Search
Total
2136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-1748 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-25 | 4.3 MEDIUM | 3.3 LOW |
| IOHIDFamily in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9.2, and watchOS before 2.2 allows attackers to obtain sensitive kernel memory-layout information via a crafted app. | |||||
| CVE-2017-5607 | 1 Splunk | 1 Splunk | 2019-03-20 | 3.5 LOW | 3.5 LOW |
| Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window namespace, which might allow remote attackers to obtain sensitive logged-in username and version-related information via a crafted webpage. | |||||
| CVE-2016-4583 | 2 Apple, Webkitgtk | 5 Iphone Os, Safari, Tvos and 2 more | 2019-03-20 | 2.6 LOW | 3.1 LOW |
| WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image date from an unintended web site via a timing attack involving an SVG document. | |||||
| CVE-2017-2826 | 2 Debian, Zabbix | 2 Debian Linux, Zabbix | 2019-03-13 | 4.3 MEDIUM | 3.7 LOW |
| An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability. | |||||
| CVE-2016-4664 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2019-03-08 | 4.3 MEDIUM | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 10.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Sandbox Profiles" component, which allows attackers to read photo-directory metadata via a crafted app. | |||||
| CVE-2016-4665 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2019-03-08 | 4.3 MEDIUM | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 10.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Sandbox Profiles" component, which allows attackers to read audio-recording metadata via a crafted app. | |||||
| CVE-2014-4407 | 1 Apple | 3 Iphone Os, Mac Os X, Tvos | 2019-03-08 | 4.3 MEDIUM | 3.3 LOW |
| IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls. | |||||
| CVE-2017-13852 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 11.1 is affected. macOS before 10.13.1 is affected. tvOS before 11.1 is affected. watchOS before 4.1 is affected. The issue involves the "Kernel" component. It allows attackers to monitor arbitrary apps via a crafted app that accesses process information at a high rate. | |||||
| CVE-2016-8288 | 1 Oracle | 1 Mysql | 2019-03-07 | 4.9 MEDIUM | 3.1 LOW |
| Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect integrity via vectors related to Server: InnoDB Plugin. | |||||
| CVE-2016-8284 | 1 Oracle | 1 Mysql | 2019-03-07 | 1.2 LOW | 1.8 LOW |
| Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.13 and earlier allows local users to affect availability via vectors related to Server: Replication. | |||||
| CVE-2018-5693 | 1 Linuxmagic | 1 Magicspam | 2019-03-06 | 2.1 LOW | 3.3 LOW |
| The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows local users to discover mailbox names by reading /var/log/magicspam/mslog. | |||||
| CVE-2018-6382 | 1 Mantisbt | 1 Mantisbt | 2019-03-04 | 2.1 LOW | 3.3 LOW |
| ** DISPUTED ** MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a request to the 127.0.0.1 IP address. NOTE: the vendor disputes the significance of this report because server.php is intended to execute arbitrary SQL statements on behalf of authenticated users from 127.0.0.1, and the issue does not have an authentication bypass. | |||||
| CVE-2016-3159 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Vm Server and 1 more | 2019-02-21 | 1.7 LOW | 3.8 LOW |
| The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. | |||||
| CVE-2018-19148 | 1 Caddyserver | 1 Caddy | 2019-01-30 | 4.3 MEDIUM | 3.7 LOW |
| Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort. | |||||
| CVE-2018-16738 | 2 Debian, Tinc-vpn | 2 Debian Linux, Tinc | 2019-01-03 | 4.3 MEDIUM | 3.7 LOW |
| tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1. | |||||
| CVE-2018-19421 | 1 Get-simple | 1 Getsimple Cms | 2018-12-28 | 4.0 MEDIUM | 3.8 LOW |
| In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer render HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. | |||||
| CVE-2018-19420 | 1 Get-simple | 1 Getsimple Cms | 2018-12-28 | 4.0 MEDIUM | 3.8 LOW |
| In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. | |||||
| CVE-2016-4486 | 3 Canonical, Linux, Novell | 10 Ubuntu Linux, Linux Kernel, Suse Linux Enterprise Debuginfo and 7 more | 2018-12-20 | 2.1 LOW | 3.3 LOW |
| The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. | |||||
| CVE-2018-16252 | 1 Fspro | 1 Event Log Explorer | 2018-12-04 | 2.1 LOW | 3.3 LOW |
| FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection. | |||||
| CVE-2018-6262 | 1 Nvidia | 1 Geforce Experience | 2018-11-23 | 1.9 LOW | 2.5 LOW |
| NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when GameStream is enabled where limited sensitive user information may be available to users with system access, which may lead to information disclosure. | |||||
| CVE-2018-16968 | 1 Citrix | 1 Sharefile Storagezones Controller | 2018-11-23 | 3.5 LOW | 3.1 LOW |
| Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal. | |||||
| CVE-2018-8366 | 1 Microsoft | 2 Edge, Windows 10 | 2018-11-20 | 2.6 LOW | 3.1 LOW |
| An information disclosure vulnerability exists when the Microsoft Edge Fetch API incorrectly handles a filtered response type, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. | |||||
| CVE-2018-6053 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-20 | 4.3 MEDIUM | 3.3 LOW |
| Inappropriate implementation in New Tab Page in Google Chrome prior to 64.0.3282.119 allowed a local attacker to view website thumbnail images after clearing browser data via a crafted HTML page. | |||||
| CVE-2015-7548 | 1 Openstack | 1 Nova | 2018-11-16 | 2.1 LOW | 3.5 LOW |
| OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot. | |||||
| CVE-2018-6259 | 1 Nvidia | 1 Geforce Experience | 2018-11-06 | 1.9 LOW | 2.5 LOW |
| NVIDIA GeForce Experience all versions prior to 3.14.1 contains a potential vulnerability when GameStream is enabled, an attacker has system access, and certain system features are enabled, where limited information disclosure may be possible. | |||||
| CVE-2018-10424 | 1 1234n | 1 Minicms | 2018-10-30 | 4.0 MEDIUM | 2.7 LOW |
| mc-admin/post-edit.php in MiniCMS 1.10 allows full path disclosure via a modified id field. | |||||
| CVE-2018-10423 | 1 1234n | 1 Minicms | 2018-10-30 | 4.0 MEDIUM | 2.7 LOW |
| mc-admin/post.php in MiniCMS 1.10 allows remote attackers to obtain a directory listing of the top-level directory of the web root via a link that becomes available after posting an article. | |||||
| CVE-2014-9770 | 1 Opensuse | 1 Opensuse | 2018-10-30 | 2.1 LOW | 3.3 LOW |
| tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files. | |||||
| CVE-2015-7758 | 2 Gummi Project, Opensuse | 3 Gummi, Leap, Opensuse | 2018-10-30 | 2.1 LOW | 3.3 LOW |
| Gummi 0.6.5 allows local users to write to arbitrary files via a symlink attack on a temporary dot file that uses the name of an existing file and a (1) .aux, (2) .log, (3) .out, (4) .pdf, or (5) .toc extension for the file name, as demonstrated by .thesis.tex.aux. | |||||
| CVE-2016-7657 | 1 Apple | 3 Iphone Os, Mac Os X, Watchos | 2018-10-30 | 4.3 MEDIUM | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOKit" component. It allows attackers to obtain sensitive information from kernel memory via a crafted app. | |||||
| CVE-2015-8842 | 1 Opensuse | 1 Opensuse | 2018-10-30 | 2.1 LOW | 3.3 LOW |
| tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file. | |||||
| CVE-2016-7714 | 1 Apple | 3 Iphone Os, Mac Os X, Watchos | 2018-10-30 | 2.1 LOW | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOKit" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. | |||||
| CVE-2016-0688 | 1 Oracle | 1 Weblogic Server | 2018-10-30 | 2.6 LOW | 3.7 LOW |
| Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via vectors related to Core Components. | |||||
| CVE-2016-5166 | 2 Google, Opensuse | 2 Chrome, Leap | 2018-10-30 | 2.6 LOW | 3.1 LOW |
| The download implementation in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly restrict saving a file:// URL that is referenced by an http:// URL, which makes it easier for user-assisted remote attackers to discover NetNTLM hashes and conduct SMB relay attacks via a crafted web page that is accessed with the "Save page as" menu choice. | |||||
| CVE-2018-0660 | 1 Hibara | 1 Attachecase | 2018-10-30 | 4.3 MEDIUM | 3.3 LOW |
| Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file. | |||||
| CVE-2018-7938 | 1 Huawei | 2 P10, P10 Firmware | 2018-10-26 | 4.3 MEDIUM | 3.3 LOW |
| P10 Huawei smartphones with the versions before Victoria-AL00AC00B217 have an information leak vulnerability due to the lack of permission validation. An attacker tricks a user into installing a malicious application on the smart phone, and the application can read some hardware serial number, which may cause sensitive information leak. | |||||
| CVE-2014-6049 | 1 Phpmyfaq | 1 Phpmyfaq | 2018-10-23 | 5.5 MEDIUM | 2.7 LOW |
| phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter. | |||||
| CVE-2018-16237 | 1 Damicms | 1 Damicms | 2018-10-19 | 4.0 MEDIUM | 2.7 LOW |
| An issue was discovered in damiCMS V6.0.1. There is Directory Traversal via '|' characters in the s parameter to admin.php, as demonstrated by an admin.php?s=Tpl/Add/id/c:|windows|win.ini URI. | |||||
| CVE-2016-4027 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-10-19 | 3.5 LOW | 3.5 LOW |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account. | |||||
| CVE-2015-6644 | 1 Google | 1 Android | 2018-10-17 | 4.3 MEDIUM | 3.3 LOW |
| Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146. | |||||
| CVE-2016-7227 | 1 Microsoft | 2 Edge, Internet Explorer | 2018-10-12 | 2.6 LOW | 3.1 LOW |
| The scripting engines in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to determine the existence of local files via unspecified vectors, aka "Microsoft Browser Information Disclosure Vulnerability." | |||||
| CVE-2016-7220 | 1 Microsoft | 1 Windows 10 | 2018-10-12 | 2.1 LOW | 3.3 LOW |
| Virtual Secure Mode in Microsoft Windows 10 allows local users to obtain sensitive information via a crafted application, aka "Virtual Secure Mode Information Disclosure Vulnerability." | |||||
| CVE-2016-7239 | 1 Microsoft | 2 Edge, Internet Explorer | 2018-10-12 | 2.6 LOW | 3.1 LOW |
| The RegEx class in the XSS filter in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive information via unspecified vectors, aka "Microsoft Browser Information Disclosure Vulnerability." | |||||
| CVE-2016-7199 | 1 Microsoft | 2 Edge, Internet Explorer | 2018-10-12 | 2.6 LOW | 3.1 LOW |
| Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability." | |||||
| CVE-2016-7204 | 1 Microsoft | 1 Edge | 2018-10-12 | 2.6 LOW | 3.1 LOW |
| Microsoft Edge allows remote attackers to access arbitrary "My Documents" files via a crafted web site, aka "Microsoft Edge Information Disclosure Vulnerability." | |||||
| CVE-2016-7214 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2018-10-12 | 2.1 LOW | 3.3 LOW |
| The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to bypass the ASLR protection mechanism via a crafted application, aka "Win32k Information Disclosure Vulnerability." | |||||
| CVE-2016-3291 | 1 Microsoft | 2 Edge, Internet Explorer | 2018-10-12 | 2.6 LOW | 2.4 LOW |
| Microsoft Internet Explorer 11 and Microsoft Edge mishandle cross-origin requests, which allows remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability." | |||||
| CVE-2016-3354 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2018-10-12 | 4.3 MEDIUM | 3.3 LOW |
| The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows local users to bypass the ASLR protection mechanism via a crafted application, aka "GDI Information Disclosure Vulnerability." | |||||
| CVE-2016-3251 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2018-10-12 | 2.1 LOW | 2.8 LOW |
| The GDI component in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to obtain sensitive kernel-address information via a crafted application, aka "Win32k Information Disclosure Vulnerability." | |||||
| CVE-2016-3344 | 1 Microsoft | 1 Windows 10 | 2018-10-12 | 2.1 LOW | 3.3 LOW |
| The Secure Kernel Mode feature in Microsoft Windows 10 Gold and 1511 allows local users to obtain sensitive information via a crafted application, aka "Windows Secure Kernel Mode Information Disclosure Vulnerability." | |||||