Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1698 | 1 Ibm | 1 Maximo Asset Management | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Maximo Asset Management 7.6 through 7.6.3 could allow an unauthenticated attacker to obtain sensitive information from error messages. IBM X-Force ID: 145967. | |||||
| CVE-2018-1610 | 1 Ibm | 1 Rational Doors Next Generation | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Rational DOORS Next Generation 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 143931. | |||||
| CVE-2018-1656 | 3 Ibm, Oracle, Redhat | 6 Sdk, Enterprise Manager Base Platform, Enterprise Linux Desktop and 3 more | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. | |||||
| CVE-2018-1660 | 1 Ibm | 1 Websphere Portal | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-force ID: 144886. | |||||
| CVE-2018-1706 | 1 Ibm | 1 Spectrum Symphony | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Spectrum Symphony 7.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 146341. | |||||
| CVE-2018-1639 | 1 Ibm | 1 Jazz Reporting Service | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Report Builder of Jazz Reporting Service 5.0 through 5.0.2 and 6.0 through 6.0.6 could allow an authenticated user to obtain sensitive information beyond its assigned privileges. IBM X-Force ID: 144579. | |||||
| CVE-2018-1279 | 1 Pivotal Software | 1 Rabbitmq | 2019-10-09 | 3.3 LOW | 6.5 MEDIUM |
| Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster. | |||||
| CVE-2018-1688 | 1 Ibm | 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5.0 through 6.0.6) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145509. | |||||
| CVE-2018-1643 | 1 Ibm | 1 Websphere Application Server | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Installation Verification Tool of IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 144588 | |||||
| CVE-2018-1644 | 1 Ibm | 1 Websphere Commerce | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 9.0.0.0 - 9.0.0.4, 8.0.0.0 - 8.0.0.19, 8.0.1.0 - 8.0.1.13, 8.0.3.0 - 8.0.3.6, 8.0.4.0 - 8.0.4.14, and 7.0.0.0 Feature Pack 8 could allow an authenticated user to obtain sensitive information about another user. | |||||
| CVE-2018-1650 | 1 Ibm | 1 Qradar Incident Forensics | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| IBM QRadar SIEM 7.2 and 7.3 uses hard-coded credentials which could allow an attacker to bypass the authentication configured by the administrator. IBM X-Force ID: 144656. | |||||
| CVE-2018-1657 | 1 Ibm | 1 Rational Publishing Engine | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-force ID: 144883. | |||||
| CVE-2018-1659 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 144885. | |||||
| CVE-2018-1672 | 1 Ibm | 1 Websphere Portal | 2019-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 may fail to set the correct user context in certain impersonation scenarios, which can allow a user to act with the identity of a different user. IBM X-Force ID: 144958. | |||||
| CVE-2018-1686 | 1 Ibm | 1 Maximo Asset Management | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145505. | |||||
| CVE-2018-19013 | 1 Omron | 1 Cx-supervisor | 2019-10-09 | 4.9 MEDIUM | 5.0 MEDIUM |
| An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file. | |||||
| CVE-2018-17955 | 1 Opensuse | 1 Yast2-multipath | 2019-10-09 | 3.6 LOW | 5.5 MEDIUM |
| In yast2-multipath before version 4.1.1 a static temporary filename allows local attackers to overwrite files on systems without symlink protection | |||||
| CVE-2018-18990 | 1 Lcds | 1 Laquis Scada | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied path in file operations prior to proper validation. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process. | |||||
| CVE-2018-19020 | 1 Omron | 1 Cx-supervisor | 2019-10-09 | 3.5 LOW | 5.0 MEDIUM |
| When CX-Supervisor (Versions 3.42 and prior) processes project files and tampers with the value of an offset, an attacker can force the application to read a value outside of an array. | |||||
| CVE-2018-18991 | 1 Spidercontrol | 1 Scada Webserver | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross-site scripting (non-persistent) in SCADA WebServer (Versions prior to 2.03.0001) could allow an attacker to send a crafted URL that contains JavaScript, which can be reflected off the web application to the victim's browser. | |||||
| CVE-2018-18807 | 1 Tibco | 1 Statistica Server | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0. | |||||
| CVE-2018-19006 | 1 Osisoft | 1 Pi Vision | 2019-10-09 | 3.5 LOW | 4.8 MEDIUM |
| OSIsoft PI Vision, versions PI Vision 2017, and PI Vision 2017 R2, The application contains a cross-site scripting vulnerability where displays that reference AF elements and attributes containing JavaScript are affected. This vulnerability requires the ability of authorized AF users to store JavaScript in AF elements and attributes. | |||||
| CVE-2018-19010 | 1 Draeger | 8 Delta Xl, Delta Xl Firmware, Infinity Delta and 5 more | 2019-10-09 | 3.3 LOW | 6.5 MEDIUM |
| Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. A malformed network packet may cause the monitor to reboot. By repeatedly sending the malformed network packet, an attacker may be able to disrupt patient monitoring by causing the monitor to repeatedly reboot until it falls back to default configuration and loses network connectivity. | |||||
| CVE-2018-19014 | 1 Draeger | 8 Delta Xl, Delta Xl Firmware, Infinity Delta and 5 more | 2019-10-09 | 3.3 LOW | 6.5 MEDIUM |
| Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. Log files are accessible over an unauthenticated network connection. By accessing the log files, an attacker is able to gain insights about internals of the patient monitor, the location of the monitor, and wired network configuration. | |||||
| CVE-2018-19000 | 1 Lcds | 1 Laquis Scada | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows an authentication bypass, which may allow an attacker access to sensitive data. | |||||
| CVE-2018-19001 | 1 Philips | 1 Healthsuite Health | 2019-10-09 | 4.6 MEDIUM | 4.3 MEDIUM |
| Philips HealthSuite Health Android App, all versions. The software uses simple encryption that is not strong enough for the level of protection required. | |||||
| CVE-2018-18591 | 1 Microfocus | 1 Service Manager | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A potential unauthorized disclosure of data vulnerability has been identified in Micro Focus Service Manager versions: 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51. The vulnerability could be exploited to release unauthorized disclosure of data. | |||||
| CVE-2018-17919 | 1 Xiongmaitech | 1 Xmeye P2p Cloud Server | 2019-10-09 | 6.4 MEDIUM | 6.5 MEDIUM |
| All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server may allow an attacker to use an undocumented user account "default" with its default password to login to XMeye and access/view video streams. | |||||
| CVE-2018-17923 | 1 Sagaradio | 2 Saga1-l8b, Saga1-l8b Firmware | 2019-10-09 | 6.9 MEDIUM | 6.9 MEDIUM |
| SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to an attack that an attacker with physical access to the product may able to reprogram it. | |||||
| CVE-2018-17925 | 1 Ge | 1 Ifix | 2019-10-09 | 4.4 MEDIUM | 4.8 MEDIUM |
| Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted. | |||||
| CVE-2018-17928 | 1 Abb | 2 Cms-770, Cms-770 Firmware | 2019-10-09 | 3.3 LOW | 6.5 MEDIUM |
| The product CMS-770 (Software Versions 1.7.1 and prior)is vulnerable that an attacker can read sensitive configuration files by bypassing the user authentication mechanism. | |||||
| CVE-2018-18813 | 1 Tibco | 2 Spotfire Analytics Platform For Aws, Spotfire Server | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0. | |||||
| CVE-2018-17931 | 1 Vecna | 2 Vgo, Vgo Firmware | 2019-10-09 | 7.2 HIGH | 6.8 MEDIUM |
| If an attacker has physical access to the VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may also be affected) they may be able to alter scripts, which may allow code execution with root privileges. | |||||
| CVE-2018-17926 | 1 Abb | 3 Eth-fw Firmware, Fw Firmware, M2m Ethernet | 2019-10-09 | 3.3 LOW | 4.3 MEDIUM |
| The product M2M ETHERNET (FW Versions 2.22 and prior, ETH-FW Versions 1.01 and prior) is vulnerable in that an attacker can upload a malicious language file by bypassing the user authentication mechanism. | |||||
| CVE-2018-18816 | 1 Tibco | 3 Jasperreports Server, Jaspersoft, Jaspersoft Reporting And Analytics | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| The repository component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS contains a persistent cross site scripting vulnerability. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi- Tenancy versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. | |||||
| CVE-2018-17917 | 1 Xiongmaitech | 1 Xmeye P2p Cloud Server | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server may allow an attacker to use MAC addresses to enumerate potential Cloud IDs. Using this ID, the attacker can discover and connect to valid devices using one of the supported apps. | |||||
| CVE-2018-17904 | 1 Geovap | 1 Reliance 4 | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reliance 4 SCADA/HMI, Version 4.7.3 Update 3 and prior. This vulnerability could allow an unauthorized attacker to inject arbitrary code. | |||||
| CVE-2018-17902 | 1 Yokogawa | 8 Fcj, Fcj Firmware, Fcn-100 and 5 more | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions. | |||||
| CVE-2018-19644 | 1 Microfocus | 1 Solutions Business Manager | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected cross site script issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5. | |||||
| CVE-2018-18997 | 1 Abb | 4 Gate-e1, Gate-e1 Firmware, Gate-e2 and 1 more | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pluto Safety PLC Gateway Ethernet devices in ABB GATE-E1 and GATE-E2 all versions allows an unauthenticated attacker using the administrative web interface to insert an HTML/Javascript payload into any of the device properties, which may allow an attacker to display/execute the payload in a visitor browser. | |||||
| CVE-2018-18985 | 1 Tridium | 3 Niagara, Niagara Ax Framework, Niagara Enterprise Security | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality. | |||||
| CVE-2018-16465 | 1 Nextcloud | 1 Nextcloud Server | 2019-10-09 | 4.3 MEDIUM | 5.3 MEDIUM |
| Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the the provider of the second factor failed to load. | |||||
| CVE-2018-16555 | 1 Siemens | 8 Scalance S602, Scalance S602 Firmware, Scalance S612 and 5 more | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been identified in SCALANCE S602 (All versions < V4.0.1.1), SCALANCE S612 (All versions < V4.0.1.1), SCALANCE S623 (All versions < V4.0.1.1), SCALANCE S627-2M (All versions < V4.0.1.1). The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. | |||||
| CVE-2018-16852 | 1 Samba | 1 Samba | 2019-10-09 | 3.5 LOW | 4.4 MEDIUM |
| Samba from version 4.9.0 and before version 4.9.3 is vulnerable to a NULL pointer de-reference. During the processing of an DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service. | |||||
| CVE-2018-17489 | 1 Hidglobal | 1 Easylobby Solo | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| EasyLobby Solo could allow a local attacker to obtain sensitive information, caused by the storing of the social security number in plaintext. By visiting the kiosk and viewing the Visitor table of the database, an attacker could exploit this vulnerability to view stored social security numbers. | |||||
| CVE-2018-16477 | 1 Rubyonrails | 1 Rails | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1. | |||||
| CVE-2018-16853 | 1 Samba | 1 Samba | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| Samba from version 4.7.0 has a vulnerability that allows a user in a Samba AD domain to crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory the Samba Team clarify that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this configuration. Additionally, Samba 4.7.12, 4.8.7 and 4.9.3 have been issued as security releases to prevent building of the AD DC with MIT Kerberos unless --with-experimental-mit-ad-dc is specified to the configure command. | |||||
| CVE-2018-16459 | 1 Exceljs Project | 1 Exceljs | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An unescaped payload in exceljs <v1.6 allows a possible XSS via cell value when worksheet is displayed in browser. | |||||
| CVE-2018-16464 | 1 Nextcloud | 1 Nextcloud Server | 2019-10-09 | 3.5 LOW | 5.7 MEDIUM |
| A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password. | |||||
| CVE-2018-16851 | 3 Canonical, Debian, Samba | 3 Ubuntu Linux, Debian Linux, Samba | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Samba from version 4.0.0 and before versions 4.7.12, 4.8.7, 4.9.3 is vulnerable to a denial of service. During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service. | |||||
