Search
Total
7597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-13873 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Kernel" component. It allows attackers to obtain sensitive network-activity information about arbitrary apps via a crafted app. | |||||
| CVE-2017-2493 | 2 Apple, Microsoft | 5 Icloud, Iphone Os, Safari and 2 more | 2019-03-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted elements on a web site. | |||||
| CVE-2018-4104 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | |||||
| CVE-2017-13869 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | |||||
| CVE-2018-4185 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS before High Sierra 10.13.4, an information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling. | |||||
| CVE-2017-2448 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. The issue involves the "Keychain" component. It allows man-in-the-middle attackers to bypass an iCloud Keychain secret protection mechanism by leveraging lack of authentication for OTR packets. | |||||
| CVE-2017-13865 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | |||||
| CVE-2017-13852 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2019-03-08 | 4.3 MEDIUM | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 11.1 is affected. macOS before 10.13.1 is affected. tvOS before 11.1 is affected. watchOS before 4.1 is affected. The issue involves the "Kernel" component. It allows attackers to monitor arbitrary apps via a crafted app that accesses process information at a high rate. | |||||
| CVE-2017-7116 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to read data from kernel memory locations via crafted Wi-Fi traffic. | |||||
| CVE-2017-11122 | 2 Apple, Broadcom | 4 Iphone Os, Tvos, Bcm4355c0 and 1 more | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement offloading. | |||||
| CVE-2017-7090 | 2 Apple, Microsoft | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive cookie information via a custom URL scheme. | |||||
| CVE-2018-8056 | 1 Cobub | 1 Razor | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via an invalid channel_name parameter to /index.php?/manage/channel/addchannel or a direct request to /export.php. | |||||
| CVE-2018-1322 | 1 Apache | 1 Syncope | 2019-03-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters. | |||||
| CVE-2018-4221 | 1 Apple | 2 Iphone Os, Mac Os X | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. The issue involves the "Security" component. It allows web sites to track users by leveraging the transmission of S/MIME client certificates. | |||||
| CVE-2018-5131 | 4 Canonical, Debian, Mozilla and 1 more | 9 Ubuntu Linux, Debian Linux, Firefox and 6 more | 2019-03-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59. | |||||
| CVE-2018-15132 | 2 Netapp, Php | 2 Storage Automation Store, Php | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the open_basedir check. This could be abused to find files on paths outside of the allowed directories. | |||||
| CVE-2015-2080 | 2 Eclipse, Fedoraproject | 2 Jetty, Fedora | 2019-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. | |||||
| CVE-2018-5750 | 4 Canonical, Debian, Linux and 1 more | 10 Ubuntu Linux, Debian Linux, Linux Kernel and 7 more | 2019-03-07 | 2.1 LOW | 5.5 MEDIUM |
| The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. | |||||
| CVE-2018-8770 | 1 Westernbridgegroup | 1 Razor | 2019-03-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via generate.php, controllers/getConfigTest.php, controllers/getUpdateTest.php, controllers/postclientdataTest.php, controllers/posterrorTest.php, controllers/posteventTest.php, controllers/posttagTest.php, controllers/postusinglogTest.php, fixtures/Controller_fixt.php, fixtures/Controller_fixt2.php, fixtures/view_fixt2.php, libs/ipTest.php, or models/commonDbfix.php in tests/. | |||||
| CVE-2016-6721 | 1 Google | 1 Android | 2019-03-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability in Mediaserver in Android 6.x before 2016-11-01 and 7.0 before 2016-11-01 could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Android ID: A-30875060. | |||||
| CVE-2016-6722 | 1 Google | 1 Android | 2019-03-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability in libstagefright in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Android ID: A-31091777. | |||||
| CVE-2016-6720 | 1 Google | 1 Android | 2019-03-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability in libstagefright in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Android ID: A-29422020. | |||||
| CVE-2016-6709 | 1 Google | 1 Android | 2019-03-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| An information disclosure vulnerability in Conscrypt and BoringSSL in Android 6.x before 2016-11-01 and 7.0 before 2016-11-01 could enable a man-in-the-middle attacker to gain access to sensitive information if a non-standard cipher suite is used by an application. This issue is rated as High because it could be used to access data without permission. Android ID: A-31081987. | |||||
| CVE-2018-9526 | 1 Google | 1 Android | 2019-03-07 | 5.0 MEDIUM | 7.5 HIGH |
| In device configuration data, there is an improperly configured setting. This could lead to remote disclosure of device location. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-112159033 | |||||
| CVE-2018-15919 | 2 Netapp, Openbsd | 7 Cloud Backup, Cn1610, Cn1610 Firmware and 4 more | 2019-03-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' | |||||
| CVE-2018-16539 | 4 Artifex, Canonical, Debian and 1 more | 9 Ghostscript, Ubuntu Linux, Debian Linux and 6 more | 2019-03-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable. | |||||
| CVE-2018-4226 | 2 Apple, Microsoft | 6 Icloud, Iphone Os, Itunes and 3 more | 2019-03-07 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of sensitive user information. | |||||
| CVE-2016-7386 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2019-03-07 | 2.1 LOW | 5.5 MEDIUM |
| For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 375.63 contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape ID 0x70000D4 which may lead to leaking of kernel memory contents to user space through an uninitialized buffer. | |||||
| CVE-2018-11275 | 1 Google | 1 Android | 2019-03-05 | 4.9 MEDIUM | 5.5 MEDIUM |
| In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when flashing image using FastbootLib if size is not divisible by block size, information leak occurs. | |||||
| CVE-2016-5611 | 1 Oracle | 1 Vm Virtualbox | 2019-03-04 | 2.1 LOW | 4.3 MEDIUM |
| Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality via vectors related to Core. | |||||
| CVE-2016-5584 | 3 Debian, Mariadb, Oracle | 3 Debian Linux, Mariadb, Mysql | 2019-03-04 | 3.5 LOW | 4.4 MEDIUM |
| Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 and earlier, and 5.7.15 and earlier allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption. | |||||
| CVE-2018-20151 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-04 | 5.0 MEDIUM | 7.5 HIGH |
| In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. | |||||
| CVE-2018-6099 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Linux Desktop and 2 more | 2019-03-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| A lack of CORS checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. | |||||
| CVE-2018-7273 | 1 Linux | 1 Linux Kernel | 2019-03-01 | 4.9 MEDIUM | 5.5 MEDIUM |
| In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR. | |||||
| CVE-2018-1306 | 1 Apache | 1 Pluto | 2019-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information. | |||||
| CVE-2018-6095 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Linux Desktop and 2 more | 2019-03-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate dismissal of file picker on keyboard events in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to read local files via a crafted HTML page. | |||||
| CVE-2018-12400 | 2 Google, Mozilla | 2 Android, Firefox | 2019-03-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In private browsing mode on Firefox for Android, favicons are cached in the cache/icons folder as they are in non-private mode. This allows information leakage of sites visited during private browsing sessions. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63. | |||||
| CVE-2018-12397 | 4 Canonical, Debian, Mozilla and 1 more | 8 Ubuntu Linux, Debian Linux, Firefox and 5 more | 2019-03-01 | 3.6 LOW | 7.1 HIGH |
| A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63. | |||||
| CVE-2018-8024 | 2 Apache, Mozilla | 2 Spark, Firefox | 2019-02-28 | 4.9 MEDIUM | 5.4 MEDIUM |
| In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this type of attack, current versions of Firefox (and possibly others) do not. | |||||
| CVE-2018-11845 | 1 Qualcomm | 80 Mdm9150, Mdm9150 Firmware, Mdm9206 and 77 more | 2019-02-28 | 4.9 MEDIUM | 5.5 MEDIUM |
| Usage of non-time-constant comparison functions can lead to information leakage through side channel analysis in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in versions MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. | |||||
| CVE-2008-0085 | 1 Microsoft | 7 Data Engine, Sql Server, Sql Server Desktop Engine and 4 more | 2019-02-28 | 5.0 MEDIUM | N/A |
| SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (MSDE 2000) SP4, 2005 Express Edition SP1 and SP2, and 2000 Desktop Engine (WMSDE); Microsoft Data Engine (MSDE) 1.0 SP4; and Internal Database (WYukon) SP2 does not initialize memory pages when reallocating memory, which allows database operators to obtain sensitive information (database contents) via unknown vectors related to memory page reuse. | |||||
| CVE-2018-9842 | 1 Cyberark | 1 Password Vault | 2019-02-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message. | |||||
| CVE-2019-0647 | 1 Microsoft | 1 Team Foundation Server | 2019-02-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team. | |||||
| CVE-2016-4995 | 1 Theforeman | 1 Foreman | 2019-02-26 | 3.5 LOW | 5.3 MEDIUM |
| Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname. | |||||
| CVE-2019-7312 | 1 Primx | 3 Zed, Zedmail, Zonecentral | 2019-02-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Limited plaintext disclosure exists in PRIMX Zed Entreprise for Windows before 6.1.2240, Zed Entreprise for Windows (ANSSI qualification submission) before 6.1.2150, Zed Entreprise for Mac before 2.0.199, Zed Entreprise for Linux before 2.0.199, Zed Pro for Windows before 1.0.195, Zed Pro for Mac before 1.0.199, Zed Pro for Linux before 1.0.199, Zed Free for Windows before 1.0.195, Zed Free for Mac before 1.0.199, and Zed Free for Linux before 1.0.199. Analyzing a Zed container can lead to the disclosure of plaintext content of very small files (a few bytes) stored into it. | |||||
| CVE-2018-14979 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2019-02-22 | 1.9 LOW | 4.7 MEDIUM |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials. | |||||
| CVE-2016-3159 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Vm Server and 1 more | 2019-02-21 | 1.7 LOW | 3.8 LOW |
| The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. | |||||
| CVE-2018-1296 | 1 Apache | 1 Hadoop | 2019-02-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. | |||||
| CVE-2019-7628 | 1 Redhat | 1 Pagure | 2019-02-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.) | |||||
| CVE-2018-15656 | 1 42gears | 1 Suremdm | 2019-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email, where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specified e-mail address. The request must be made with an "apiKey" value in the "ApiKey" header. | |||||