Vulnerability Summary for the Week of September 17, 2018
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by Ug-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of Ug-CERT analysis.
High Vulnerabilities
There were no high vulnerabilities recorded this week.
Medium Vulnerabilities
There were no medium vulnerabilities recorded this week.
Low Vulnerabilities
There were no low vulnerabilities recorded this week.
Severity Not Yet Assigned

Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

accusoft -- prizmdoc | Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file. | 2018-09-18 | not yet calculated | CVE-2018-15546; CONFIRM, MISC

apache -- camel | Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal. | 2018-09-17 | not yet calculated | CVE-2018-8041; CONFIRM, BID, CONFIRM

apache -- karaf | In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user. | 2018-09-18 | not yet calculated | CVE-2018-11786; CONFIRM, CONFIRM, MLIST

apache -- karaf | In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured, giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised. | 2018-09-18 | not yet calculated | CVE-2018-11787; CONFIRM, CONFIRM, MLIST

apache -- mesos | Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value. | 2018-09-21 | not yet calculated | CVE-2018-8023; MLIST

apache -- spamassassin | A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2. | 2018-09-17 | not yet calculated | CVE-2018-11780; BID, MLIST

apache -- spamassassin | Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax. | 2018-09-17 | not yet calculated | CVE-2018-11781; MLIST

apache -- spamassassin | A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly, leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we set up an object and hook into the begin and end tag event handlers. In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected, leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future. | 2018-09-17 | not yet calculated | CVE-2017-15705; BID, MLIST

apache -- tika | In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | 2018-09-19 | not yet calculated | CVE-2018-11761; MLIST

apache -- tika | In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file. | 2018-09-19 | not yet calculated | CVE-2018-11762; MLIST

apache -- tika | In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser. | 2018-09-19 | not yet calculated | CVE-2018-8017; MLIST

artifex -- ghostscript | Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. | 2018-09-19 | not yet calculated | CVE-2018-17183; MISC, MISC

asus -- gt-ac5300 | blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter. | 2018-09-17 | not yet calculated | CVE-2018-17127; MISC

atlassian -- fisheye_and_crucible | The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability. | 2018-09-18 | not yet calculated | CVE-2018-13398; CONFIRM, CONFIRM

atlassian -- jira | The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control. | 2018-09-21 | not yet calculated | CVE-2018-16281; CONFIRM

audiofile -- audiofile | An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert. | 2018-09-16 | not yet calculated | CVE-2018-17095; MISC, MISC

avaya -- aura_orchestration_designer | A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. | 2018-09-21 | not yet calculated | CVE-2018-15612; CONFIRM

avaya -- aura_orchestration_designer | A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. | 2018-09-21 | not yet calculated | CVE-2018-15613; CONFIRM

bitcoin_core -- bitcoin_core | Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash. | 2018-09-19 | not yet calculated | CVE-2018-17144; MISC, MISC, MISC, MISC

blackberry -- enterprise_mobility_server | A directory traversal vulnerability in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS) 2.8.17.29 and earlier could allow an attacker to retrieve arbitrary files in the context of a BEMS administrator account. | 2018-09-19 | not yet calculated | CVE-2018-8889; CONFIRM

browserify-hmr -- browserify-hmr | An issue was discovered in Browserify-HMR. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin. | 2018-09-21 | not yet calculated | CVE-2018-14730; MISC, MISC

bullguard -- safe_browsing | BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results. | 2018-09-15 | not yet calculated | CVE-2018-17061; MISC, CONFIRM

circontrol -- circarlife | An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id. | 2018-09-18 | not yet calculated | CVE-2018-16671; MISC

circontrol -- circarlife | An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository. | 2018-09-18 | not yet calculated | CVE-2018-16668; MISC

circontrol -- circarlife | An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html. | 2018-09-18 | not yet calculated | CVE-2018-16670; MISC

circontrol -- open_charge_point_protocol | An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels. | 2018-09-18 | not yet calculated | CVE-2018-16669; MISC

cloud_foundry_foundation -- container_runtime | Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14.0, may leak UAA and vCenter credentials to application logs. A malicious user with the ability to read the application logs could use these credentials to escalate privileges. | 2018-09-17 | not yet calculated | CVE-2018-1223; CONFIRM

cloud_foundry_foundation -- garden-runc | Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of service for new app instances or scaling up of existing apps. | 2018-09-18 | not yet calculated | CVE-2018-11084; CONFIRM

cscms -- cscms | CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php. | 2018-09-17 | not yet calculated | CVE-2018-17125; MISC, MISC

cscms -- cscms | CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php. | 2018-09-17 | not yet calculated | CVE-2018-17126; MISC, MISC

cuppacms -- cuppacms | Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name. | 2018-09-21 | not yet calculated | CVE-2018-17300; MISC

dedecms -- dedecms | DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a " [description truncated in source] | [not shown in source] | not yet calculated | CVE-2018-[number truncated in source]

ethereum -- minttoken_token | The mintToken function of a smart contract implementation for PolyAi (AI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | 2018-09-21 | not yet calculated | CVE-2018-17050; MISC

exiv2 -- exiv2 | Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file. | 2018-09-19 | not yet calculated | CVE-2018-17230; MISC

exiv2 -- exiv2 | An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference. | 2018-09-20 | not yet calculated | CVE-2018-17282; MISC

exiv2 -- exiv2 | Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file. | 2018-09-19 | not yet calculated | CVE-2018-17229; MISC

foreman -- foreman | An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context. | 2018-09-21 | not yet calculated | CVE-2018-14643; BID, REDHAT, CONFIRM, CONFIRM

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data. | 2018-09-19 | not yet calculated | CVE-2017-2875; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. | 2018-09-17 | not yet calculated | CVE-2017-2856; MISC

foscam -- c1_indoor_hd_camera | An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SoftAP configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. | 2018-09-19 | not yet calculated | CVE-2017-2873; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data. | 2018-09-19 | not yet calculated | CVE-2017-2876; MISC

foscam -- c1_indoor_hd_camera | An information disclosure vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 can allow for a user to retrieve sensitive information without authentication. | 2018-09-17 | not yet calculated | CVE-2017-2874; MISC

foscam -- c1_indoor_hd_camera | Insufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to the device, binaries as well as arguments to shell commands contained in the image are executed with elevated privileges. | 2018-09-17 | not yet calculated | CVE-2017-2872; MISC

foscam -- c1_indoor_hd_camera | A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication. | 2018-09-19 | not yet calculated | CVE-2017-2877; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. | 2018-09-19 | not yet calculated | CVE-2017-2855; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the UPnP implementation used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted UPnP discovery response can cause a buffer overflow resulting in overwriting arbitrary data. An attacker needs to be in the same subnetwork and reply to a discovery message to trigger this vulnerability. | 2018-09-19 | not yet calculated | CVE-2017-2879; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. | 2018-09-17 | not yet calculated | CVE-2017-2857; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability. | 2018-09-19 | not yet calculated | CVE-2017-2878; MISC

foscam -- c1_indoor_hd_camera | An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. | 2018-09-17 | not yet calculated | CVE-2017-2854; MISC

gitolite -- gitolite | gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup. | 2018-09-21 | not yet calculated | CVE-2013-7203; CONFIRM, FEDORA, MLIST

gitolite -- gitolite | gitolite commit fa06a34 through 3.5.3 might allow attackers to have unspecified impact via vectors involving world-writable permissions when creating (1) ~/.gitolite.rc, (2) ~/.gitolite, or (3) ~/repositories/gitolite-admin.git on fresh installs. | 2018-09-21 | not yet calculated | CVE-2013-4451; CONFIRM, CONFIRM, MLIST, BID

[vendor -- product not shown in source] | The html package (aka x/net/html) through 2018-09-17 in Go mishandles [description truncated in source] | [not shown in source] | not yet calculated | CVE-[number truncated in source]

[vendor -- product not shown in source] | The html package (aka x/net/html) through 2018-09-17 in Go mishandles [description truncated in source] | [not shown in source] | not yet calculated | CVE-[number truncated in source]

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in WMA handler. | 2018-09-18 | not yet calculated | CVE-2018-11869; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, during wlan association, driver allocates memory. In case the mem allocation fails driver does a mem free though the memory was not allocated. | 2018-09-18 | not yet calculated | CVE-2018-11842; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check while calculating the MPDU data length will cause an integer overflow and then a buffer overflow in WLAN function. | 2018-09-19 | not yet calculated | CVE-2018-11886; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on the length of array while accessing can lead to an out of bound read in WLAN HOST function. | 2018-09-19 | not yet calculated | CVE-2018-11891; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a buffer over-read can occur in the WMA NDP event handler functions due to lack of validation of input value event_info which is received from FW. | 2018-09-18 | not yet calculated | CVE-2018-11297; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing diag event after associating to a network, out of bounds read occurs if ssid of the network joined is greater than max limit. | 2018-09-19 | not yet calculated | CVE-2018-11897; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition. | 2018-09-18 | not yet calculated | CVE-2018-11818; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing start bss request from upper layer, out of bounds read occurs if ssid length is greater than maximum. | 2018-09-19 | not yet calculated | CVE-2018-11898; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, WLAN handler indication from the firmware gets the information for 4 access categories. While processing this information only the first 3 AC information is copied due to the improper conditional logic used to compare with the max number of categories. | 2018-09-18 | not yet calculated | CVE-2018-11294; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, in policy mgr unit test if mode parameter in wlan function is given an out of bound value it can cause an out of bound access while accessing the PCL table. | 2018-09-19 | not yet calculated | CVE-2018-11883; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the function for writing device values into flash, uninitialized memory can be written to flash. | 2018-09-18 | not yet calculated | CVE-2017-15844; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to OOB access in WLAN HOST. | 2018-09-19 | not yet calculated | CVE-2018-11902; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from userspace before copying into buffer can lead to potential array overflow in WLAN. | 2018-09-18 | not yet calculated | CVE-2018-11302; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, callback executed from the other thread has freed memory which is also used in wlan function and may result in a "Use after free" scenario. | 2018-09-18 | not yet calculated | CVE-2018-11300; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, in wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler, ndp_cfg len and num_ndp_app_info is from fw. If they are not checked, it may cause buffer over-read once the value is too large. | 2018-09-18 | not yet calculated | CVE-2018-11293; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length check validation in WLAN function can lead to driver writes the default rsn capabilities to the memory not allocated to the frame. | 2018-09-19 | not yet calculated | CVE-2018-11895; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when requesting rssi timeout, access invalid memory may occur since local variable 'context' stack data of wlan function is free. | 2018-09-19 | not yet calculated | CVE-2018-11889; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of input size validation before copying to buffer in PMIC function can lead to heap overflow. | 2018-09-18 | not yet calculated | CVE-2018-11832; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possibility of invalid memory access while processing driver command in WLAN function. | 2018-09-19 | not yet calculated | CVE-2018-11878; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in nan response event handler. | 2018-09-18 | not yet calculated | CVE-2018-11868; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing preferred network offload scan results integer overflow may lead to buffer overflow when large frame length is received from FW. | 2018-09-19 | not yet calculated | CVE-2018-11894; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper check in the WMA API for the inputs received from the firmware and then fills the same to the host structure will lead to OOB write. | 2018-09-18 | not yet calculated | CVE-2018-11852; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from caller function used as an array index for WMA interfaces can lead to OOB write in WLAN HOST. | 2018-09-19 | not yet calculated | CVE-2018-11903; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing vendor scan request, when input argument - length of request IEs is greater than maximum can lead to a buffer overflow. | 2018-09-19 | not yet calculated | CVE-2018-11893; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on buffer length while processing debug log event from firmware can lead to an integer overflow. | 2018-09-18 | not yet calculated | CVE-2018-11301; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing the keystore in LK, an integer overflow vulnerability exists which may potentially lead to a buffer overflow. | 2018-09-18 | not yet calculated | CVE-2017-15828; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on return value in WMA response handler can lead to potential use after free. | 2018-09-18 | not yet calculated | CVE-2018-11843; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, asynchronous callbacks received a pointer to a caller's local variable. Should the caller return early (e.g., timeout), the callback will dereference an invalid pointer. | 2018-09-19 | not yet calculated | CVE-2018-11904; CONFIRM (many references)

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a gpt update, an out of bounds memory access may potentially occur. | 2018-09-18 | not yet calculated | CVE-2017-15825; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on input received to calculate the buffer length can lead to out of bound write to kernel stack. | 2018-09-18 | not yet calculated | CVE-2018-11851; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a potential buffer overflow could occur while processing the ndp event due to lack of check on the message length. | 2018-09-18 | not yet calculated | CVE-2018-11860; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, WMA handler carries a fixed event data from the firmware to the host. If the length and anqp length from this event data exceed the max length, an OOB write would happen. | 2018-09-18 | not yet calculated | CVE-2018-11295; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper validation of array index in WMA roam synchronization handler can lead to OOB write. | 2018-09-18 | not yet calculated | CVE-2018-11827; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when WLAN FW has not filled the vdev id correctly in stats events then WLAN host driver tries to access interface array without proper bound check which can lead to invalid memory access and as a side effect kernel panic or page fault. | 2018-09-18 | not yet calculated | CVE-2018-11299; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a message from firmware in WLAN handler, a buffer overwrite can occur. | 2018-09-18 | not yet calculated | CVE-2018-11296; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the WLAN driver command ioctl a temporary buffer used to construct the reply message may be freed twice. | 2018-09-18 | not yet calculated | CVE-2018-11840; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length check can lead to out-of-bounds access in WLAN function. | 2018-09-18 | not yet calculated | CVE-2018-11836; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from firmware to calculate the length of WMA roam synch buffer can lead to buffer overwrite during memcpy. | 2018-09-18 | not yet calculated | CVE-2018-11863; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on integer overflow while calculating memory can lead to buffer overflow in WLAN ext scan handler. | 2018-09-18 | not yet calculated | CVE-2018-11826; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. This may result in data corruption. | 2018-09-18 | not yet calculated | CVE-2018-11270; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while relocating kernel images with a specially crafted boot image, an out of bounds access can occur. | 2018-09-19 | not yet calculated | CVE-2018-3573; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, 'voice_svc_dev' is allocated as a device-managed resource. If error 'cdev_alloc_err' occurs, 'device_destroy' will free all associated resources, including 'voice_svc_dev', leading to a double free. | 2018-09-18 | not yet calculated | CVE-2018-11273; CONFIRM, CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possible buffer overflow while incrementing the log_buf of type uint64_t in memcpy function, since the log_buf pointer can access the memory beyond the size to store the data after pointer increment. | 2018-09-18 | not yet calculated | CVE-2018-11265; CONFIRM, CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing user-space there is no size validation of the NAT entry input. If the user input size of the NAT entry is greater than the max allowed size, memory exhaustion will occur. | 2018-09-18 | not yet calculated | CVE-2018-11280; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing global variable "debug_client" in multi-thread manner, a use after free issue occurs. | 2018-09-18 | not yet calculated | CVE-2018-11286; CONFIRM, CONFIRM

google -- android | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory which does not belong to HLOS. | 2018-[day truncated in source] | not yet calculated | CVE-2018-3574; CONFIRM, CONFIRM, CONFIRM, CONFIRM
09-19 ated RM Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info CONFI RM In all android releases (Android for MSM, CVE- Firefox OS for MSM, QRD Android) from CAF 2018- using the linux kernel, while processing 11298 SET_PASSPOINT_LIST vendor command CONFI HDD does not make sure that the realm string RM that gets passed by upper-layer is NULL not CONFI terminated. This may lead to buffer overflow as yet RM google -- android strlen is used to get realm string length to 2018- calcul CONFI construct the PASSPOINT WMA command. 09-18 ated RM CVE- 2018- 11274 In all android releases (Android for MSM, not CONFI Firefox OS for MSM, QRD Android) from CAF yet RM google -- android using the linux kernel, buffer overflow may 2018- calcul CONFI occur when payload size is extremely large. 09-18 ated RM CVE- In all android releases (Android for MSM, 2017- Firefox OS for MSM, QRD Android) from CAF 15818 using the linux kernel, while loading a user not CONFI application in qseecom, an integer overflow yet RM google -- android could potentially occur if the application 2018- calcul CONFI partition size is rounded up to page_size. 09-18 ated RM CVE- 2018- In all android releases (Android for MSM, 11275 Firefox OS for MSM, QRD Android) from CAF not CONFI using the linux kernel, when flashing image yet RM google -- android using FastbootLib if size is not divisible by 2018- calcul CONFI block size, information leak occurs. 09-18 ated RM CVE- 2018- In all android releases (Android for MSM, 5905 Firefox OS for MSM, QRD Android) from CAF not CONFI using the linux kernel, a race condition while yet RM google -- android accessing num of clients in DIAG services can 2018- calcul CONFI lead to out of boundary access. 
09-19 ated RM Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info CONFI RM CONFI RM In all android releases (Android for MSM, CVE- Firefox OS for MSM, QRD Android) from CAF 2018- using the linux kernel, Venus HW searches for 11278 start code when decoding input bit stream not CONFI buffers. If start code is not found in entire buffer, yet RM google -- android there is over-fetch beyond allocation length. 2018- calcul CONFI This leads to page fault. 09-18 ated RM CVE- 2018- In all android releases (Android for MSM, 11276 Firefox OS for MSM, QRD Android) from CAF CONFI using the linux kernel, double free of memory RM allocation is possible in Kernel when it explicitly not CONFI tries to free that memory on driver probe failure, yet RM google -- android since memory allocated is automatically freed 2018- calcul CONFI on probe. 09-18 ated RM CVE- 2018- 11281 In all android releases (Android for MSM, CONFI Firefox OS for MSM, QRD Android) from CAF RM using the linux kernel, while calling CONFI IPA_IOC_MDFY_RT_RULE IPA IOCTL, RM header entry is not checked before use. If not CONFI IPA_IOC_MDFY_RT_RULE IOCTL called for yet RM google -- android header entries formerly deleted, a Use after free 2018- calcul CONFI condition will occur. 09-18 ated RM CVE- A flaw was discovered in the HPACK decoder 2018- of HAProxy, before 1.8.14, that is used for not 14645 HTTP/2. An out-of-bounds read access in yet CONFI haproxy -- hpack_decoder hpack_valid_idx() resulted in a remote crash and 2018- calcul RM denial of service. 09-21 ated MLIST Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an not CVE- attempted parse of a crafted HDF file, because yet 2018- hdf -- hdf5 of incorrect protection against division by zero. 2018- calcul 17237 This issue is different from CVE-2018-11207. 
09-20 ated MISC Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in the HDF HDF5 not CVE- through 1.10.3 library allows attackers to cause a yet 2018- hdf -- hdf5 denial of service (memory consumption) via a 2018- calcul 17234 crafted HDF5 file. 09-20 ated MISC A SIGFPE signal is raised in the function H5D__create_chunk_file_map_hyper() of H5Dchunk.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted not CVE- HDF file, because of incorrect protection against yet 2018- hdf -- hdf5 division by zero. It could allow a remote denial 2018- calcul 17233 of service attack. 09-20 ated MISC Huawei smartphones Mate10 with versions earlier before ALP-AL00B 8.0.0.110(C00) have a Factory Reset Protection (FRP) bypass vulnerability. The system does not sufficiently verify the permission, an attacker uses a data cable to connect the smartphone to the computer CVE- and then perform some specific operations. not 2018- Successful exploit could allow the attacker yet 7991 huawei -- mate10_smartphones bypass the FRP protection to access the system 2018- calcul CONFI setting page. 09-18 ated RM Huawei Mate RS smartphones with the versions CVE- before NEO-AL00D 8.1.0.167(C786) have a not 2018- lock-screen bypass vulnerability. An attacker yet 7929 huawei -- mate_rs_smartphones could unlock and use the phone through certain 2018- calcul CONFI operations. 09-18 ated RM The unzip function in ZipUtil.java in Hutool not CVE- before 4.1.12 allows remote attackers to yet 2018- hutool -- hutool overwrite arbitrary files via directory traversal 2018- calcul 17297 sequences in a filename within a ZIP archive. 
09-21 ated MISC Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info CVE- 2018- 17141 CONFI RM MLIST HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow MLIST remote attackers to execute arbitrary code via a BUGT dial-in session that provides a FAX page with not RAQ the JPEG bit enabled, which is mishandled in yet DEBIA hylafax -- fax_software FaxModem::writeECMData() in the 2018- calcul N faxd/CopyQuality.c++ file. 09-21 ated MISC IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0.0.1 are vulnerable to CVE- SQL injection. A remote attacker could send 2018- specially-crafted SQL statements, which could not 1674 allow the attacker to view, add, modify or delete yet XF ibm -- business_process_manager information in the back-end database. IBM X- 2018- calcul CONFI Force ID: 145109. 09-20 ated RM CVE- 2018- 1685 IBM DB2 for Linux, UNIX and Windows SECTR ibm -- (includes DB2 Connect Server) 9.7, 10.1, 10.5, not ACK db2_for_linux_and_unix_and_winand 11.1 contains a vulnerability in db2cacpy yet XF dows that could allow a local user to read any file on 2018- calcul CONFI the system. IBM X-Force ID: 145502. 09-21 ated RM IBM DB2 for Linux, UNIX and Windows CVE- (includes DB2 Connect Server) 10.1, 10.5, and 2018- ibm -- 11.1 tool db2licm is affected by buffer overflow not 1710 db2_for_linux_and_unix_and_winvulnerability that can potentially result in yet XF dows arbitrary code execution. IBM X-Force ID: 2018- calcul CONFI 146364. 09-21 ated RM IBM DB2 for Linux, UNIX and Windows CVE- (includes DB2 Connect Server) 9.7, 10.1, 10.5, 2018- ibm -- and 11.1 could allow a local user to to gain not 1711 db2_for_linux_and_unix_and_winprivileges due to allowing modificaiton of yet XF dows columns of existing tasks. IBM X-Force ID: 2018- calcul CONFI 146369. 
09-21 ated RM Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info IBM GPFS (IBM Spectrum Scale 5.0.1.0 and 5.0.1.1) allows a local, unprivileged user to CVE- cause a kernel panic on a node running GPFS by 2018- accessing a file that is stored on a GPFS file not 1782 system with mmap, or by executing a crafted file yet XF ibm -- gpfs stored on a GPFS file system. IBM X-Force ID: 2018- calcul CONFI 148805. 09-19 ated RM CVE- IBM Sterling B2B Integrator Standard Edition 2018- 5.2.6.0 and 6.2.6.1 could allow a local user to not 1800 obtain highly sensitive information during a yet XF ibm -- sterling_b2b_integrator short time period when installation is occuring. 2018- calcul CONFI IBM X-Force ID: 149607. 09-20 ated RM CVE- IBM Tivoli Monitoring 6.2.3 through 6.2.3.5 2017- and 6.3.0 through 6.3.0.7 are vulnerable to both not 1794 TEPS user privilege escalation and possible yet XF ibm -- tivoli_monitoring denial of service due to unconstrained memory 2018- calcul CONFI growth. IBM X-Force ID: 137039. 09-19 ated RM An exploitable heap overflow vulnerability exists in the ipStringCreate function of Iceni Argus Version 6.6.05. A specially crafted pdf not CVE- file can cause an integer overflow resulting in yet 2017- iceni -- argus heap overflow. An attacker can send file to 2018- calcul 2777 trigger this vulnerability. 09-17 ated MISC An exploitable information leak vulnerability exists in Insteon Hub running firmware version 1012. The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily not CVE- controlled information leak on the whole device yet 2017- memory. An attacker can send an authenticated 2018- calcul 14443 insteon -- insteon_hub HTTP request to trigger this vulnerability. 
09-17 ated MISC Platform sample code firmware in 4th CVE- Generation Intel Core Processor, 5th Generation not 2018- Intel Core Processor, 6th Generation Intel Core yet 12169 Processor, 7th Generation Intel Core Processor intel -- core_processor 2018- calcul CONFI and 8th Generation Intel Core Processor 09-21 ated RM contains a logic error which may allow physical Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info attacker to potentially bypass firmware authentication. The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 not CVE- integer overflow in exif.c. This gpsinfo.c yet 2018- vulnerability is unrelated to the CVE-2018- 2018- calcul 17088 jhead -- jhead 16554 gpsinfo.c vulnerability. 09-16 ated MISC CVE- not 2018- The JCK Editor component 6.4.4 for Joomla! yet 17254 allows SQL Injection via the 2018- calcul EXPLO joomla! -- joomla! jtreelink/dialogs/links.php parent parameter. 09-20 ated IT-DB The CWJoomla CW Article Attachments PRO CVE- extension before 2.0.7 and CW Article not 2018- Attachments FREE extension before 1.0.6 for yet 14592 Joomla! allow SQL Injection within 2018- calcul CONFI joomla! -- joomla! download.php. 09-20 ated RM CVE- Kibana versions 5.3.0 to 6.4.1 had a cross-site 2018- scripting (XSS) vulnerability via the source field 3830 formatter that could allow an attacker to obtain not CONFI sensitive information from or perform yet RM kibana -- kibana destructive actions on behalf of other Kibana 2018- calcul CONFI users. 09-19 ated RM not CVE- LG SuperSign CMS allows remote attackers to yet 2018- lg -- supersign_cms execute arbitrary code via the sourceUri 2018- calcul 17173 parameter to qsr_server/device/getThumbnail. 
09-21 ated MISC not CVE- LG SuperSign CMS allows reading of arbitrary yet 2018- lg -- supersign_cms files via signEzUI/playlist/edit/upload/..%2f 2018- calcul 16288 URIs. 09-14 ated MISC Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info EXPLO IT-DB The matchCurrentInput function inside lou_translateString.c of Liblouis prior to 3.7 CVE- does not check the input string's length, allowing not 2018- attackers to cause a denial of service (application yet 17294 crash via out-of-bounds read) by crafting an 2018- calcul MISC liblouis -- liblouis input file with certain translation dictionaries. 09-21 ated MISC The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in libmp4v2 2.1.0 mishandles not CVE- compatibleBrand while processing a crafted mp4 yet 2018- file, which leads to a heap-based buffer over- 2018- calcul 17235 libmp4v2 -- libmp4v2 read, causing denial of service. 09-20 ated MISC not CVE- The function MP4Free() in mp4property.cpp in yet 2018- libmp4v2 2.1.0 internally calls free() on a 2018- calcul 17236 libmp4v2 -- libmp4v2 invalid pointer, raising a SIGABRT signal. 09-20 ated MISC An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function not CVE- in svg_string.c returns its input pointer in certain yet 2018- circumstances, which might result in a memory 2018- calcul 17332 libsvg2 -- libsvg2 leak caused by wasteful malloc calls. 09-22 ated MISC An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a not CVE- denial of service (application crash) or possibly yet 2018- have unspecified other impact because a strncpy 2018- calcul 17334 libsvg2 -- libsvg2 copy limit is miscalculated. 09-22 ated MISC An issue was discovered in libsvg2 through 2012-10-19. 
A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote not CVE- attackers to cause a denial of service (application yet 2018- crash) or possibly have unspecified other impact 2018- calcul 17333 libsvg2 -- libsvg2 because sscanf is misused. 09-22 ated MISC Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info An issue was discovered in LibTIFF 4.0.9. CVE- There are two out-of-bounds writes in cpTags in 2018- tools/tiff2bw.c and tools/pal2rgb.c, which can not 17101 cause a denial of service (application crash) or yet MISC libtiff -- libtiff possibly have unspecified other impact via a 2018- calcul BID crafted image file. 09-16 ated MISC An issue was discovered in LibTIFF 4.0.9. CVE- There is a int32 overflow in multiply_ms in not 2018- tools/ppm2tiff.c, which can cause a denial of yet 17100 libtiff -- libtiff service (crash) or possibly have unspecified 2018- calcul MISC other impact via a crafted image file. 09-16 ated MISC In LimeSurvey 3.14.7, HTML Injection and not CVE- Stored XSS have been discovered in the yet 2018- limesurvey -- limesurvey appendix via the surveyls_title parameter to 2018- calcul 17003 /index.php?r=admin/survey/sa/insert. 09-21 ated MISC LINK-NET LW-N605R devices with firmware CVE- 12.20.2.1486 allow Remote Code Execution via 2018- shell metacharacters in the HOST field of the not 16752 ping feature at adm/systools.asp. Authentication yet MISC link-net -- lw-n605r_devices is needed but the default password of admin for 2018- calcul EXPLO the admin account may be used in some cases. 09-20 ated IT-DB Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi- bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). 
This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as not CVE- demonstrated by the yet 2018- linksys -- velop zbtest.cgi?cmd=level&level= substring. This can 2018- calcul 17208 also be exploited via CSRF. 09-19 ated MISC CVE- 2018- An issue was discovered in the Linux kernel not 17182 through 4.18.8. The vmacache_flush_all yet MISC function in mm/vmacache.c mishandles linux -- kernel 2018- calcul MISC sequence number overflows. An attacker can 09-19 ated MISC trigger a use-after-free (and possibly gain Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info privileges) via certain thread creation, map, unmap, invalidation, and dereference operations. CVE- 2018- An issue was discovered in the Linux kernel 16597 through 4.18.6. Incorrect access checking in not CONFI overlayfs mounts could be used by local yet RM linux -- kernel attackers to modify or truncate files in the 2018- calcul CONFI underlying filesystem. 09-21 ated RM A security flaw was found in the ip_frag_reasm() function in CVE- net/ipv4/ip_fragment.c in the Linux kernel from 2018- 4.19-rc1 to 4.19-rc3 inclusive, which can cause a 14641 later system crash in ip_do_fragment(). With CONFI certain non-default, but non-rare, configuration not RM of a victim host, an attacker can trigger this yet CONFI linux -- kernel crash remotely, thus leading to a remote denial- 2018- calcul RM of-service. 09-18 ated MLIST The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small not CVE- msg.value, because the developer set the yet 2018- currency unit incorrectly. 
Therefore, it allows 2018- calcul 17071 lucky9io -- lucky9io attackers to always win and get rewards. 09-18 ated MISC CVE- 2018- 16515 CONFI Matrix Synapse before 0.33.3.1 allows remote RM attackers to spoof events and possibly have not FEDOR unspecified other impacts by leveraging yet A matrix -- synapse improper transaction and event signature 2018- calcul CONFI validation. 09-18 ated RM Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info CVE- Bypassing password security vulnerability in 2017- McAfee Application and Change Control not 3912 mcafee -- (MACC) 7.0.1 and 6.2.0 allows authenticated yet BID application_and_change_control users to perform arbitrary command execution 2018- calcul CONFI via a command-line utility. 09-18 ated RM Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client CVE- in McAfee Application and Change Control not 2018- mcafee -- (MACC) 8.0.0 Hotfix 4 and earlier allows yet 6690 application_and_change_control authenticated users to execute arbitrary code via 2018- calcul CONFI file transfer from external system. 09-18 ated RM An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use CVE- (TOCTOU) race condition during a specific not 2018- mcafee -- scanning sequence, the unprivileged user is able yet 6693 endpoint_security_for_linux_threato perform a privilege escalation to delete 2018- calcul CONFI t_prevention arbitrary files. 09-18 ated RM not CVE- MetInfo 6.1.0 has XSS in doexport() in yet 2018- metinfo -- metinfo app/system/feedback/admin/feedback_admin.cla 2018- calcul 17129 ss.php via the class1 field. 09-17 ated MISC A potential Directory Traversal Security CVE- vulnerability has been identified in ArcSight not 2018- micro_focus -- Management Center (ArcMC) in all versions yet 6500 arcsight_management_center prior to 2.81. 
This vulnerability could be 2018- calcul CONFI remotely exploited to allow Directory Traversal. 09-20 ated RM A potential Reflected Cross-Site Scripting (XSS) Security vulnerability has been identified in CVE- ArcSight Management Center (ArcMC) in all not 2018- micro_focus -- versions prior to 2.81. This vulnerability could yet 6502 arcsight_management_center be exploited to allow for Reflected Cross-site 2018- calcul CONFI Scripting (XSS). 09-20 ated RM micro_focus -- A potential Unauthenticated File Download CVE- arcsight_management_center 2018- vulnerability has been identified in ArcSight not 2018- 09-20 Management Center (ArcMC) in all versions yet 6505 Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info prior to 2.81. This vulnerability could be calcul CONFI exploited to allow for Unauthenticated File ated RM Downloads. Potential security vulnerability of Insufficient CVE- Access Controls has been identified in ArcSight not 2018- micro_focus -- Management Center (ArcMC) for versions prior yet 6501 arcsight_management_center to 2.81. This vulnerability could be exploited to 2018- calcul CONFI allow for insufficient access controls. 09-20 ated RM A potential Access Control vulnerability has CVE- been identified in ArcSight Management Center not 2018- micro_focus -- (ArcMC) in all versions prior to 2.81. This yet 6503 arcsight_management_center vulnerability could be exploited to allow for 2018- calcul CONFI vulnerable Access Controls. 09-20 ated RM A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight CVE- Management Center (ArcMC) in all versions not 2018- micro_focus -- prior to 2.81. This vulnerability could be yet 6504 arcsight_management_center exploited to allow for Cross-Site Request 2018- calcul CONFI Forgery (CSRF). 
09-20 ated RM CVE- 2018- 16794 MISC FULLD microsoft -- Microsoft ADFS 4.0 Windows Server 2016 and not ISC active_directory_federation_servi previous (Active Directory Federation Services) yet BID ces_windows_server has an SSRF vulnerability via the txtBoxEmail 2018- calcul BUGT parameter in /adfs/ls. 09-18 ated RAQ CVE- 2018- 16793 Rollup 18 for Microsoft Exchange Server 2010 MISC SP3 and previous versions has an SSRF not FULLD vulnerability via the username parameter in yet ISC microsoft -- exchange_server /owa/auth/logon.aspx in the OWA (Outlook 2018- calcul BUGT Web Access) login page. 09-21 ated RAQ microweber -- microweber 2018- An issue was discovered in Microweber 1.0.7. not CVE- 09-16 There is a CSRF attack (against the admin user) yet 2018- Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info that can add an administrative account via calcul 17104 api/save_user. ated CONFI RM MISC CONFI RM CVE- admin/index.php in Monstra CMS 3.0.4 allows not 2018- arbitrary file deletion via yet 16819 monstra -- cms id=filesmanager&path=uploads/...... //./...... //./& 2018- calcul MISC delete_file= requests. 09-18 ated MISC CVE- admin/index.php in Monstra CMS 3.0.4 allows not 2018- arbitrary directory listing via yet 16820 monstra -- cms id=filesmanager&path=uploads/...... //./...... //./ 2018- calcul MISC requests. 09-18 ated MISC CVE- 2018- moodle before versions 3.5.2, 3.4.5, 3.3.8 is 14631 vulnerable to a boost theme - blog search GET CONFI parameter insufficiently filtered. The RM breadcrumb navigation provided by Boost theme BID when displaying search results of a blog were not CONFI insufficiently filtered, which could result in yet RM moodle -- moodle reflected XSS if a user followed a malicious link 2018- calcul CONFI containing JavaScript in the search parameter. 
09-17 ated RM CVE- 2018- 14630 CONFI RM moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 BID is vulnerable to an XML import of ddwtos could CONFI lead to intentional remote code execution. When RM importing legacy 'drag and drop into text' CONFI (ddwtos) type quiz questions, it was possible to not RM inject and execute PHP code from within the yet FULLD moodle -- moodle imported questions, either intentionally or by 2018- calcul ISC importing questions from an untrusted source. 09-17 ated MISC Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info A command injection vulnerability in the web CVE- server functionality of Moxa EDR-810 V4.2 2018- build 18041013 allows remote attackers to not 16282 execute arbitrary OS commands with root yet MISC moxa -- edr-810 privilege via the caname parameter to the 2018- calcul CONFI /xml/net_WebCADELETEGetValue URI. 09-20 ated RM not CVE- A Persistent XSS issue was discovered in the yet 2018- mybb -- mybb Visual Editor in MyBB before 1.8.19 via a 2018- calcul 17128 Video MyCode. 09-17 ated MISC not CVE- yet 2018- navigate -- cms Navigate CMS 2.8 has Reflected XSS via the 2018- calcul 17255 navigate.php fid parameter. 09-20 ated MISC A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) not CVE- can be replayed to /bin/webserver on port 8081. yet 2018- neato_robotics -- botvac There are no nonces, and timestamps are not 2018- calcul 17176 checked at all. 09-18 ated MISC An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot- right are executed even though the web socket replies with { "message" : "invalid authorization header" }. 
Without an active session, commands are still interpreted, but (except for eco-on and not CVE- eco-off) have no effect, since without active yet 2018- neato_robotics -- botvac driving, a driving direction does not change 2018- calcul 17178 anything. 09-18 ated MISC An issue was discovered on Neato Botvac not CVE- Connected 2.2.0 and Botvac 85 1.2.1 devices. yet 2018- Static encryption is used for the copying of so- neato_robotics -- botvac 2018- calcul 17177 called "black box" logs (event logs and core 09-18 ated MISC dumps) to a USB stick. These logs are RC4- Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary. not CVE- nmap4j 1.1.0 allows attackers to execute yet 2018- arbitrary commands via shell metacharacters in 2018- calcul 17228 nmap4j -- nmap4j an includeHosts call. 09-19 ated MISC A stack-based buffer overflow was discovered in the xtimor NMEA library (aka nmealib) 0.5.3. nmea_parse() in parser.c allows an attacker to not CVE- trigger denial of service (even arbitrary code yet 2018- execution in a certain context) in a product using 2018- calcul 17174 nmealib -- nmealib this library via malformed data. 09-21 ated MISC CVE- 2018- NUUO's NVRMini2 3.8.0 and below contains a not 1150 backdoor that would allow an unauthenticated yet CONFI nuuo -- nvrmini2 remote attacker to take over user accounts if the 2018- calcul RM file /tmp/moses exists. 09-19 ated MISC CVE- 2018- 1149 CONFI not RM cgi_system in NUUO's NVRMini2 3.8.0 and yet CONFI nuuo -- nvrmini2 below allows remote attackers to execute 2018- calcul RM arbitrary code via crafted HTTP requests. 
(continuation of the preceding row's Published / CVSS / Patch cells: 2018-09-19 | not yet calculated | MISC)

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
open-xchange -- webmail | Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag. | 2018-09-18 | not yet calculated | CVE-2017-6913 MISC CONFIRM
open_vswitch -- open_vswitch | An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding. | 2018-09-19 | not yet calculated | CVE-2018-17206 MISC
open_vswitch -- openvswitch | An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting parse_group_prop_ntr_selection_method in lib/ofp-util.c. When decoding a group mod, it validates the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tries to use the type and command earlier, when it might still be invalid. This causes an assertion failure (via OVS_NOT_REACHED). ovs-vswitchd does not enable support for OpenFlow 1.5 by default. | 2018-09-19 | not yet calculated | CVE-2018-17204 MISC
open_vswitch -- openvswitch | An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c. During bundle commit, flows that are added in a bundle are applied to ofproto in order. If a flow cannot be added (e.g., the flow action is a go-to for a group id that does not exist), OvS tries to revert back all previous flows that were successfully applied from the same bundle. This is possible since OvS maintains a list of old flows that were replaced by flows from the bundle. While reinserting old flows, OvS has an assertion failure due to a check on rule state != RULE_INITIALIZED. This would work for new flows, but for an old flow the rule state is RULE_REMOVED. The assertion failure causes an OvS crash. | 2018-09-19 | not yet calculated | CVE-2018-17205 MISC
opmantek -- open-audit | Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field. | 2018-09-19 | not yet calculated | CVE-2018-16607 MISC
oracle -- webcenter_interaction_portal | An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. | 2018-09-17 | not yet calculated | CVE-2018-16959 BID MISC
oracle -- webcenter_interaction_portal | The AjaxControl component of Oracle WebCenter Interaction Portal 10.3.3 does not validate the names of pages when processing page rename requests. Pages can be renamed to include characters unsupported for URIs by the web server hosting the WCI Portal software (such as IIS). Renaming pages to include unsupported characters, such as 0x7f, prevents these pages from being accessed over the web server, causing a Denial of Service (DoS) to the page. | 2018-09-17 | not yet calculated | CVE-2018-16956 BID MISC
oracle -- webcenter_interaction_portal | The login function of Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). The content of the in_hi_redirect parameter, when prefixed with the https:// scheme, is unsafely reflected in an HTML META tag in the HTTP response. | 2018-09-17 | not yet calculated | CVE-2018-16955 BID MISC
oracle -- webcenter_interaction_portal | The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response. | 2018-09-17 | not yet calculated | CVE-2018-16953 BID MISC
oracle -- webcenter_interaction_portal | An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. | 2018-09-17 | not yet calculated | CVE-2018-16954 BID MISC
oracle -- webcenter_interaction_portal | An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is exposed to session hijacking attacks should an adversary be able to execute JavaScript in the origin of the portal installation. | 2018-09-17 | not yet calculated | CVE-2018-16958 BID MISC
oracle -- webcenter_interaction_portal | The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). | 2018-09-17 | not yet calculated | CVE-2018-16952 BID MISC
oracle -- webcenter_interaction | The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service over a network could perform search queries to extract large quantities of sensitive information from the WCI installation. | 2018-09-17 | not yet calculated | CVE-2018-16957 BID MISC
otcms -- otcms | An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switch.php via these parameters: fieldName, fieldName2, tabName. | 2018-09-16 | not yet calculated | CVE-2018-17086 MISC
otcms -- otcms | An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php via these parameters: dataTypeCN, dataMode, dataModeStr. | 2018-09-16 | not yet calculated | CVE-2018-17085 MISC
parcel -- parcel-bundler | An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1 connection (with a random TCP port number) from any origin. The random port number can be found by connecting to http://127.0.0.1 and reading the "new WebSocket" line in the source code. | 2018-09-21 | not yet calculated | CVE-2018-14731 MISC CONFIRM CONFIRM
patatasfritas -- patatawifi | FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php. | 2018-09-21 | not yet calculated | CVE-2018-17317 MISC MISC
php -- php | The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. | 2018-09-16 | not yet calculated | CVE-2018-17082 MISC MISC MISC MISC MLIST
phpmywind -- phpmywind | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. | 2018-09-17 | not yet calculated | CVE-2018-17133 MISC
phpmywind -- phpmywind | admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter. | 2018-09-17 | not yet calculated | CVE-2018-17132 MISC
phpmywind -- phpmywind | PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header. | 2018-09-17 | not yet calculated | CVE-2018-17130 MISC
phpmywind -- phpmywind | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. | 2018-09-17 | not yet calculated | CVE-2018-17131 MISC
phpmywind -- phpmywind | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. | 2018-09-17 | not yet calculated | CVE-2018-17134 MISC
pivotal -- applications_service | Pivotal Usage Service in Pivotal Application Service, versions 2.0 prior to 2.0.21 and 2.1 prior to 2.1.13 and 2.2 prior to 2.2.5, contains a bug which may allow escalation of privileges. A space developer with access to the system org may be able to access an artifact which contains the CF admin credential, allowing them to escalate to an admin role. | 2018-09-17 | not yet calculated | CVE-2018-11086 CONFIRM
pivotal -- applications_service | Pivotal Applications Manager in Pivotal Application Service, versions 2.0 prior to 2.0.21 and 2.1 prior to 2.1.13 and 2.2 prior to 2.2.5, contains a bug which may allow escalation of privileges. A space developer with access to the system org may be able to access an artifact which contains the CF admin credential, allowing them to escalate to an admin role. | 2018-09-17 | not yet calculated | CVE-2018-11088 CONFIRM
pivotal -- cloud_cache | Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser password in plain text in BOSH deployment logs. A malicious user with access to the logs could escalate their privileges using this password. | 2018-09-17 | not yet calculated | CVE-2018-1198 CONFIRM
podofo_project -- podofo | This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673. | 2018-09-17 | not yet calculated | CVE-2018-14320 MISC
prezi -- next | Prezi Next 1.3.101.11 has a documented purpose of creating HTML5 presentations but has SE_DEBUG_PRIVILEGE on Windows, which might allow attackers to bypass intended access restrictions. | 2018-09-17 | not yet calculated | CVE-2018-17137 MISC
processmaker -- processmaker_enterprise_core | A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization, potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability. | 2018-09-17 | not yet calculated | CVE-2016-9045 MISC
python -- marshmallow_library | In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only"). | 2018-09-18 | not yet calculated | CVE-2018-17175 MISC MISC MISC
python_software_foundation -- python | Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service or information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed after commit add531a1e55b0a739b0f42582f1c9747e5649ace. | 2018-09-18 | not yet calculated | CVE-2018-1000802 CONFIRM CONFIRM CONFIRM MISC
qbee -- multisensor_camera | The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera. | 2018-09-18 | not yet calculated | CVE-2018-16225 MISC FULLDISC
qualcomm -- android | In Snapdragon (Automobile, Mobile) in version MSM8996AU, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, a crafted HLOS client can modify the structure in memory passed to a QSEE application between the time of check and the time of use, resulting in arbitrary writes to TZ kernel memory regions. | 2018-09-20 | not yet calculated | CVE-2017-18302 SECTRACK CONFIRM CONFIRM
qualcomm -- android | In Small Cell SoC and Snapdragon (Automobile, Mobile, Wear) in version FSM9055, FSM9955, MDM9607, MDM9640, MDM9650, MSM8909W, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDM630, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, providing the NULL argument of ICE regulator while processing create key IOCTL results in system restart. | 2018-09-20 | not yet calculated | CVE-2017-18301 SECTRACK CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, on TZ cold boot the CNOC_QDSS RG0 locked by xBL_SEC is cleared by TZ. | 2018-09-20 | not yet calculated | CVE-2017-18314 CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9607, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDM429, SDM439, SDM632, Snapdragon_High_Med_2016, when a Trusted Application has opened the SPI/I2C interface to a particular device, it is possible for another Trusted Application to read the data on this open interface by calling the SPI/I2C read function. | 2018-09-20 | not yet calculated | CVE-2017-18280 SECTRACK CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG in use. | 2018-09-20 | not yet calculated | CVE-2018-11290 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016, a double free of ASN1 heap memory used for the EUTRA CAP container occurs during the UTRAN to LTE Capability inquiry procedure. | 2018-09-20 | not yet calculated | CVE-2018-11982 CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, lack of input validation in WLANWMI command handlers can lead to integer and heap overflows. | 2018-09-20 | not yet calculated | CVE-2018-11292 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016, a potential buffer overflow exists when parsing TFTP options. | 2018-09-20 | not yet calculated | CVE-2018-11269 CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests (for privacy reasons) is not done properly due to a flawed RNG which produces repeating output much earlier than expected. | 2018-09-20 | not yet calculated | CVE-2018-5871 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, incorrect control flow implementation in Video while checking buffer sufficiency. | 2018-09-20 | not yet calculated | CVE-2018-11287 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, the com.qualcomm.embms is a vendor package deployed in the system image which has an inadequate permission level and allows any application installed from Play Store to request this permission at install-time. The system application interfaces with the Radio Interface Layer, leading to a potential access control issue. | 2018-09-20 | not yet calculated | CVE-2018-11277 CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016, a potential buffer overflow exists when parsing TFTP options. | 2018-09-20 | not yet calculated | CVE-2018-11268 CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG which produced repeating output much earlier than expected. | 2018-09-20 | not yet calculated | CVE-2018-5837 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, cryptographic issues arise in NAN because the random number generator used was not a strong one. | 2018-09-20 | not yet calculated | CVE-2018-11291 CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016, while parsing a FLAC file with a corrupted picture block, a buffer over-read can occur. | 2018-09-20 | not yet calculated | CVE-2018-11285 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, when sending malformed XML data to deviceprogrammer/firehose it may do an out of bounds buffer write, allowing a region of memory to be filled with 0x20. | 2018-09-20 | not yet calculated | CVE-2018-11267 CONFIRM
quickapps -- quickappscms | An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI. | 2018-09-16 | not yet calculated | CVE-2018-17102 MISC MISC
red_hat -- undertow | An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. | 2018-09-18 | not yet calculated | CVE-2018-14642 CONFIRM
ricoh -- mp_2001_printer | On the RICOH MP 2001 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | 2018-09-21 | not yet calculated | CVE-2018-17002 MISC
ricoh -- sp_4510sf_printer | On the RICOH SP 4510SF printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. | 2018-09-21 | not yet calculated | CVE-2018-17001 MISC
rockwell_automation -- rslinx_classic | Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to Port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code. | 2018-09-20 | not yet calculated | CVE-2018-14829 MISC MISC
rockwell_automation -- rslinx_classic | Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality. | 2018-09-20 | not yet calculated | CVE-2018-14827 MISC
rockwell_automation -- rslinx_classic | Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality. | 2018-09-20 | not yet calculated | CVE-2018-14821 MISC
samsung -- smarthings_hub-sth-eth-250 | An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy call overflows the destination buffer, which has a size of 52 bytes. An attacker can send an arbitrarily long "startTime" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3894 MISC
samsung -- smarthings_hub-sth-eth-250 | An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 160 bytes. An attacker can send an arbitrarily long "directory" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3877 MISC
samsung -- smarthings_hub_sth-eth-250 | An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 64 bytes. An attacker can send an arbitrarily long "bucket" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3915 MISC
samsung -- smarthings_hub_sth-eth-250 | An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 128 bytes. An attacker can send an arbitrarily long "secretKey" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3873 MISC
samsung -- smarthings_hub_sth-eth-250 | An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 2000 bytes. An attacker can send an arbitrarily long "sessionToken" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3914 MISC
samsung -- smarthings_hub_sth-eth-250 | An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 64 bytes. An attacker can send an arbitrarily long "bucket" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3876 MISC
samsung -- smarthings_hub_sth-eth-250 | An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 32 bytes. An attacker can send an arbitrarily long "accessKey" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3913 MISC
samsung -- smarthings_hub_sth-eth-250 | An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy overflows the destination buffer, which has a size of 32 bytes. An attacker can send an arbitrarily long "accessKey" value in order to exploit this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3874 MISC
samsung -- smarthings_hub | An exploitable stack-based buffer overflow vulnerability exists in the retrieval of a database field in video-core's HTTP server of Samsung SmartThings Hub. The video-core process insecurely extracts the shard.videoHostURL field from its SQLite database, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-3906 MISC
samsung -- wifiscan | An exploitable buffer overflow vulnerability exists in the Samsung WifiScan handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long "cameraIp" value in order to exploit this vulnerability. | 2018-09-20 | not yet calculated | CVE-2018-3865 MISC
samsung -- wifiscan | An exploitable buffer overflow vulnerability exists in the Samsung WifiScan handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long "password" value in order to exploit this vulnerability. | 2018-09-20 | not yet calculated | CVE-2018-3864 MISC
sbi -- sbibuddy | The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Android might allow attackers to perform Account Takeover attacks by intercepting a security-question response during the initial configuration of the application. | 2018-09-16 | not yet calculated | CVE-2018-17108 MISC
seacms -- seacms | SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_template.php?path=../templets/../../ requests. | 2018-09-21 | not yet calculated | CVE-2018-16821 MISC MISC
seacms -- seacms | An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action. | 2018-09-21 | not yet calculated | CVE-2018-17321 MISC
seacms -- seacms | SeaCMS 6.64 allows SQL Injection via the upload/admin/admin_video.php order parameter. | 2018-09-21 | not yet calculated | CVE-2018-16822 MISC MISC
seacms -- seacms | An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter. | 2018-09-16 | not yet calculated | CVE-2018-17062 MISC
simple_pos_pool -- simple_pos | Simple POS 4.0.24 allows SQL Injection via a products/get_products/ columns[0][search][value] parameter in the management panel, as demonstrated by products/get_products/1. | 2018-09-17 | not yet calculated | CVE-2018-17110 EXPLOIT-DB
slack-archive-bot -- slack-archive-bot | SQL injection vulnerability in archivebot.py in docmarionum1 Slack ArchiveBot (aka slack-archive-bot) before 2018-09-19 allows remote attackers to execute arbitrary SQL commands via the text parameter to cursor.execute(). | 2018-09-20 | not yet calculated | CVE-2018-17232 MISC
smarty -- smarty | Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files. | 2018-09-18 | not yet calculated | CVE-2018-13982 MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
snap_creek -- duplicator | An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. | 2018-09-19 | not yet calculated | CVE-2018-17207 MISC MISC
softcase -- t-router | An issue was discovered on SoftCase T-Router build 20112017 devices. A remote attacker can read and write to arbitrary files on the system as root, as demonstrated by code execution after writing to a crontab file. This is fixed in production builds as of Spring 2018. | 2018-09-21 | not yet calculated | CVE-2018-11241 MISC
softcase -- t-router | An issue was discovered on SoftCase T-Router build 20112017 devices. There are no restrictions on the 'exec command' feature of the T-Router protocol. If the command syntax is correct, there is code execution both on the other modem and on the main servers. This is fixed in production builds as of Spring 2018. | 2018-09-21 | not yet calculated | CVE-2018-11240 MISC
soundtouch -- soundtouch | The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (assertion failure and application exit), as demonstrated by SoundStretch. | 2018-09-16 | not yet calculated | CVE-2018-17096 MISC
soundtouch -- soundtouch | The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch. | 2018-09-16 | not yet calculated | CVE-2018-17097 MISC
soundtouch -- soundtouch | The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (heap corruption from size inconsistency) or possibly have unspecified other impact, as demonstrated by SoundStretch. | 2018-09-16 | not yet calculated | CVE-2018-17098 MISC
subsonic -- media_server | An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user. | 2018-09-21 | not yet calculated | CVE-2018-9282 MISC
subsonic -- subsonic | An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim. | 2018-09-21 | not yet calculated | CVE-2018-14691 MISC
subsonic -- subsonic | An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], and homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim. | 2018-09-21 | not yet calculated | CVE-2018-14688 MISC
subsonic -- subsonic | An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim. | 2018-09-21 | not yet calculated | CVE-2018-14690 MISC
subsonic -- subsonic | An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim. | 2018-09-21 | not yet calculated | CVE-2018-14689 MISC
symantec -- messaging_gateway | The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths in the system identifier to access files that should not normally be accessible. | 2018-09-19 | not yet calculated | CVE-2018-12243 BID CONFIRM
symantec -- messaging_gateway | The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an authentication bypass exploit, which is a type of issue that can allow attackers to potentially circumvent security mechanisms currently in place and gain access to the system or network. | 2018-09-19 | not yet calculated | CVE-2018-12242 BID CONFIRM
tec4data -- smartcooler | In Tec4Data SmartCooler, all versions prior to firmware 180806, the device responds to a remote unauthenticated reboot command that may be used to perform a denial of service attack. | 2018-09-20 | not yet calculated | CVE-2018-14796 MISC
thewebfosters -- ultimatepos | UltimatePOS 2.5 allows users to upload arbitrary files, which leads to remote command execution by posting to a /products URI with PHP code in a .php file with the image/jpeg content type. | 2018-09-17 | not yet calculated | CVE-2018-17139 EXPLOIT-DB
tinyftp -- tinyftpd | In Tinyftp Tinyftpd 1.1, a buffer overflow exists in the text variable of the do_mkd function in the ftpproto.c file. An attacker can overwrite ebp via a long pathname. | 2018-09-16 | not yet calculated | CVE-2018-17106 MISC
torproject.org -- tor_browser | Tor Browser on Windows before 8.0 allows remote attackers to bypass the intended anonymity feature and discover a client IP address, a different vulnerability than CVE-2017-16541. User interaction is required to trigger this vulnerability. | 2018-09-14 | not yet calculated | CVE-2017-16639 MISC BID BUGTRAQ MISC
ubisoft -- uplay_desktop_client | upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process. | 2018-09-20 | not yet calculated | CVE-2018-15832 EXPLOIT-DB
ucms -- ucms | An issue was discovered in UCMS 1.4.6. aaddpost.php has stored XSS via the sadmin/aindex.php minfo parameter in a sadmin_aaddpost action. | 2018-09-21 | not yet calculated | CVE-2018-17320 MISC
udisks -- udisks | UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings. | 2018-09-22 | not yet calculated | CVE-2018-17336 MISC
vectra_networks -- cognito_brain_and_sensor | CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-14889 CONFIRM
vectra_networks -- cognito_brain_and_sensor | Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console. | 2018-09-21 | not yet calculated | CVE-2018-14890 CONFIRM
vectra_networks -- cognito_brain_and_sensor | Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability. | 2018-09-21 | not yet calculated | CVE-2018-14891 CONFIRM
(vendor/product cell not present in this excerpt) | The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. | (row continues beyond this excerpt) | | 
not CVE- The vulnerability can be exploited with yet 2018- wallabag -- wallabag authentication and used to target administrators 2018- calcul 11352 and steal their sessions. 09-21 ated MISC There exists a partial Denial of Service vulnerability in Wanscam HW0021 IP Cameras. not CVE- An attacker could craft a malicious POST yet 2018- wanscam -- hw0021_ip_camera request to crash the ONVIF service on such a 2018- calcul 13111 device. 09-21 ated MISC An issue was discovered in WAVM before 2018-09-16. The run function in Programs/wavm/wavm.cpp does not check CVE- whether there is Emscripten memory to store the not 2018- command-line arguments passed by the input yet 17293 WebAssembly file's main function, which wavm -- wavm 2018- calcul MISC allows attackers to cause a denial of service 09-21 ated MISC (application crash by NULL pointer dereference) Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info or possibly have unspecified other impact by crafting certain WebAssembly files. An issue was discovered in WAVM before 2018-09-16. The loadModule function in Include/Inline/CLI.h lacks checking of the file CVE- length before a file magic comparison, allowing not 2018- attackers to cause a Denial of Service yet 17292 wavm -- wavm (application crash caused by out-of-bounds read) 2018- calcul MISC by crafting a file that has fewer than 4 bytes. 09-21 ated MISC An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are CVE- able to steal developer's code because the origin 2018- of requests is not checked by the WebSocket 14732 server, which is used for HMR (Hot Module MISC Replacement). Anyone can receive the HMR not CONFI webpack_dev_server -- message sent by the WebSocket server via a yet RM webpack_dev_server ws://127.0.0.1:8080/ connection from any 2018- calcul CONFI origin. 
09-21 ated RM not CVE- WECON PLC Editor version 1.3.3U may allow yet 2018- wecon -- plc_editor an attacker to execute code under the current 2018- calcul 14792 process when processing project files. 09-19 ated MISC It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. CVE- The invoked CGI will check if a valid session is 2018- present and bound to the user's IP address.) It not 17153 was found that it is possible for an western_digital -- yet BID unauthenticated attacker to create a valid session my_cloud_device 2018- calcul MISC without a login. The network_mgr.cgi CGI 09-18 ated MISC module contains a command called Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie. CVE- not 2018- The Quizlord plugin through 2.0 for WordPress yet 17140 wordpress -- wordpress is prone to Stored XSS via the title parameter in 2018- calcul EXPLO a ql_insert action to wp-admin/admin.php. 09-17 ated IT-DB CVE- The Jibu Pro plugin through 1.7 for WordPress not 2018- is prone to Stored XSS via the wp- yet 17138 wordpress -- wordpress content/plugins/jibu-pro/quiz_action.php name 2018- calcul EXPLO (aka Quiz Name) field. 
09-17 ated IT-DB not CVE- An issue has been discovered in mackyle xar yet 2018- 1.6.1. There is a NULL pointer dereference in 2018- calcul 17094 xar -- xar xar_unserialize in lib/archive.c. 09-16 ated MISC not CVE- An issue has been discovered in mackyle xar yet 2018- 1.6.1. There is a NULL pointer dereference in 2018- calcul 17093 xar -- xar xar_get_path in lib/util.c. 09-16 ated MISC Cross-site scripting (XSS) vulnerability in not CVE- index.php/index/category/index in YUNUCMS yet 2018- yunucms -- yunucms 1.1.4 allows remote attackers to inject arbitrary 2018- calcul 17322 web script or HTML via the area parameter. 09-21 ated MISC Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search not CVE- zoho -- field to the yet 2018- manageengine_desktop_central /advsearch.do?SUBREQUEST=XMLHTTP 2018- calcul 16833 URI. 09-21 ated MISC Global Search in Zoho ManageEngine CVE- zoho -- manageengine_opmanager OpManager before 12.3 123205 allows SQL 2018- not 2018- Injection. 09-20 yet 17243 Source & Primary PublisCVSS Patch Vendor -- Product Description hed Score Info calcul CONFI ated RM Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to CVE- add an admin user via not 2018- zoho -- /api/json/v2/admin/addUser or conduct a SQL yet 17283 manageengine_opsmanager Injection attack via the 2018- calcul MISC /api/json/device/setManaged name parameter. 09-20 ated MISC In Zoho ManageEngine SupportCenter Plus not CVE- zoho -- 8.1.0, there is HTML Injection and Stored XSS yet 2018- manageengine_supportcenter via the /ServiceContractDef.do contractName 2018- calcul 16965 parameter. 09-21 ated MISC not CVE- yet 2018- zzcms -- zzcms zzcms 8.3 contains a SQL Injection vulnerability 2018- calcul 17136 in /user/check.php via a Client-Ip HTTP header. 09-17 ated MISC