Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-6491 1 Microfocus 1 Ucmdb Configuration Manager 2019-10-09 7.2 HIGH 9.8 CRITICAL
Local Escalation of Privilege vulnerability to Micro Focus Universal CMDB, versions 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.00. The vulnerability could be remotely exploited to Local Escalation of Privilege.
CVE-2018-6499 1 Microfocus 9 Autopass License Server, Data Center Automation, Hybrid Cloud Management and 6 more 2019-10-09 7.5 HIGH 9.8 CRITICAL
Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05, Service Virtualization (SV) with floating licenses using Any version using APLS older than 10.7, Unified Functional Testing (UFT) with floating licenses using Any version using APLS older than 10.7, Network Virtualization (NV) with floating licenses using Any version using APLS older than 10.7 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution.
CVE-2018-4853 1 Siemens 4 Siclock Tc100, Siclock Tc100 Firmware, Siclock Tc400 and 1 more 2019-10-09 10.0 HIGH 9.8 CRITICAL
A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the firmware of the device.
CVE-2018-5439 1 Nortekcontrol 2 Emerge E3, Emerge E3 Firmware 2019-10-09 10.0 HIGH 9.8 CRITICAL
A Command Injection issue was discovered in Nortek Linear eMerge E3 series Versions V0.32-07e and prior. A remote attacker may be able to execute arbitrary code on a target machine with elevated privileges.
CVE-2018-6667 1 Mcafee 1 Mcafee Web Gateway 2019-10-09 7.5 HIGH 9.8 CRITICAL
Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1.0 through 7.8.1.5 allows remote attackers to execute arbitrary code via Java management extensions (JMX).
CVE-2018-6331 1 Facebook 1 Buck 2019-10-09 7.5 HIGH 9.8 CRITICAL
Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.
CVE-2018-6333 1 Facebook 1 Nuclide 2019-10-09 7.5 HIGH 9.8 CRITICAL
The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.
CVE-2018-6334 1 Facebook 1 Hhvm 2019-10-09 7.5 HIGH 9.8 CRITICAL
Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
CVE-2018-5435 1 Tibco 5 Spotfire Analyst, Spotfire Analytics Platform For Aws, Spotfire Deployment Kit and 2 more 2019-10-09 10.0 HIGH 9.8 CRITICAL
The TIBCO Spotfire Client and TIBCO Spotfire Web Player Client components of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Language Packs contain multiple vulnerabilities that may allow for remote code execution. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions up to and including 7.8.0; 7.9.0; 7.9.1; 7.10.0; 7.10.1; 7.11.0; 7.12.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 7.12.0, TIBCO Spotfire Deployment Kit: versions up to and including 7.8.0; 7.9.0;7.9.1;7.10.0;7.10.1;7.11.0; 7.12.0, TIBCO Spotfire Desktop: versions up to and including 7.8.0; 7.9.0; 7.9.1; 7.10.0; 7.10.1; 7.11.0;7.12.0, TIBCO Spotfire Desktop Language Packs: versions up to and including 7.8.0; 7.9.0; 7.9.1; 7.10.0; 7.10.1; 7.11.0.
CVE-2018-5379 5 Canonical, Debian, Quagga and 2 more 10 Ubuntu Linux, Debian Linux, Quagga and 7 more 2019-10-09 7.5 HIGH 9.8 CRITICAL
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
CVE-2018-5474 1 Philips 1 Intellispace Portal 2019-10-09 7.5 HIGH 9.8 CRITICAL
Philips Intellispace Portal all versions 7.0.x and 8.0.x have an input validation vulnerability that could allow a remote attacker to execute arbitrary code or cause the application to crash.
CVE-2018-5472 1 Philips 1 Intellispace Portal 2019-10-09 7.5 HIGH 9.8 CRITICAL
Philips Intellispace Portal all versions 7.0.x and 8.0.x have an insecure windows permissions vulnerability that could allow an attacker to gain unauthorized access and in some cases escalate their level of privilege or execute arbitrary code.
CVE-2018-5469 1 Belden 134 Hirschmann M1-8mm-sc, Hirschmann M1-8sfp, Hirschmann M1-8sm-sc and 131 more 2019-10-09 7.5 HIGH 9.8 CRITICAL
An Improper Restriction of Excessive Authentication Attempts issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An improper restriction of excessive authentication vulnerability in the web interface has been identified, which may allow an attacker to brute force authentication.
CVE-2018-5468 1 Philips 1 Intellispace Portal 2019-10-09 7.5 HIGH 9.8 CRITICAL
Philips Intellispace Portal all versions 7.0.x and 8.0.x have a remote desktop access vulnerability that could allow an attacker to gain unauthorized access and in some cases escalate their level of privilege or execute arbitrary code
CVE-2018-6486 1 Microfocus 2 Fortify Audit Workbench, Fortify Software Security Center 2019-10-09 7.5 HIGH 9.8 CRITICAL
XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.
CVE-2018-6498 1 Microfocus 5 Data Center Automation, Hybrid Cloud Management, Network Operations Management and 2 more 2019-10-09 7.5 HIGH 9.8 CRITICAL
Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution.
CVE-2018-2404 1 Sap 1 Disclosure Management 2019-10-09 7.5 HIGH 9.8 CRITICAL
SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation.
CVE-2018-3779 1 Activesupport Project 1 Activesupport 2019-10-09 10.0 HIGH 9.8 CRITICAL
active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2018-3767 1 Memcachier 1 Memjs 2019-10-09 6.4 MEDIUM 9.1 CRITICAL
`memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage.
CVE-2018-3746 1 Pdfinfojs Project 1 Pdfinfojs 2019-10-09 10.0 HIGH 9.8 CRITICAL
The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.
CVE-2018-3745 1 Atob Project 1 Atob 2019-10-09 6.4 MEDIUM 9.1 CRITICAL
atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.
CVE-2018-3744 1 Html-pages Project 1 Html-pages 2019-10-09 5.0 MEDIUM 9.8 CRITICAL
The html-pages node module contains a path traversal vulnerabilities that allows an attacker to read any file from the server with cURL.
CVE-2018-3739 1 Https-proxy-agent Project 1 Https-proxy-agent 2019-10-09 6.4 MEDIUM 9.1 CRITICAL
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
CVE-2018-3774 1 Url-parse Project 1 Url-parse 2019-10-09 7.5 HIGH 10.0 CRITICAL
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
CVE-2018-3777 1 Restforce 1 Restforce 2019-10-09 7.5 HIGH 9.8 CRITICAL
Insufficient URI encoding in restforce before 3.0.0 allows attacker to inject arbitrary parameters into Salesforce API requests.
CVE-2018-3822 1 Elastic 1 X-pack 2019-10-09 7.5 HIGH 9.8 CRITICAL
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.
CVE-2018-2418 1 Sap 1 Maxdb Odbc Driver 2019-10-09 7.5 HIGH 9.8 CRITICAL
SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
CVE-2018-2420 1 Sap 1 Internet Graphics Server 2019-10-09 7.5 HIGH 9.8 CRITICAL
SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, allows an attacker to upload any file (including script files) without proper file format validation.
CVE-2018-3772 1 Whereis Project 1 Whereis 2019-10-09 7.5 HIGH 9.8 CRITICAL
Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead.
CVE-2018-3785 1 Git-dummy-commit Project 1 Git-dummy-commit 2019-10-09 10.0 HIGH 9.8 CRITICAL
A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.
CVE-2018-3786 1 Eggjs 1 Egg-scripts 2019-10-09 10.0 HIGH 9.8 CRITICAL
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
CVE-2018-1789 1 Ibm 1 Api Connect 2019-10-09 6.5 MEDIUM 9.9 CRITICAL
IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939.
CVE-2018-1818 1 Ibm 1 Security Guardium 2019-10-09 7.5 HIGH 9.8 CRITICAL
IBM Security Guardium 10 and 10.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 150022.
CVE-2018-1969 1 Ibm 1 Security Identity Manager 2019-10-09 6.5 MEDIUM 9.9 CRITICAL
IBM Security Identity Manager 6.0.0 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 153750.
CVE-2018-1904 1 Ibm 1 Websphere Application Server 2019-10-09 7.5 HIGH 9.8 CRITICAL
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533.
CVE-2018-1851 1 Ibm 1 Websphere Application Server 2019-10-09 7.5 HIGH 9.8 CRITICAL
IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999.
CVE-2018-1822 1 Ibm 4 Flashsystem 840, Flashsystem 840 Firmware, Flashsystem 900 and 1 more 2019-10-09 10.0 HIGH 9.8 CRITICAL
IBM FlashSystem 900 product GUI allows a specially crafted attack to bypass the authentication requirements of the system, resulting in the ability to remotely change the superuser password. This can be used by an attacker to gain administrative control or to deny service. IBM X-Force ID: 150296.
CVE-2018-20248 1 Foxitsoftware 1 Quick Pdf Library 2019-10-09 7.5 HIGH 9.8 CRITICAL
In Foxit Quick PDF Library (all versions prior to 16.12), issue where loading a malformed or malicious PDF containing invalid xref table pointers or invalid xref table data using the LoadFromFile, LoadFromString, LoadFromStream, DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out of bounds memory access.
CVE-2018-1944 1 Ibm 1 Security Identity Governance And Intelligence 2019-10-09 7.5 HIGH 9.8 CRITICAL
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 153386.
CVE-2018-1994 1 Ibm 2 Infosphere Information Server On Cloud, Infosphere Metadata Asset Manager 2019-10-09 7.5 HIGH 9.8 CRITICAL
IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 154494.
CVE-2018-1821 1 Ibm 1 Operational Decision Manager 2019-10-09 6.4 MEDIUM 9.1 CRITICAL
IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.
CVE-2018-1078 1 Opendaylight 1 Openflow 2019-10-09 7.5 HIGH 9.8 CRITICAL
OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired.
CVE-2018-1132 1 Opendaylight 1 Sdninterfaceapp 2019-10-09 7.5 HIGH 9.8 CRITICAL
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.
CVE-2018-1373 1 Ibm 1 Security Guardium Big Data Intelligence 2019-10-09 5.0 MEDIUM 9.8 CRITICAL
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 137773.
CVE-2018-1722 1 Ibm 1 Security Access Manager 2019-10-09 10.0 HIGH 10.0 CRITICAL
IBM Security Access Manager Appliance 9.0.4.0 and 9.0.5.0 could allow remote code execution when Advanced Access Control or Federation services are running. IBM X-Force ID: 147370.
CVE-2018-1264 1 Pivotal Software 1 Cloud Foundry Log Cache 2019-10-09 5.0 MEDIUM 9.8 CRITICAL
Cloud Foundry Log Cache, versions prior to 1.1.1, logs its UAA client secret on startup as part of its envstruct report. A remote attacker who has gained access to the Log Cache VM can read this secret, gaining all privileges held by the Log Cache UAA client. In the worst case, if this client is an admin, the attacker would gain complete control over the Foundation.
CVE-2018-1072 2 Ovirt, Redhat 2 Ovirt, Enterprise Virtualization Manager 2019-10-09 5.0 MEDIUM 9.8 CRITICAL
ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords.
CVE-2018-1712 1 Ibm 1 Api Connect 2019-10-09 7.5 HIGH 9.9 CRITICAL
IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery. An attacker, using specially crafted input parameters can trick the server into making potentially malicious calls within the trusted network. IBM X-Force ID: 146370.
CVE-2018-1469 1 Ibm 1 Api Connect 2019-10-09 10.0 HIGH 9.8 CRITICAL
IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow an unauthenticated attacker to execute system commands using specially crafted HTTP requests. IBM X-Force ID: 140605.
CVE-2018-1742 1 Ibm 1 Security Key Lifecycle Manager 2019-10-09 7.2 HIGH 9.3 CRITICAL
IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 148421.