTRA CAP container occurs during the UTRAN to LTE Capability inquiry procedure. | 2018-09-20 | not yet calculated | CVE-2018-11982
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, lack of input validation in WLANWMI command handlers can lead to integer & heap overflows. | 2018-09-20 | not yet calculated | CVE-2018-11292
CONFIRM
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016, a potential buffer overflow exists when parsing TFTP options. | 2018-09-20 | not yet calculated | CVE-2018-11269
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests (for privacy reasons) is not done properly due to a flawed RNG which produces repeating output much earlier than expected. | 2018-09-20 | not yet calculated | CVE-2018-5871
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, there is an incorrect control flow implementation in Video while checking buffer sufficiency. | 2018-09-20 | not yet calculated | CVE-2018-11287
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, com.qualcomm.embms is a vendor package deployed in the system image which has an inadequate permission level and allows any application installed from Play Store to request this permission at install-time. The system application interfaces with the Radio Interface Layer, leading to a potential access control issue. | 2018-09-20 | not yet calculated | CVE-2018-11277
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016, a potential buffer overflow exists when parsing TFTP options. | 2018-09-20 | not yet calculated | CVE-2018-11268
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG which produced repeating output much earlier than expected. | 2018-09-20 | not yet calculated | CVE-2018-5837
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, cryptographic issues exist because the random number generator used in NAN was not a strong one. | 2018-09-20 | not yet calculated | CVE-2018-11291
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016, while parsing a FLAC file with a corrupted picture block, a buffer over-read can occur. | 2018-09-20 | not yet calculated | CVE-2018-11285
CONFIRM
CONFIRM
qualcomm -- android
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, when sending malformed XML data to deviceprogrammer/firehose it may do an out of bounds buffer write allowing a region of memory to be filled with 0x20. | 2018-09-20 | not yet calculated | CVE-2018-11267
CONFIRM
quickapps -- quickappscms
An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI. | 2018-09-16 | not yet calculated | CVE-2018-17102
MISC
MISC
red_hat -- undertow
An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. | 2018-09-18 | not yet calculated | CVE-2018-14642
CONFIRM
ricoh -- mp_2001_printer
On the RICOH MP 2001 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | 2018-09-21 | not yet calculated | CVE-2018-17002
MISC
ricoh -- sp_4510sf_printer
On the RICOH SP 4510SF printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | 2018-09-21 | not yet calculated | CVE-2018-17001
MISC
rockwell_automation -- rslinx_classic
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to Port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code. | 2018-09-20 | not yet calculated | CVE-2018-14829
MISC
MISC
rockwell_automation -- rslinx_classic
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality. | 2018-09-20 | not yet calculated | CVE-2018-14827
MISC
rockwell_automation -- rslinx_classic
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality. | 2018-09-20 | not yet calculated | CVE-2018-14821
MISC
MISC
samsung -- smarthings_hub-sth-eth-250
An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy call overflows the destination buffer, which has a size of 52 bytes. An attacker can send an arbitrarily long "startTime" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3894
MISC
samsung -- smarthings_hub-sth-eth-250
An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 160 bytes. An attacker can send an arbitrarily long "directory" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3877
MISC
samsung -- smarthings_hub_sth-eth-250
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 64 bytes. An attacker can send an arbitrarily long "bucket" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3915
MISC
samsung -- smarthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 128 bytes. An attacker can send an arbitrarily long "secretKey" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3873
MISC
samsung -- smarthings_hub_sth-eth-250
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 2000 bytes. An attacker can send an arbitrarily long "sessionToken" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3914
MISC
samsung -- smarthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 64 bytes. An attacker can send an arbitrarily long "bucket" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3876
MISC
samsung -- smarthings_hub_sth-eth-250
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 32 bytes. An attacker can send an arbitrarily long "accessKey" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3913
MISC
samsung -- smarthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 32 bytes. An attacker can send an arbitrarily long "accessKey" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3874
MISC
samsung -- smarthings_hub
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of a database field in video-core's HTTP server of Samsung SmartThings Hub. The video-core process insecurely extracts the shard.videoHostURL field from its SQLite database, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3906
MISC
samsung -- wifiscan
An exploitable buffer overflow vulnerability exists in the Samsung WifiScan handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long "cameraIp" value in order to exploit this vulnerability. | 2018-09-20 | not yet calculated | CVE-2018-3865
MISC
samsung -- wifiscan
An exploitable buffer overflow vulnerability exists in the Samsung WifiScan handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long "password" value in order to exploit this vulnerability. | 2018-09-20 | not yet calculated | CVE-2018-3864
MISC
sbi -- sbibuddy
The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Android might allow attackers to perform Account Takeover attacks by intercepting a security-question response during the initial configuration of the application. | 2018-09-16 | not yet calculated | CVE-2018-17108
MISC
seacms -- seacms
SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_template.php?path=../templets/../../ requests. | 2018-09-21 | not yet calculated | CVE-2018-16821
MISC
MISC
seacms -- seacms
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action. | 2018-09-21 | not yet calculated | CVE-2018-17321
MISC
seacms -- seacms
SeaCMS 6.64 allows SQL Injection via the upload/admin/admin_video.php order parameter. | 2018-09-21 | not yet calculated | CVE-2018-16822
MISC
MISC
seacms -- seacms
An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter. | 2018-09-16 | not yet calculated | CVE-2018-17062
MISC
simple_pos_pool -- simple_pos
 
Simple POS 4.0.24 allows SQL Injection via a products/get_products/ columns[0][search][value] parameter in the management panel, as demonstrated by products/get_products/1.2018-09-17not yet calculatedCVE-2018-17110
EXPLOIT-DB
slack-archive-bot -- slack-archive-botSQL injection vulnerability in archivebot.py in docmarionum1 Slack ArchiveBot (aka slack-archive-bot) before 2018-09-19 allows remote attackers to execute arbitrary SQL commands via the text parameter to cursor.execute().2018-09-20not yet calculatedCVE-2018-17232
MISC
smarty -- smarty
 
Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files.2018-09-18not yet calculatedCVE-2018-13982
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
snap_creek -- duplicator
Description: An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-17207
Source & Patch Info: MISC, MISC

softcase -- t-router
Description: An issue was discovered on SoftCase T-Router build 20112017 devices. A remote attacker can read and write to arbitrary files on the system as root, as demonstrated by code execution after writing to a crontab file. This is fixed in production builds as of Spring 2018.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-11241
Source & Patch Info: MISC

softcase -- t-router
Description: An issue was discovered on SoftCase T-Router build 20112017 devices. There are no restrictions on the 'exec command' feature of the T-Router protocol. If the command syntax is correct, there is code execution both on the other modem and on the main servers. This is fixed in production builds as of Spring 2018.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-11240
Source & Patch Info: MISC

soundtouch -- soundtouch
Description: The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (assertion failure and application exit), as demonstrated by SoundStretch.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17096
Source & Patch Info: MISC, MISC

soundtouch -- soundtouch
Description: The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17097
Source & Patch Info: MISC, MISC

soundtouch -- soundtouch
Description: The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (heap corruption from size inconsistency) or possibly have unspecified other impact, as demonstrated by SoundStretch.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17098
Source & Patch Info: MISC, MISC

subsonic -- media_server
Description: An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-9282
Source & Patch Info: MISC

subsonic -- subsonic
Description: An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14691
Source & Patch Info: MISC

subsonic -- subsonic
Description: An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14688
Source & Patch Info: MISC

subsonic -- subsonic
Description: An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14690
Source & Patch Info: MISC

subsonic -- subsonic
Description: An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14689
Source & Patch Info: MISC
symantec -- messaging_gateway
Description: The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to a XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-12243
Source & Patch Info: BID, CONFIRM

symantec -- messaging_gateway
Description: The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an authentication bypass exploit, which is a type of issue that can allow attackers to potentially circumvent security mechanisms currently in place and gain access to the system or network.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-12242
Source & Patch Info: BID, CONFIRM

tec4data -- smartcooler
Description: In Tec4Data SmartCooler, all versions prior to firmware 180806, the device responds to a remote unauthenticated reboot command that may be used to perform a denial of service attack.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-14796
Source & Patch Info: MISC

thewebfosters -- ultimatepos
Description: UltimatePOS 2.5 allows users to upload arbitrary files, which leads to remote command execution by posting to a /products URI with PHP code in a .php file with the image/jpeg content type.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-17139
Source & Patch Info: EXPLOIT-DB

tinyftp -- tinyftpd
Description: In Tinyftp Tinyftpd 1.1, a buffer overflow exists in the text variable of the do_mkd function in the ftpproto.c file. An attacker can overwrite ebp via a long pathname.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17106
Source & Patch Info: MISC

torproject.org -- tor_browser
Description: Tor Browser on Windows before 8.0 allows remote attackers to bypass the intended anonymity feature and discover a client IP address, a different vulnerability than CVE-2017-16541. User interaction is required to trigger this vulnerability.
Published: 2018-09-14 | CVSS Score: not yet calculated | CVE-2017-16639
Source & Patch Info: MISC, BID, BUGTRAQ, MISC

ubisoft -- uplay_desktop_client
Description: upc.exe in Ubisoft Uplay Desktop Client version 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-15832
Source & Patch Info: EXPLOIT-DB

ucms -- ucms
Description: An issue was discovered in UCMS 1.4.6. aaddpost.php has stored XSS via the sadmin/aindex.php minfo parameter in a sadmin_aaddpost action.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17320
Source & Patch Info: MISC

udisks -- udisks
Description: UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings.
Published: 2018-09-22 | CVSS Score: not yet calculated | CVE-2018-17336
Source & Patch Info: MISC

vectra_networks -- cognito_brain_and_sensor
Description: CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14889
Source & Patch Info: CONFIRM

vectra_networks -- cognito_brain_and_sensor
Description: Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14890
Source & Patch Info: CONFIRM

vectra_networks -- cognito_brain_and_sensor
Description: Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14891
Source & Patch Info: CONFIRM
wallabag -- wallabag
Description: The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-11352
Source & Patch Info: MISC

wanscam -- hw0021_ip_camera
Description: There exists a partial Denial of Service vulnerability in Wanscam HW0021 IP Cameras. An attacker could craft a malicious POST request to crash the ONVIF service on such a device.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-13111
Source & Patch Info: MISC

wavm -- wavm
Description: An issue was discovered in WAVM before 2018-09-16. The run function in Programs/wavm/wavm.cpp does not check whether there is Emscripten memory to store the command-line arguments passed by the input WebAssembly file's main function, which allows attackers to cause a denial of service (application crash by NULL pointer dereference) or possibly have unspecified other impact by crafting certain WebAssembly files.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17293
Source & Patch Info: MISC, MISC

wavm -- wavm
Description: An issue was discovered in WAVM before 2018-09-16. The loadModule function in Include/Inline/CLI.h lacks checking of the file length before a file magic comparison, allowing attackers to cause a Denial of Service (application crash caused by out-of-bounds read) by crafting a file that has fewer than 4 bytes.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17292
Source & Patch Info: MISC, MISC

webpack_dev_server -- webpack_dev_server
Description: An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-14732
Source & Patch Info: MISC, CONFIRM, CONFIRM

wecon -- plc_editor
Description: WECON PLC Editor version 1.3.3U may allow an attacker to execute code under the current process when processing project files.
Published: 2018-09-19 | CVSS Score: not yet calculated | CVE-2018-14792
Source & Patch Info: MISC

western_digital -- my_cloud_device
Description: It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
Published: 2018-09-18 | CVSS Score: not yet calculated | CVE-2018-17153
Source & Patch Info: BID, MISC, MISC

wordpress -- wordpress
Description: The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-17140
Source & Patch Info: EXPLOIT-DB

wordpress -- wordpress
Description: The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-17138
Source & Patch Info: EXPLOIT-DB

xar -- xar
Description: An issue has been discovered in mackyle xar 1.6.1. There is a NULL pointer dereference in xar_unserialize in lib/archive.c.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17094
Source & Patch Info: MISC

xar -- xar
Description: An issue has been discovered in mackyle xar 1.6.1. There is a NULL pointer dereference in xar_get_path in lib/util.c.
Published: 2018-09-16 | CVSS Score: not yet calculated | CVE-2018-17093
Source & Patch Info: MISC

yunucms -- yunucms
Description: Cross-site scripting (XSS) vulnerability in index.php/index/category/index in YUNUCMS 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the area parameter.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-17322
Source & Patch Info: MISC

zoho -- manageengine_desktop_central
Description: Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-16833
Source & Patch Info: MISC

zoho -- manageengine_opmanager
Description: Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17243
Source & Patch Info: CONFIRM

zoho -- manageengine_opsmanager
Description: Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
Published: 2018-09-20 | CVSS Score: not yet calculated | CVE-2018-17283
Source & Patch Info: MISC, MISC

zoho -- manageengine_supportcenter
Description: In Zoho ManageEngine SupportCenter Plus 8.1.0, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.
Published: 2018-09-21 | CVSS Score: not yet calculated | CVE-2018-16965
Source & Patch Info: MISC

zzcms -- zzcms
Description: zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header.
Published: 2018-09-17 | CVSS Score: not yet calculated | CVE-2018-17136
Source & Patch Info: MISC
