SB18-253: Vulnerability Summary for the Week of September 3, 2018

Original release date: September 10, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.

Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no medium vulnerabilities recorded this week.

Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.

Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

absolute_software — ctes_windows_agent
Description: An issue was discovered in Absolute Software CTES Windows Agent through 1.0.0.1479. The security permissions on the %ProgramData%\CTES folder and sub-folders may allow write access to low-privileged user accounts. This allows unauthorized replacement of service program executable (EXE) or dynamically loadable library (DLL) files, causing elevated (SYSTEM) user access. Configuration control files or data files under this folder could also be similarly modified to affect service process behavior.
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16715, CONFIRM

adobe — experience_manager
Description: Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a Cross-site Scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-5005, BID, SECTRACK, CONFIRM

adrenaline — hrms
Description: A Reflected Cross Site Scripting (XSS) vulnerability was discovered in Adrenalin 5.4.0 HRMS Software. User-supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the flexiportal/GeneralInfo.aspx strAction parameter.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-12234, MISC

amcrest — networked_devices
Description: Amcrest networked devices use the same hardcoded SSL private key across different customers’ installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation, as demonstrated by Amcrest_IPC-HX1X3X-LEXUS_Eng_N_AMCREST_V2.420.AC01.3.R.20180206.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16546, MISC

antenna_house — dmc_htmlfilter
Description: An exploitable heap corruption vulnerability exists in the Txo functionality of Antenna House DMC HTMLFilter as used by MarkLogic 8.0-6. A specially crafted XLS file can cause a heap corruption resulting in arbitrary code execution. An attacker can send or provide a malicious XLS file to trigger this vulnerability.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2017-2795, MISC

antenna_house — dmc_htmlfilter
Description: An exploitable heap corruption vulnerability exists in the iBldDirInfo functionality of Antenna House DMC HTMLFilter as used by MarkLogic 8.0-6. A specially crafted XLS file can cause a heap corruption resulting in arbitrary code execution. An attacker can provide a malicious XLS file to trigger this vulnerability.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2017-2792, MISC

artifex — ghostscript
Description: In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16541, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16542, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16585, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16513, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16540, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16539, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in “ztype” could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16511, MISC, MISC, MISC, MISC, DEBIAN

artifex — ghostscript
Description: In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16543, MISC, MISC, DEBIAN

artifex — ghostscript
Description: An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the “CS” and “SC” PDF primitives could be used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16510, MISC, MISC, MISC

artifex — ghostscript
Description: An issue was discovered in Artifex Ghostscript before 9.24. Incorrect “restoration of privilege” checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the “pipe” instruction.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16509, MISC, MISC, MISC, CONFIRM, MISC, MISC, MISC

artifex — mupdf
Description: In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16648, MISC

artifex — mupdf
Description: In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16647, MISC

asus — wl-330nul_firmware
Description: Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware versions prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0647, JVN, MISC

auracms — auracms
Description: An issue was discovered in AuraCMS 2.3. There is a CSRF vulnerability that can change the administrator’s password via admin.php?mod=users and subsequently add a page or menu, or submit a topic.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16338, MISC

baigo — cms
Description: An issue was discovered in baigo CMS v2.1.1. There is an index.php?m=article&c=request CSRF that can cause publication of any article.
Published: 2018-09-04 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16458, MISC

baijiacms — baijiacms
Description: An issue was discovered in baijiacms V4. Blind SQL Injection exists via the order parameter in an index.php?act=index request.
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16724, MISC

baijiacms — baijiacms
Description: An issue was discovered in baijiacms V4. XSS exists via the assets/weengine/components/zclip/ZeroClipboard.swf id parameter, aka “Non-standard use of the flash component.”
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16725, MISC

bit_part — mtappjquery
Description: MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via unspecified vectors.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0645, JVN, CONFIRM, CONFIRM

bluecms — bluecms
Description: BlueCMS 1.6 allows SQL Injection via the user_name parameter to uploads/user.php?act=index_login.
Published: 2018-09-03 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16432, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT 2.5.4. The “act” parameter in the sign-up page available at /index.php?page=signup is vulnerable to reflected cross-site scripting.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15678, CONFIRM, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT. PHP error logs are stored in an open directory (/include/logs) using predictable file names, which can lead to full path disclosure and leakage of sensitive data.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15684, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT 2.5.4. news.php allows XSS via the id parameter.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16361, CONFIRM, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT 2.5.4. The “keywords” parameter in the search function available at /index.php?page=forums&action=search is vulnerable to reflected cross-site scripting.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15679, CONFIRM, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT 2.5.4. The hashed passwords stored in the xbtit_users table are stored as unsalted MD5 hashes, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15680, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT. By using String.replace and eval, it is possible to bypass the includes/crk_protection.php anti-XSS mechanism that looks for a number of dangerous fingerprints.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15676, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT. The “returnto” parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when accessing the page, they will be instantly redirected.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15683, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT. Due to a lack of cross-site request forgery protection, it is possible to automate the action of sending private messages to users by luring an authenticated user to a web page that automatically submits a form on their behalf.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15682, MISC

btiteam — xbtit
Description: The newsfeed (aka /index.php?page=viewnews) in BTITeam XBTIT 2.5.4 has stored XSS via the title of a news item. This is also exploitable via CSRF.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15677, CONFIRM, MISC

btiteam — xbtit
Description: An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, their password hash is rehashed using a predictable salt and stored in the “pass” cookie, which is not flagged as HTTPOnly. Due to the weak and predictable salt that is in place, an attacker who successfully steals this cookie can efficiently brute-force it to retrieve the user’s cleartext password.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15681, MISC

canon_it_solutions — multiple_products
Description: Untrusted search path vulnerability in the installers of multiple Canon IT Solutions Inc. software programs (ESET Smart Security Premium, ESET Internet Security, ESET Smart Security, ESET NOD32 Antivirus, DESlock+ Pro, and CompuSec (all programs except packaged ones)) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0649, JVN, CONFIRM

chatwork — desktop_app_for_windows
Description: Untrusted search path vulnerability in the installer of ChatWork Desktop App for Windows 2.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0648, JVN, MISC

chemcms — chem_cms
Description: ChemCMS 1.0.6 has XSS via the “setting -> website information” field.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16346, MISC

contiki_ng — contiki_ng
Description: An issue was discovered in Contiki-NG through 4.1. There is a buffer over-read in lookup in os/storage/antelope/lvm.c while parsing AQL (lvm_register_variable, lvm_set_variable_value, create_intersection, create_union).
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16667, MISC

contiki_ng — contiki_ng
Description: An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow while parsing AQL in lvm_shift_for_operator in os/storage/antelope/lvm.c.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16665, MISC

contiki_ng — contiki_ng
Description: An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in next_string in os/storage/antelope/aql-lexer.c while parsing AQL (parsing next string).
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16666, MISC

contiki_ng — contiki_ng
Description: An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow in lvm_set_type in os/storage/antelope/lvm.c while parsing AQL (lvm_set_op, lvm_set_relation, lvm_set_operand).
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16664, MISC

contiki_ng — contiki_ng
Description: An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in parse_relations in os/storage/antelope/aql-parser.c while parsing AQL (storage of relations).
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16663, MISC

contronics — homeputer_cl_studio_fur_homematic
Description: Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses cleartext to exchange the username and password between server and client instances, which allows remote attackers to obtain sensitive information via a man-in-the-middle attack.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2017-17691, MISC

craftedweb — craftedweb
Description: CraftedWeb through 2013-09-24 has reflected XSS via the p parameter.
Published: 2018-09-04 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16450, MISC

creme — crm
Description: An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 stored Cross-Site Scripting (XSS) vulnerabilities in the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters in the contact creation and modification page. The payload is stored within the application database and allows the execution of JavaScript code each time a client visits an infected page.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-9283, MISC

creme — crm
Description: An issue was discovered in Creme CRM 1.6.12. The value of the cancel button uses the content of the HTTP Referer header, and could be used to trick a user into visiting a fake login page in order to steal credentials.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-14398, MISC

creme — crm
Description: An issue was discovered in Creme CRM 1.6.12. The salesman creation page is affected by 10 stored cross-site scripting vulnerabilities involving the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-14396, MISC

creme — crm
Description: An issue was discovered in Creme CRM 1.6.12. The organization creation page is affected by 9 stored cross-site scripting vulnerabilities involving the name, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-14397, MISC

cscms — cscms
Description: upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16732, MISC, MISC

cscms — cscms
Description: upload\plugins\sys\Install.php in CScms 4.1 has XSS via the site name.
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16730, MISC, MISC

cscms — cscms
Description: Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save.
Published: 2018-09-04 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16448, MISC

cscms — cscms
Description: CScms 4.1 allows arbitrary file upload by (for example) adding the php extension to the default filetype list (gif, jpg, png), and then providing a .php pathname within fileurl JSON data.
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16731, MISC, MISC

cscms — cscms
Description: An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website’s basic configuration via upload/admin.php/setting/save.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16337, MISC

curl — curl
Description: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-14618, SECTRACK, CONFIRM, CONFIRM, DEBIAN

d_link — dir-846_devices
Description: D-Link DIR-846 devices with firmware 100.26 allow remote attackers to execute arbitrary code as root via a SetNetworkTomographySettings request by leveraging admin access.
Published: 2018-09-03 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16408, MISC

docker — docker_for_windows
Description: HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the “docker-users” group (who may not otherwise have administrator access) to escalate to administrator privileges.
Published: 2018-08-31 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-15514, BID, MISC, MISC, MISC

dojo — dojotoolkit
Description: Dojo Objective Harness (DOH) versions prior to 1.14 contain a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in the victim being attacked through their browser (malware delivery, theft of HTTP cookies, bypass of CORS trust). This attack appears to be exploitable when victims are lured to a web site under the attacker’s control; the XSS vulnerability on the target domain is then silently exploited without the victim’s knowledge. This vulnerability appears to have been fixed in 1.14.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-1000665, CONFIRM, CONFIRM

doracms — doracms
Description: Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments field, related to users/userAddContent.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16622, MISC

dotclear — dotclear
Description: A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16358, MISC

e107 — e107
Description: e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16381, MISC

easycms — easycms
Description: An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16345, MISC

elefant — cms
Description: An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16387, MISC

elfutils — elfutils
Description: libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.
Published: 2018-09-03 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16403, MISC, MISC

elfutils — elfutils
Description: libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
Published: 2018-09-03 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16402, MISC

empirecms — empirecms
Description: An issue was discovered in EmpireCMS 7.0. There is a CSRF vulnerability that can add administrators via upload/e/admin/user/AddUser.php?enews=AddUser.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16339, MISC

endress+hauser — wirelesshart_fieldgate_swg70_devices
Description: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16059, EXPLOIT-DB

ethereum — go_ethereum
Description: In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.
Published: 2018-09-08 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16733, MISC

exceljs — exceljs
Description: An unescaped payload in exceljs
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16459, MISC

fhcrm — fhcrm
Description: An issue was discovered in FHCRM through 2018-02-11. There is a SQL injection via the index.php/User/read limit parameter.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16354, MISC

fhcrm — fhcrm
Description: An issue was discovered in FHCRM through 2018-02-11. There is a SQL injection via the /index.php/Customer/read limit parameter.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16353, MISC

flask-admin — flask-admin
Description: helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16516, MISC

foliovision — fb_flowplayer_video_player
Description: Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0642, JVN, CONFIRM

fortinet — fortimanager
Description: An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a standard user with adom assignment to read the interface settings of vdoms unrelated to the assigned adom.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-1353, CONFIRM

fortinet — fortios
Description: A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server’s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable to such an attack under the VIP SSL feature when CPx is being used.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-9194, CONFIRM, MISC, CERT-VN

fortinet — fortios
Description: A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server’s private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable to such an attack under the SSL Deep Inspection feature when CPx is being used.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-9192, CONFIRM, MISC, CERT-VN

freebsd — freebsd
Description: In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p2, 11.1-RELEASE-p13, the IP fragment reassembly code is vulnerable to a denial of service due to excessive system resource consumption. This issue can allow a remote attacker who is able to send arbitrary IP fragments to cause the machine to consume excessive resources.
Published: 2018-09-04 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-6923, SECTRACK, FREEBSD

frog — cms
Description: Frog CMS 0.9.5 has stored XSS via /admin/?/plugin/comment/settings.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16374, MISC

frog — cms
Description: Frog CMS 0.9.5 has admin/?/user/edit/1 CSRF.
Published: 2018-09-04 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16447, MISC

frog — cms
Description: Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16373, MISC

fspro_labs — event_log_explorer
Description: FsPro Labs Event Log Explorer 4.6.1.2115 has “.elx” FileType XML External Entity Injection.
Published: 2018-09-05 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16252, MISC, MISC, EXPLOIT-DB

fuel — cms
Description: Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator’s password.
Published: 2018-09-03 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16416, MISC, MISC

fuji_xerox — docucentre_and_apeosport
Description: Fuji Xerox DocuCentre-V 3065, ApeosPort-VI C3371, ApeosPort-V C4475, ApeosPort-V C3375, DocuCentre-VI C2271, ApeosPort-V C5576, DocuCentre-IV C2263, DocuCentre-V C2263, and ApeosPort-V 5070 devices allow remote attackers to read or write to files via crafted PJL commands.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16709, EXPLOIT-DB

furuno — felcom_devices
Description: FURUNO FELCOM 250 and 500 devices use only client-side JavaScript for authentication.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16590, MISC

gig_technology — jumpscale_portal
Description: GIG Technology NV JumpScale Portal 7 before commit 15443122ed2b1cbfd7bdefc048bf106f075becdb contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in the notifySpaceModification method; improper validation of parameters results in command execution. This attack appears to be exploitable via network connectivity and requires minimal authentication privileges (everyone can register an account). This vulnerability appears to have been fixed after commit 15443122ed2b1cbfd7bdefc048bf106f075becdb.
Published: 2018-09-06 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-1000666, MISC, MISC, CONFIRM, MISC

gleez — cms
Description: An issue was discovered in Gleez CMS v1.2.0. There is XSS via media/imagecache/resize.
Published: 2018-09-02 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16347, MISC

gleez — cms
Description: A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16703, MISC

gleez — cms
Description: An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged in users) to view the profile page of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-16704, MISC

gmo_payment_gateway — ec-cube_and_gmo-pg_payment_modules
Description: Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0658, JVN

gmo_payment_gateway — ec-cube_and_gmo-pg_payment_modules
Description: Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allows an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
Published: 2018-09-07 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2018-0657, JVN
gnome — glib
 
In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.2018-09-03not yet calculatedCVE-2018-16428
BID
MISC
MISC
gnome — glib
 
GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().2018-09-03not yet calculatedCVE-2018-16429
MISC
MISC
gnu — libextractor
 
GNU Libextractor through 1.7 has an out-of-bounds read vulnerability in EXTRACTOR_zip_extract_method() in zip_extractor.c.2018-09-03not yet calculatedCVE-2018-16430
BID
MISC
MISC
gogs — gogs
 
In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.2018-09-03not yet calculatedCVE-2018-16409
MISC
google — androidA vulnerability in NoMachine App for Android 5.0.63 and earlier allows attackers to alter environment variables via unspecified vectors.2018-09-04not yet calculatedCVE-2018-0664
JVN
CONFIRM
google — androidThe LINE MUSIC for Android version 3.1.0 to versions prior to 3.6.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2018-09-07not yet calculatedCVE-2018-0650
JVN
CONFIRM
MISC
google — android
 
In Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel while trying to find out total number of partition via a non zero check, there could be possibility where the ‘TotalPart’ could cross ‘GptHeader->MaxPtCnt’ and which could result in OOB write in patching GPT.2018-09-04not yet calculatedCVE-2018-11262
CONFIRM
CONFIRM
google — android
 
In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, radio_id is received from the FW and is used to access the buffer to copy the radio stats received for each radio from FW. If the radio_id received from the FW is greater than or equal to maximum, an OOB write will occur. On supported Google Pixel and Nexus devices, this has been addressed in security patch level 2018-08-05.2018-09-06not yet calculatedCVE-2018-11263
CONFIRM
CONFIRM
CONFIRM
google — gvisor
Google gVisor before 2018-08-23, within the seccomp sandbox, permits access to the renameat system call, which allows attackers to rename files on the host OS.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16359
Source & Patch Info: MISC, MISC

gxlcms — gxlcms
Gxlcms 2.0 has Directory Traversal exploitable by an administrator.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16437
Source & Patch Info: MISC

gxlcms — gxlcms
Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-16655
Source & Patch Info: MISC, MISC

gxlcms — gxlcms
Gxlcms 2.0 has SQL Injection exploitable by an administrator.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16436
Source & Patch Info: MISC

hdf — hdf5
An issue was discovered in the HDF HDF5 1.8.20 library. There is an out-of-bounds read in H5L_extern_query at H5Lexternal.c.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16438
Source & Patch Info: MISC

hibara — attachecase
Directory traversal vulnerability in AttacheCase ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via a specially crafted ATC file.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-0660
Source & Patch Info: JVN, CONFIRM

hibara — attachecase
Directory traversal vulnerability in AttacheCase ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create or overwrite existing files via a specially crafted ATC file.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-0659
Source & Patch Info: JVN, CONFIRM

hibara — attachecase
AttacheCase ver.3.3.0.0 and earlier allows arbitrary script execution via unspecified vectors.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-0675
Source & Patch Info: JVN, CONFIRM

hibara — attachecase
AttacheCase ver.2.8.4.0 and earlier allows arbitrary script execution via unspecified vectors.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-0674
Source & Patch Info: JVN, CONFIRM

hscripts — php_file_browser
HScripts PHP File Browser Script v1.0 allows Directory Traversal via the index.php path parameter.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16549
Source & Patch Info: MISC

huawei — hirouter-cd20-10
In Huawei HiRouter-CD20-10 with versions before 1.9.6 and WS5200-10 with versions before 1.9.6, there is a plug-in signature bypass vulnerability due to insufficient plug-in verification. An attacker may tamper with a legitimate plug-in to build a malicious plug-in and trick users into installing it. Successful exploitation could allow the attacker to obtain root permission on the device and take full control over it.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-7937
Source & Patch Info: CONFIRM

huawei — mate_10_pro_smartphones
Mate 10 Pro Huawei smartphones with versions before BLA-L29 8.0.0.148(C432) have a Factory Reset Protection (FRP) bypass security vulnerability. When re-configuring the phone using the factory reset protection (FRP) function, an attacker can connect the phone to a PC and send special instructions to install a third-party desktop and disable the boot wizard. As a result, the FRP function is bypassed.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-7936
Source & Patch Info: CONFIRM

huawei — mate_10_pro_smartphones
Mate 10 Pro Huawei smartphones with versions before 8.1.0.326(C00) have an FRP bypass vulnerability. During the phone resetting process, an attacker could bypass “Find My Phone” protection after a series of voice and keyboard operations. Successful exploitation could allow an attacker to bypass FRP.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-7990
Source & Patch Info: CONFIRM

huawei — p10_smartphones
P10 Huawei smartphones with versions before Victoria-AL00AC00B217 have an information leak vulnerability due to the lack of permission validation. An attacker tricks a user into installing a malicious application on the smartphone, and the application can read some hardware serial numbers, which may cause sensitive information leakage.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-7938
Source & Patch Info: CONFIRM

i-o_data_device — ts-wrlp_firmware
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials, which may allow a remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vectors.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-0663
Source & Patch Info: JVN, CONFIRM

i-o_data_device — ts-wrlp_firmware
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to bypass access restrictions and add files to a specific directory, which may result in execution of arbitrary OS commands/code, or leakage or alteration of information including credentials.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-0661
Source & Patch Info: JVN, CONFIRM

i-o_data_device — ts-wrlp_firmware
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to add malicious files on the device and execute arbitrary code.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-0662
Source & Patch Info: JVN, CONFIRM

ibm — api_connect
IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-1789
Source & Patch Info: XF, CONFIRM

ibm — campaign
IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim’s Web browser within the security context of the hosting site. IBM X-Force ID: 121153.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2017-1115
Source & Patch Info: XF, CONFIRM

ibm — campaign
IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 121152.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2017-1114
Source & Patch Info: XF, CONFIRM

ibm — security_identity_governance_and_intelligence
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application. IBM X-Force ID: 148601.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-1757
Source & Patch Info: CONFIRM, XF

ibm — security_identity_governance_and_intelligence
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view information in the back-end database. IBM X-Force ID: 148599.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-1756
Source & Patch Info: CONFIRM, XF

ibm — websphere_application_server
IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1695
Source & Patch Info: XF, CONFIRM

ibm — websphere_application_server
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-1567
Source & Patch Info: XF, CONFIRM

ice_qube — thermal_management_center
In Ice Qube Thermal Management Center versions prior to version 4.13, the web application does not properly authenticate users, which may allow an attacker to gain access to sensitive information.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2017-14026
Source & Patch Info: MISC

ice_qube — thermal_management_center
In Ice Qube Thermal Management Center versions prior to version 4.13, passwords are stored in plaintext in a file that is accessible without authentication.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2017-16714
Source & Patch Info: MISC

ideacms — ideacms
An issue was discovered in IdeaCMS through 2016-04-30. There is reflected XSS via the index.php?c=content&a=search kw parameter. NOTE: this product is discontinued.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16372
Source & Patch Info: MISC

idreamsoft — icms
An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=group&do=save allows CSRF.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16365
Source & Patch Info: MISC

idreamsoft — icms
An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=user&do=save allows CSRF.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16366
Source & Patch Info: MISC

imagemagick — imagemagick
ImageMagick 7.0.8-6 has a memory leak vulnerability in the TIFFWritePhotoshopLayers function in coders/tiff.c.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16641
Source & Patch Info: MISC, MISC

imagemagick — imagemagick
ImageMagick 7.0.8-5 has a memory leak vulnerability in the function ReadOneJNGImage in coders/png.c.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16640
Source & Patch Info: MISC, MISC

imagemagick — imagemagick
The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp.c, ReadCALSImage in coders/cals.c, and ReadPICTImage in coders/pict.c in ImageMagick 7.0.8-4 do not check the return value of the fputc function, which allows remote attackers to cause a denial of service via a crafted image file.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16643
Source & Patch Info: MISC, MISC

imagemagick — imagemagick
There is a missing check for length in the functions ReadDCMImage of coders/dcm.c and ReadPICTImage of coders/pict.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16644
Source & Patch Info: MISC, MISC, MISC

imagemagick — imagemagick
The function InsertRow in coders/cut.c in ImageMagick 7.0.7-37 allows remote attackers to cause a denial of service via a crafted image file due to an out-of-bounds write.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16642
Source & Patch Info: MISC, MISC

imagemagick — imagemagick
ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the coders/psd.c ParseImageResourceBlocks function.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16412
Source & Patch Info: BID, MISC

imagemagick — imagemagick
There is an excessive memory allocation issue in the functions ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image file.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16645
Source & Patch Info: MISC, MISC

imagemagick — imagemagick
ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the MagickCore/quantum-private.h PushShortPixel function when called from the coders/psd.c ParseImageResourceBlocks function.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16413
Source & Patch Info: BID, MISC, MISC

information_builders — webfocus_business_intelligence_portal
An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1. A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2016-9044
Source & Patch Info: MISC

jorani — jorani
An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate or enddate parameter to leaves/validate.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-15918
Source & Patch Info: MISC, MISC, EXPLOIT-DB

jorani — jorani
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-15917
Source & Patch Info: MISC, MISC, EXPLOIT-DB

joyent — smartos
An exploitable denial of service exists in the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFSADDENTRIES when used with a 32 bit model. An attacker can cause a buffer to be allocated and never freed. When repeatedly exploited, this will result in memory exhaustion, resulting in a full system denial of service.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2016-9040
Source & Patch Info: MISC

jsish — jsish
jsish version 2.4.67 contains a CWE-476: NULL Pointer Dereference vulnerability in Jsi_LogMsg (jsiUtils.c:196) that can result in a crash due to segmentation fault. This attack appears to be exploitable via the victim executing specially crafted JavaScript code. This vulnerability appears to have been fixed in 2.4.69.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000661
Source & Patch Info: CONFIRM

jsish — jsish
jsish version 2.4.70 2.047 contains a CWE-125: Out-of-bounds Read vulnerability in function jsi_ObjArrayLookup (jsiObj.c:274) that can result in a crash due to segmentation fault. This attack appears to be exploitable via the victim executing crafted JavaScript code. This vulnerability appears to have been fixed in 2.4.71.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000668
Source & Patch Info: CONFIRM

jsish — jsish
jsish version 2.4.70 2.047 contains a Buffer Overflow vulnerability in function _jsi_evalcode from jsiEval.c that can result in a crash due to segmentation fault. This attack appears to be exploitable via the victim executing crafted JavaScript code.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000663
Source & Patch Info: CONFIRM

kaizen — asset_manager_and_training_manager
Kaizen Asset Manager (Enterprise Edition) and Training Manager (Enterprise Edition) allow a remote attacker to achieve arbitrary code execution via file impersonation. For example, a malicious dynamic-link library (dll) assumed the identity of a temporary (tmp) file (isxdl.dll) and an executable file assumed the identity of a temporary file (996E.temp).
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16545
Source & Patch Info: MISC

kamailio — kamailio
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with an invalid Via header causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the crcitt_string_array core function for calculating a CRC hash for To tags. (An additional error is present in the check_via_address core function: this function also misses input validation.) This could result in denial of service and potentially the execution of arbitrary code.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-16657
Source & Patch Info: MISC

koha — library_system
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl (parameters affected: borrowernumber, amount, amountoutstanding, paid) that can result in attackers marking payments as paid for certain users on behalf of Administrators. This attack appears to be exploitable when the victim is socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000669
Source & Patch Info: CONFIRM

koha — library_system
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in multiple fields on multiple pages, including /cgi-bin/koha/acqui/supplier.pl?op=enter, /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number], and /cgi-bin/koha/serials/subscription-add.pl, that can result in privilege escalation by taking control of higher privileged users' browser sessions. This attack appears to be exploitable when victims are socially engineered into visiting a vulnerable webpage containing a malicious payload. This vulnerability appears to have been fixed in 17.11.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000670
Source & Patch Info: CONFIRM

kone — group_controller
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-15485
Source & Patch Info: MISC, CONFIRM

kone — group_controller
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Remote Code Execution is possible through the open HTTP interface by modifying autoexec.bat, aka KONE-01.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-15484
Source & Patch Info: MISC, CONFIRM

kone — group_controller
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-15486
Source & Patch Info: MISC, CONFIRM

kone — group_controller
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Denial of Service can occur through the open HTTP interface, aka KONE-04.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-15483
Source & Patch Info: MISC, CONFIRM

lavalite — cms
LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16551
Source & Patch Info: MISC

limesurvey — limesurvey
In LimeSurvey before 3.14.7, an admin user can leverage a “file upload” question to read an arbitrary file.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16397
Source & Patch Info: MISC

limesurvey — limesurvey
LimeSurvey versions prior to 3.14.4 contain a file upload vulnerability in the upload functionality that can result in an attacker gaining code execution via a webshell. This attack appears to be exploitable via an authenticated user uploading a zip archive which can contain malicious PHP files that can be called under certain circumstances. This vulnerability appears to have been fixed after commit 91d143230eb357260a19c8424b3005deb49a47f7 / version 3.14.4.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000658
Source & Patch Info: CONFIRM, CONFIRM

limesurvey — limesurvey
LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of a webshell through the file upload functionality and can result in remote code execution as an authenticated user. This attack appears to be exploitable via an authenticated user uploading a specially crafted zip file to get remote code execution. This vulnerability appears to have been fixed after commit 72a02ebaaf95a80e26127ee7ee2b123cccce05a7 / version 3.14.4.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000659
Source & Patch Info: CONFIRM

linux — linux_kernel
Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-6554
Source & Patch Info: MLIST, MLIST

linux — linux_kernel
The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-6555
Source & Patch Info: MLIST, MLIST

linux — linux_kernel
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-5391
Source & Patch Info: CONFIRM, BID, SECTRACK, MISC, MLIST, UBUNTU, UBUNTU, UBUNTU, UBUNTU, UBUNTU, UBUNTU, DEBIAN, CERT-VN

linux — linux_kernel
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-16658
Source & Patch Info: MISC, MISC, MISC

little_color_management_system — little_color_management_system
Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16435
Source & Patch Info: MISC, MISC, MLIST, DEBIAN

mantisbt — mantisbt
An issue was discovered in the Source Integration plugin before 1.5.9 and 2.x before 2.1.5 for MantisBT. A cross-site scripting (XSS) vulnerability in the Manage Repository and Changesets List pages allows execution of arbitrary code (if CSP settings permit it) via repo_manage_page.php or list.php.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16362
Source & Patch Info: CONFIRM, CONFIRM, CONFIRM

mayan — edms
An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16405
Source & Patch Info: MISC, MISC, MISC

mayan — edms
An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16406
Source & Patch Info: MISC, MISC, MISC

mayan — edms
An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16407
Source & Patch Info: MISC, MISC, MISC

micropyramid — django-crm
MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16552
Source & Patch Info: MISC

multiple_vendors — multiple_products
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-5389
Source & Patch Info: MISC, MISC, CERT-VN, MISC

netwide_assembler — netwide_assembler
NASM nasm-2.13.03 and nasm-2.14rc15 (version 2.14rc15 and earlier) contain a memory corruption (crash) of nasm when handling a crafted file, in function assemble_file(inname, depend_ptr) at asm/nasm.c:482, that can result in aborting/crashing the nasm program. This attack appears to be exploitable via a specially crafted asm file.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000667
Source & Patch Info: MISC, MISC

netwide_assembler — netwide_assembler
asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16517
Source & Patch Info: MISC, MISC

netwide_assembler — netwide_assembler
Netwide Assembler (NASM) 2.14rc15 has a buffer over-read in x86/regflags.c.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16382
Source & Patch Info: MISC

nibbleblog — nibbleblog
An issue was discovered in Nibbleblog v4.0.5. With an admin’s username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes (e.g., “${phpinfo()}”).
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-16604
Source & Patch Info: MISC

nordvpn — nordvpn
An exploitable code execution vulnerability exists in the connect functionality of NordVPN 6.14.28.0. A specially crafted configuration file can cause a privilege escalation, resulting in the execution of arbitrary commands with system privileges.
Published: 2018-09-07 | CVSS Score: not yet calculated | CVE-2018-3952
Source & Patch Info: MISC

ogma_cms — ogma_cms
Ogma CMS 0.4 Beta has XSS via the “Footer Text footer” field on the “Theme/Theme Options” screen.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16379
Source & Patch Info: MISC

ogma_cms — ogma_cms
An issue was discovered in Ogma CMS 0.4 Beta. There is a CSRF vulnerability in users.php?action=createnew that can add an admin account.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16380
Source & Patch Info: MISC

okular — okular
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function “unpackDocumentArchive(…)” in “core/document.cpp” that can result in arbitrary file creation on the user workstation. This attack appears to be exploitable when the victim opens a specially crafted Okular archive. This issue appears to have been corrected in version 18.08.1.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-1000801
Source & Patch Info: CONFIRM, CONFIRM

onethink — onethink
OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Channel/add.html, adding a blog via admin.php?s=/Article/update.html, and setting the audit state via admin.php?s=/Article/setStatus/status/1.html.
Published: 2018-09-04 | CVSS Score: not yet calculated | CVE-2018-16449
Source & Patch Info: MISC

onlinejudge — onlinejudge
In OnlineJudge 2.0, the sandbox has an incorrect access control vulnerability that can write a file anywhere. A user can write a directory listing to /tmp, and can leak file data with a #include.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16367
Source & Patch Info: MISC

openjpeg — openjpeg
An issue was discovered in OpenJPEG 2.3.0. Missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c can lead to a heap-based buffer overflow.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16375
Source & Patch Info: BID, MISC

openjpeg — openjpeg
An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16376
Source & Patch Info: BID, MISC

openmrs — reference_application
An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16521
Source & Patch Info: MISC, MISC

opensc — opensc
A double free when handling responses from an HSM Card in sc_pkcs15emu_sc_hsm_init in libopensc/pkcs15-sc-hsm.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16425
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Several buffer overflows when handling responses from a CAC Card in cac_get_serial_nr_from_CUID in libopensc/card-cac.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16421
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash programs using the opensc library.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16427
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
A double free when handling responses in read_file in tools/egk-tool.c (aka the eGK card tool) in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16424
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16423
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash programs using the opensc library.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16426
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16392
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16391
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16418
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16422
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16393
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16419
Source & Patch Info: MISC, MISC, MISC

opensc — opensc
Several buffer overflows when handling responses from an ePass 2003 Card in decrypt_response in libopensc/card-epass2003.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.
Published: 2018-09-03 | CVSS Score: not yet calculated | CVE-2018-16420
Source & Patch Info: MISC, MISC, MISC

openshift — container_platform
An out of bound write can occur when patching an Openshift object using the ‘oc patch’ functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management.
Published: 2018-09-06 | CVSS Score: not yet calculated | CVE-2018-14632
Source & Patch Info: CONFIRM, CONFIRM

opsview — monitor
The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16147
Source & Patch Info: CONFIRM, CONFIRM, FULLDISC, MISC

opsview — monitor
The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16148
Source & Patch Info: CONFIRM, CONFIRM, FULLDISC, MISC

opsview — monitor
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16146
Source & Patch Info: CONFIRM, FULLDISC, MISC

opsview — monitor
The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16144
Source & Patch Info: CONFIRM, CONFIRM, FULLDISC, MISC

opsview — monitor
The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance.
Published: 2018-09-05 | CVSS Score: not yet calculated | CVE-2018-16145
Source & Patch Info: CONFIRM, CONFIRM, FULLDISC, MISC

owasp — modsecurity_core_rule_set
A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as “if”) and b is the SQL statement to be executed.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16384
Source & Patch Info: MISC

pescms-team — pescms-team
In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP code through /Public/?g=Team&m=Setting&a=upgrade by placing a .php file in a ZIP archive.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16370
Source & Patch Info: MISC

pescms-team — pescms-team
PESCMS Team 2.2.1 has multiple reflected XSS via the keyword parameter: g=Team&m=User&a=index&keyword=, g=Team&m=User_group&a=index&keyword=, g=Team&m=Department&a=index&keyword=, and g=Team&m=Bulletin&a=index&keyword=.
Published: 2018-09-02 | CVSS Score: not yet calculated | CVE-2018-16371
Source & Patch Info: MISC

phpmyfaq — phpmyfaqphpMyFAQ before 2.9.11 allows CSRF.2018-09-07not yet calculatedCVE-2018-16650
CONFIRM
phpmyfaq — phpmyfaq
 
The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.2018-09-07not yet calculatedCVE-2018-16651
CONFIRM
phpscriptsmall.com — olx_clone_script
PHP Scripts Mall Olx Clone 3.4.2 has XSS.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-16454 | Source & Patch Info: MISC

pidgin — pidgin
Pidgin versions before 2.11.0 contain a vulnerability in X.509 certificate import, specifically an improper check of the return values of gnutls_x509_crt_init() and gnutls_x509_crt_import(), that can result in code execution. The attack appears to be exploitable via a custom X.509 certificate sent from another client. The vulnerability appears to have been fixed in 2.11.0.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2016-1000030 | Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, GENTOO, CONFIRM

pon_software — explzh
Directory traversal vulnerability in Explzh v.7.58 and earlier allows an attacker to read arbitrary files via unspecified vectors.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-0646 | Source & Patch Info: JVN, CONFIRM

poppler — poppler
In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-16646 | Source & Patch Info: MISC

prim’x — zed!
A directory traversal vulnerability with remote code execution in Prim’X Zed! FREE through 1.0 build 186 and Zed! Limited Edition through 6.1 build 2208 allows creation of arbitrary files on a user’s workstation using crafted ZED! containers, because the watermark loading function can place an executable file into a Startup folder.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-16518 | Source & Patch Info: MISC

proconf — proconf
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors’ personal information (Name, Email, Organization, and Position) by changing the value of the Paper ID (the pid parameter).
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-16606 | Source & Patch Info: MISC

protonvpn — protonvpn
An exploitable code execution vulnerability exists in the connect functionality of the ProtonVPN VPN client 1.5.1. A specially crafted configuration file can cause a privilege escalation, resulting in the ability to execute arbitrary commands with the system’s privileges.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-4010 | Source & Patch Info: MISC

pulse_secure — connect_secure_and_policy_secure
download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure 5.2RX before 5.2R10 and 5.4RX before 5.4R4 has an Open Redirect vulnerability.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-14366 | Source & Patch Info: CONFIRM

pulse_secure — connect_secure_and_policy_secure
A vulnerability has been discovered in login.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1RX before 8.1R12 and 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.2RX before 5.2R9 and 5.4RX before 5.4R2 wherein an HTTP(S) Host header received from the browser is trusted without validation.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-6320 | Source & Patch Info: CONFIRM

pulse_secure — pulse_desktop_client
The Pulse Secure Desktop client (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Privilege Escalation vulnerability.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-15726 | Source & Patch Info: CONFIRM

pulse_secure — pulse_desktop_client
In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, there is a Privilege Escalation vulnerability with Dynamic Certificate Trust.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-16261 | Source & Patch Info: CONFIRM

pulse_secure — pulse_desktop_client
The Pulse Secure Desktop client (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String vulnerability.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-15749 | Source & Patch Info: CONFIRM

pulse_secure — pulse_desktop_client
The Pulse Secure Desktop client (macOS) has a Privilege Escalation vulnerability.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-15865 | Source & Patch Info: CONFIRM
red_hat — enterprise_linux_server_and_gluster_storage_server
A flaw was found in the dic_unserialize function of glusterfs, which does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10911 | Source & Patch Info: REDHAT, REDHAT, CONFIRM, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
An information disclosure vulnerability was discovered in the glusterfs server. An attacker could issue an xattr request via glusterfs FUSE to determine the existence of any file.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10913 | Source & Patch Info: REDHAT, REDHAT, CONFIRM, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
A flaw was found in the RPC request handling using gfs2_create_req in the glusterfs server. An authenticated attacker could use this flaw to create arbitrary files and execute arbitrary code on glusterfs server nodes.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10929 | Source & Patch Info: REDHAT, REDHAT, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
It was found that the glusterfs server does not properly sanitize file paths in the “trusted.io-stats-dump” extended attribute, which is used by the “debug/io-stats” translator. An attacker can use this flaw to create files and execute arbitrary code. To exploit this, the attacker would require sufficient access to modify the extended attributes of files on a gluster volume.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10904 | Source & Patch Info: REDHAT, REDHAT, CONFIRM, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
It was found that the “mknod” call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10923 | Source & Patch Info: REDHAT, REDHAT, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
It was found that an attacker could issue an xattr request via glusterfs FUSE to cause the gluster brick process to crash, which results in a remote denial of service. If gluster multiplexing is enabled, this results in a crash of multiple bricks and gluster volumes.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10914 | Source & Patch Info: REDHAT, REDHAT, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
It was found that the glusterfs server is vulnerable to multiple stack-based buffer overflows due to functions in server-rpc-fopc.c allocating fixed-size buffers using ‘alloca(3)’. An authenticated attacker could exploit this by mounting a gluster volume and sending a string longer than the fixed buffer size to cause a crash or potential code execution.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10907 | Source & Patch Info: REDHAT, REDHAT, CONFIRM, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
A flaw was found in the RPC request handling using gfs3_mknod_req supported by the glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10926 | Source & Patch Info: REDHAT, REDHAT, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
A flaw was found in the RPC request handling using gfs3_lookup_req in the glusterfs server. An authenticated attacker could use this flaw to leak information and cause a remote denial of service by crashing the gluster brick process.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10927 | Source & Patch Info: REDHAT, REDHAT, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
It was discovered that the fsync(2) system call in the glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume the memory of the host machine.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10924 | Source & Patch Info: CONFIRM, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
A flaw was found in the RPC request handling using gfs3_symlink_req in the glusterfs server, which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10928 | Source & Patch Info: REDHAT, REDHAT, CONFIRM

red_hat — enterprise_linux_server_and_gluster_storage_server
A flaw was found in the RPC request handling using gfs3_rename_req in the glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-10930 | Source & Patch Info: REDHAT, REDHAT, CONFIRM, CONFIRM
redhat — 389-ds-base
A vulnerability was discovered in 389-ds-base through versions 1.3.7.10, 1.3.8.8 and 1.4.0.16. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-14624 | Source & Patch Info: CONFIRM, MISC

rejucms — rejucms
rejucms 2.1 has XSS via the ucenter/cms_user_add.php u_name parameter.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-16653 | Source & Patch Info: MISC

seacms — seacms
An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-16444 | Source & Patch Info: MISC

seacms — seacms
SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16348 | Source & Patch Info: MISC

seacms — seacms
An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.php allows remote attackers to delete arbitrary files via directory traversal sequences in the bakfiles parameter. This can allow the product to be reinstalled by deleting install_lock.txt.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-16446 | Source & Patch Info: MISC

seacms — seacms
An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-16445 | Source & Patch Info: MISC

seacms — seacms
SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16343 | Source & Patch Info: MISC, MISC

showdoc — showdoc
ShowDoc v1.8.0 has XSS via a new page.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16342 | Source & Patch Info: MISC

six_apart — movable_type
Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-0672 | Source & Patch Info: JVN

solarwinds — dameware_mini_remote_control
SolarWinds DameWare Mini Remote Control before 12.1 has a Buffer Overflow.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-12897 | Source & Patch Info: MISC

sony — digital_paper_app
Untrusted search path vulnerability in the installer of Digital Paper App version 1.4.0.16050 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-0656 | Source & Patch Info: JVN, CONFIRM

subsonic — subsonic
daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains a CWE-295: Improper Certificate Validation vulnerability in its HTTPS client: any server certificate not signed by a CA, including self-signed and expired certificates, is accepted by the client. The attack appears to be exploitable when the victim connects to a server that is MITM’d or proxied by an attacker.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-1000664 | Source & Patch Info: CONFIRM

sympa — sympa
Sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in the “referer” parameter of the wwsympa.fcgi login action that can result in open redirection and reflected XSS via data: URIs. The attack appears to be exploitable when the victim’s browser follows a URL supplied by the attacker. No fixed version was available at the time of publication.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-1000671 | Source & Patch Info: MISC
team_viewer — team_viewer
TeamViewer 10.x through 13.x allows remote attackers to bypass the brute-force authentication protection mechanism by skipping the “Cancel” step, which makes it easier to determine the correct value of the default 4-digit PIN.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-16550 | Source & Patch Info: MISC

technicolor — technicolor_tg558v
Technicolor TG588V V2 devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-15907.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-16310 | Source & Patch Info: MISC

theethereumlottery — theethereumlottery
The “PayWinner” function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value from the variable “maxTickets”. Although the variable is declared private, that only prevents other contracts from reading it through the contract’s interface; its value is predictable and can be read directly from contract storage with the eth.getStorageAt function. Therefore, it allows attackers to always win and get rewards.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-15552 | Source & Patch Info: MISC

thinkphp — think_php
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16385 | Source & Patch Info: MISC

tock — tock
Tock versions prior to commit 42f7f36e74088036068d62253e1d8fb26605feed (for example, commit dfde28196cd12071fcf6669f7654be7df482b85d) contain an Insecure Permissions vulnerability in the function get_package_name in the file kernel/src/tbfheader.rs, involving the variable “pub package_name: &’static str,” in the file process.rs, that allows a Tock capsule (untrusted driver) to access arbitrary memory using only safe code. The vulnerability appears to have been fixed in commit 42f7f36e74088036068d62253e1d8fb26605feed.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-1000660 | Source & Patch Info: CONFIRM

tough-cookie — tough-cookie
Node.js Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie header parsing that can result in Denial of Service. The attack appears to be exploitable via a custom HTTP header passed by a client. The vulnerability appears to have been fixed in 2.3.0.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2016-1000232 | Source & Patch Info: REDHAT, REDHAT, CONFIRM, CONFIRM, CONFIRM, CONFIRM, MISC

twistlock — authz_broker
In Twistlock AuthZ Broker 0.1, regular expressions are mishandled, as demonstrated by containers/aa/pause?aaa=/start to bypass a policy in which “docker start” is allowed but “docker pause” is not allowed.
Published: 2018-09-03 | CVSS: not yet calculated | CVE-2018-16398 | Source & Patch Info: MISC, MISC
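The AuthZ Broker entry above is a good illustration of why a path allow-list must be anchored and evaluated against the parsed path rather than the raw request line: an unanchored pattern with a greedy wildcard will happily span a `?` and match a `/start` that only appears in the query string. The Python below is an added example for this summary and is not Twistlock's code; the policy patterns, the Docker Engine API path layout (`/v1.24/containers/<id>/start`) and the request list are assumptions made for the demonstration. It shows the naive matcher accepting the bypass request and the strict matcher rejecting it.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy: "docker start" is permitted, "docker pause" is not.
# The naive form is an unanchored regex run over the raw request URI.
ALLOWED_ACTIONS_NAIVE = [r"/containers/.*/start"]


def allowed_naive(method: str, uri: str) -> bool:
    """Bug-for-bug illustration: search the whole URI, query string included."""
    return method == "POST" and any(re.search(p, uri) for p in ALLOWED_ACTIONS_NAIVE)


# Strict form: the path is parsed out of the URI (dropping the query), the
# pattern is anchored with fullmatch, and the container id segment may not
# contain '/', '?', '#' or a percent sign (so encoded separators cannot hide
# an extra segment).  The optional /vX.Y/ prefix follows the Engine API layout.
ALLOWED_ACTIONS_STRICT = [
    re.compile(r"/(?:v[0-9.]+/)?containers/[^/?#%]+/start"),
]


def allowed_strict(method: str, uri: str) -> bool:
    path = urlsplit(uri).path
    return method == "POST" and any(p.fullmatch(path) for p in ALLOWED_ACTIONS_STRICT)


# Constructed requests: a legitimate start, the bypass shape from the CVE
# entry, and a plain pause.
REQUESTS = [
    ("POST", "/v1.24/containers/aa/start"),
    ("POST", "/v1.24/containers/aa/pause?aaa=/start"),
    ("POST", "/v1.24/containers/aa/pause"),
]


def evaluate(policy) -> list:
    """Apply a policy function to every constructed request, in order."""
    return [policy(method, uri) for method, uri in REQUESTS]


if __name__ == "__main__":
    print("naive :", evaluate(allowed_naive))
    print("strict:", evaluate(allowed_strict))
```

The second request is the one that matters: the naive policy returns True for it (pause is allowed through), the strict policy returns False.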
ubiquiti_networks — multiple_products
The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015; all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2015-9266 | Source & Patch Info: MISC, CONFIRM, CONFIRM, MISC, EXPLOIT-DB, EXPLOIT-DB, MISC

ubuntu — orca
Buffer overflow in Ubuntu 14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-client2) 1:1.4.9+p41-u4jma1 and earlier, Ubuntu 14.04 ORCA 5.0.0 (panda-client2) 1:2.0.0+p48-u4jma1 and earlier, and Ubuntu 16.04 ORCA 5.0.0 (panda-client2) 1:2.0.0+p48-u5jma1 and earlier allows authenticated attackers to cause a denial-of-service (DoS) condition via unspecified vectors.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0644 | Source & Patch Info: JVN, CONFIRM

ubuntu — orca
Ubuntu 14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-server) 1:1.4.9+p41-u4jma1 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0643 | Source & Patch Info: JVN, CONFIRM

umbraengineering — ps
A command injection in the ps package for Node.js, versions before 1.0.0, allowed arbitrary commands to be executed when the attacker controls the PID.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-16460 | Source & Patch Info: MISC
vanilla — vanilla
Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.
Published: 2018-09-03 | CVSS: not yet calculated | CVE-2018-16410 | Source & Patch Info: MISC, MISC

vivotek — fd8177_devices
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 2 of 2) via eventscript.cgi.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-14771 | Source & Patch Info: CONFIRM, MISC

vivotek — fd8177_devices
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-14769 | Source & Patch Info: CONFIRM, MISC

vivotek — fd8177_devices
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2) via the ONVIF interface (/onvif/device_service).
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-14770 | Source & Patch Info: CONFIRM, MISC

weaselcms — weaselcms
There is a PHP code upload vulnerability in WeaselCMS 0.3.6 via index.php because code can be embedded at the end of a .png file when the image/png content type is used.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16352 | Source & Patch Info: MISC

weseek — growi
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating a Wiki page.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0654 | Source & Patch Info: JVN, CONFIRM

weseek — growi
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the Wiki page view.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0653 | Source & Patch Info: JVN, CONFIRM

weseek — growi
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of the admin page.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0652 | Source & Patch Info: JVN, CONFIRM

weseek — growi
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of the admin page.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0655 | Source & Patch Info: JVN, CONFIRM

wildfly — wildfly
The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour its configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections:
Published: 2018-09-04 | CVSS: not yet calculated | CVE-2018-14627 | Source & Patch Info: CONFIRM, CONFIRM

wordpress — wordpress
The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request, because set_transient is used in file_folder_manager.php and there is an echo of lang in libwpfilemanager.php.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-16363 | Source & Patch Info: MISC, MISC, CONFIRM

wordpress — wordpress
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution, due to an incomplete fix for CVE-2017-1000600. The attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited; however, this has not been confirmed at this time.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-1000773 | Source & Patch Info: MISC, MISC

wordpress — wordpress
WordPress versions before 4.9 contain a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. The attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited; however, this has not been confirmed at this time. This issue appears to have been partially, but not completely, fixed in WordPress 4.9.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2017-1000600 | Source & Patch Info: MISC, MISC

wordpress — wordpress
The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-16285 | Source & Patch Info: MISC, MISC

wuzhi — cms
WUZHI CMS 4.1.0 has XSS via the index.php?m=core&f=set&v=basic form[statcode] parameter.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16350 | Source & Patch Info: MISC

wuzhi — cms
WUZHI CMS 4.1.0 has XSS via the index.php?m=link&f=index&v=add form[remark] parameter.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16349 | Source & Patch Info: MISC

xiaomi — miwifi_xiaomi_55dd_devices
An “Out-of-band resource load” issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application’s own response.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-16307 | Source & Patch Info: MISC
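Several entries in this bulletin come down to a server building a URL out of something the client sent: the Pulse Connect Secure login.cgi and download.cgi issues (an unvalidated Host header and an open redirect), the Sympa "referer" open redirect with data: URIs, and the Xiaomi MIWiFi device that fetches whatever host the Host header names. The Python below is an added example for this summary and is not code from any of those products; the canonical host names and the request headers are assumptions made for the demonstration. It shows a Host header check against a configured allow-list, a redirect-target validator that only accepts same-site paths, and the naive variant each replaces.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical deployment configuration: the only names this service answers to.
ALLOWED_HOSTS = {"vpn.example.com", "vpn-backup.example.com"}


def trusted_host(headers: dict) -> str:
    """Return the Host header's hostname if it is one of ours, else raise.
    Every absolute URL the server builds (redirects, links, outbound fetches)
    should use this value, never the raw header."""
    host = headers.get("Host", "").strip().lower()
    # Drop a :port suffix for plain hostnames; bracketed IPv6 is left intact.
    hostname = host if host.startswith("[") else host.split(":", 1)[0]
    if hostname not in ALLOWED_HOSTS:
        raise ValueError("untrusted Host header: %r" % host)
    return hostname


def build_login_redirect_naive(headers: dict, path: str) -> str:
    """The pattern behind the Host header issues: whatever the client sent
    becomes the redirect/link target, so an attacker-chosen Host is reflected."""
    return "https://" + headers.get("Host", "") + path


def build_login_redirect(headers: dict, path: str) -> str:
    return "https://" + trusted_host(headers) + path


def safe_redirect_target(referer: str, default: str = "/") -> str:
    """Reduce a client-supplied return URL to a same-site path, or fall back.
    Rejects foreign hosts, scheme-relative forms (//host, /\\host, ///host),
    and non-https schemes such as data: and javascript:."""
    if not referer:
        return default
    candidate = referer.strip()
    if candidate.startswith("//") or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only accept https to one of our own hosts, and even
        # then keep just the path and query so userinfo/ports cannot leak in.
        if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
            return urlunsplit(("", "", parts.path or "/", parts.query, ""))
        return default
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed requests for demonstration.
    print(build_login_redirect_naive({"Host": "evil.example"}, "/login"))
    print(build_login_redirect({"Host": "VPN.example.com:443"}, "/login"))
    for ref in ("/account?tab=1", "https://vpn.example.com/home",
                "//evil.example/", "data:text/html,<script>alert(1)</script>"):
        print(repr(ref), "->", safe_redirect_target(ref))
```

The fall-back on rejection is a fixed local path rather than an error page, so a tampered return URL degrades to a harmless landing page instead of giving the attacker a signal.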
xpdf — xpdf
SplashXPath::strokeAdjust in splash/SplashXPath.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted PDF file, as demonstrated by pdftoppm.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16368 | Source & Patch Info: MISC

xpdf — xpdf
XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (stack consumption) via a crafted PDF file, related to AcroForm::scanField, as demonstrated by pdftohtml. NOTE: this might overlap CVE-2018-7453.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16369 | Source & Patch Info: MISC

yayoi — multiple_products
Untrusted search path vulnerability in multiple Yayoi 17 Series products (Yayoi Kaikei 17 Series Ver.23.1.1 and earlier, Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier, Yayoi Kyuuyo 17 Ver.20.1.4 and earlier, Yayoi Kyuuyo Keisan 17 Ver.20.1.4 and earlier, Yayoi Hanbai 17 Series Ver.20.0.2 and earlier, and Yayoi Kokyaku Kanri 17 Ver.11.0.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. This flaw exists within the handling of msjet49.dll loaded by the vulnerable products.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0623 | Source & Patch Info: JVN

yayoi — multiple_products
Untrusted search path vulnerability in multiple Yayoi 17 Series products (Yayoi Kaikei 17 Series Ver.23.1.1 and earlier, Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier, Yayoi Kyuuyo 17 Ver.20.1.4 and earlier, Yayoi Kyuuyo Keisan 17 Ver.20.1.4 and earlier, Yayoi Hanbai 17 Series Ver.20.0.2 and earlier, and Yayoi Kokyaku Kanri 17 Ver.11.0.2 and earlier) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. This flaw exists within the handling of ykkapi.dll loaded by the vulnerable products.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-0624 | Source & Patch Info: JVN

yfcmf — yfcmf
admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.
Published: 2018-09-03 | CVSS: not yet calculated | CVE-2018-16431 | Source & Patch Info: MISC

zephyr — zephyr_rtos
zephyr-rtos version 1.12.0 contains a NULL base pointer dereference vulnerability in sys_ring_buf_put() and sys_ring_buf_get() that can result in a CPU page fault (error code 0x00000010). The attack appears to be exploitable via a malicious application calling the vulnerable kernel APIs (sys_ring_buf_get() and sys_ring_buf_put()).
Published: 2018-09-06 | CVSS: not yet calculated | CVE-2018-1000800 | Source & Patch Info: CONFIRM

zsh — zsh
An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-13259 | Source & Patch Info: MISC, MISC, MISC
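The zsh CVE-2018-13259 entry above describes a truncation that turns one interpreter path into a prefix of itself, which is a real program name if something (or someone) has placed a file there. The Python below is an added example for this summary and is not zsh's code; it is a simplified model that reads a script's first line into a 64-byte buffer, the way the entry describes, and compares the interpreter it would execute with the one the author intended. The script line is constructed so that the cut falls exactly after `python3`, and the 64-byte limit applied to the whole line including `#!` is an assumption of the model.

```python
# Model of the pre-5.6 behaviour from the CVE entry: the first line of a script
# is read into a fixed 64-byte buffer.  Whether zsh counted the "#!" bytes in
# that limit is an assumption of this model, not a statement about its source.
LEGACY_LINE_LIMIT = 64


def interpreter_from_shebang(first_line: bytes, limit=None):
    """Return the interpreter path from a '#!' line, or None if there is none.
    With limit set, the line is truncated first, as the buggy reader did."""
    if not first_line.startswith(b"#!"):
        return None
    line = first_line if limit is None else first_line[:limit]
    body = line[2:].split(b"\n", 1)[0].strip()
    if not body:
        return None
    return body.split()[0].decode("utf-8", "replace")


def audit_shebang(first_line: bytes) -> dict:
    """Compare the intended interpreter with what the truncating reader runs."""
    intended = interpreter_from_shebang(first_line)
    legacy = interpreter_from_shebang(first_line, LEGACY_LINE_LIMIT)
    return {
        "intended": intended,
        "legacy": legacy,
        "mismatch": intended is not None and intended != legacy,
        "line_length": len(first_line.rstrip(b"\r\n")),
    }


def risky_scripts(paths) -> list:
    """Report files on disk whose shebang would be mis-read by the old reader.
    Useful for auditing a host before relying on scripts under older zsh."""
    flagged = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report = audit_shebang(fh.readline())
        except OSError:
            continue
        if report["mismatch"]:
            flagged.append((path, report["intended"], report["legacy"]))
    return flagged


# Constructed script header: 2 bytes of "#!" plus a 55-byte directory prefix
# puts the 64-byte cut right after "python3", so the truncated reader would
# execute .../bin/python3 instead of the intended .../bin/python3-wrapper.
SAMPLE_LINE = b"#!/opt/toolchains/release-2018/python-runtime-x86_64/bin/python3-wrapper -u\n"

if __name__ == "__main__":
    for key, value in audit_shebang(SAMPLE_LINE).items():
        print(key, "=", value)
```

The practical check is the mismatch flag: a shebang that is both over the limit and cut at a path that already exists on the host is the case where the wrong binary runs silently.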
zsh — zsh
An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-0502 | Source & Patch Info: MISC, MISC, MISC

zurmo — zurmo
Zurmo 3.2.4 Stable allows XSS via app/index.php/accounts/default/details?id=2&kanbanBoard=1&openToTaskId=1.
Published: 2018-09-07 | CVSS: not yet calculated | CVE-2018-16654 | Source & Patch Info: MISC

zzcms — zzcms
An issue was discovered in zzcms 8.3. It allows remote attackers to delete arbitrary files via directory traversal sequences in the flv parameter. This can be leveraged for database access by deleting install.lock.
Published: 2018-09-02 | CVSS: not yet calculated | CVE-2018-16344 | Source & Patch Info: MISC

zziplib — zziplib
An issue was discovered in ZZIPlib through 0.13.69. There is a memory leak triggered in the function __zzip_parse_root_directory in zip.c, which will lead to a denial of service attack.
Published: 2018-09-05 | CVSS: not yet calculated | CVE-2018-16548 | Source & Patch Info: MISC