Unknown · CVSS Not scored
The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.
Published Feb 20, 2019 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows a security feature bypass, due to how Edge handles different-origin requests, aka "Microsoft Edge Security Feature Bypass".
Published Feb 15, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
An issue was discovered in iDashboards 9.6b. It allows remote attackers to obtain sensitive information via a direct request for the idb/config?CMD=installLicense URI, as demonstrated by intranet IP addresses and names of guest accounts.
Published Feb 18, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref allows an attacker to cause denial of service because loop detection exists only for tables, not streams.
Published Feb 15, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
rdesktop versions up to and including v1.8.3 contain an Integer Overflow that leads to an Out-Of-Bounds Write in function process_bitmap_updates() and results in a memory corruption and possibly even a remote code execution.
Published Feb 5, 2019 · Updated Sep 17, 2024
Unknown · CVSS Not scored
LCDS Laquis SCADA prior to version 4.1.0.4150 allows the opening of a specially crafted report format file that may cause an out of bounds read, which may cause a system crash, allow data exfiltration, or remote code execution.
Published Feb 5, 2019 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.
Published Feb 20, 2019 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Windows kernel in Windows 10 versions 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to how objects in memory are handled, aka "Windows Kernel Elevation of Privilege Vulnerability".
Published Feb 15, 2018 · Updated Sep 17, 2024
Critical · CVSS 9.1
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
Published Feb 5, 2019 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Local Privilege Escalation in Kaspersky Secure Mail Gateway version 1.1.
Published Feb 6, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0861, and CVE-2018-0866.
Published Feb 15, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function rdpdr_process() that results in an information leak.
Published Feb 5, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function ui_clip_handle_data() that results in a memory corruption and probably even a remote code execution.
Published Feb 5, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
Published Feb 2, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In bta_ag_parse_cmer of bta_ag_cmd.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote code execution in the bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-112860487.
Published Feb 12, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5 and 5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138435.
Published Feb 27, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
ChakraCore allows remote code execution, due to how the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
Published Feb 13, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via a direct request to zb_system/function/lib/upload.php.
Published Feb 8, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft Windows 7 SP1 and Windows Server 2008 R2 allows information disclosure, due to how the Windows EOT font engine handles embedded fonts, aka "Windows EOT Font Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0755, CVE-2018-0760, and CVE-2018-0761.
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software delivers extra data with the buffer and does not properly validated the extra data, which may lead to denial of service or escalation of privileges. Android ID: A-80198474.
Published Feb 13, 2019 · Updated Sep 16, 2024
Medium · CVSS 4.3
IBM DataPower Gateway 2018.4.1.0, 7.6.0.0 through 7.6.0.11, 7.5.2.0 through 7.5.2.18, 7.5.1.0 through 7.5.1.18, 7.5.0.0 through 7.5.0.19, and 7.7.0.0 through 7.7.1.3 could allow an authenticated user to inject arbitrary messages that would be displayed on the UI. IBM X-Force ID: 144892.
Published Feb 7, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008264.
Published Feb 6, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
ATTO FibreBridge 7500N firmware version 2.95 is susceptible to a vulnerability which allows attackers to cause a Denial of Service (DoS).
Published Feb 12, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is Blind SQL Injection.
Published Feb 10, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Windows kernel in Windows 10 version 1709 and Windows Server, version 1709 allows an information disclosure vulnerability due to how objects in memory are handled, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0742, CVE-2018-0756, CVE-2018-0809 and CVE-2018-0820.
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Windows Common Log File System (CLFS) driver in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to how objects in memory are handled, aka "Windows Common Log File System Driver Elevation Of Privilege Vulnerability". This CVE is unique from CVE-2018-0846.
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP.
Published Feb 21, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
An Authentication Bypass issue exists in Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5.
Published Feb 12, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Microsoft Office 2007 SP2, Microsoft Office Word Viewer, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Microsoft Office 2016, and Microsoft Office 2016 Click-to-Run (C2R) allow a remote code execution vulnerability, due to how Office handles objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0852.
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server.
Published Feb 5, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Microsoft Identity Manager 2016 SP1 allows an attacker to gain elevated privileges when it does not properly sanitize a specially crafted attribute value being displayed to a user on an affected MIM 2016 server, aka "Microsoft Identity Manager XSS Elevation of Privilege Vulnerability."
Published Feb 26, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
Published Feb 21, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 devices allow authentication bypass via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php.
Published Feb 14, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function process_plane() that results in a memory corruption and probably even a remote code execution.
Published Feb 5, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via local access.
Published Feb 18, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SharePoint Server 2016 allows an elevation of privilege vulnerability due to how web requests are handled, aka "Microsoft SharePoint Elevation of Privilege Vulnerability".
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Symantec Ghost Solution Suite (GSS) versions prior to 3.3 RU1 may be susceptible to a DLL hijacking vulnerability, which is a type of issue whereby a potential attacker attempts to execute unexpected code on your machine. This occurs via placement of a potentially foreign file (DLL) that the attacker then attempts to run via a linked application.
Published Feb 8, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x80002054.
Published Feb 5, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008210.
Published Feb 6, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In bta_hh_ctrl_dat_act of bta_hh_act.cc in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-116108738.
Published Feb 12, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
LCDS Laquis SCADA prior to version 4.1.0.4150 allows an attacker using a specially crafted project file to supply a pointer for a controlled memory address, which may allow remote code execution, data exfiltration, or cause a system crash.
Published Feb 5, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
Published Feb 27, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, and CVE-2018-0861.
Published Feb 15, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
IBM Financial Transaction Manager 3.0.4 and 3.1.0 for ACH Services for Multi-Platform could allow an authenticated user to execute a specially crafted command that could cause a denial of service. IBM X-Force ID: 138376.
Published Feb 22, 2018 · Updated Sep 16, 2024
High · CVSS 8.8
An exploitable out of bounds write exists in the CAL parsing functionality of Canvas Draw version 5.0.0. A specially crafted CAL image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.
Published Feb 6, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Path Traversal vulnerability in Photo Station versions: 5.7.2 and earlier in QTS 4.3.4, 5.4.4 and earlier in QTS 4.3.3, 5.2.8 and earlier in QTS 4.2.6 could allow remote attackers to access sensitive information on the device.
Published Feb 1, 2019 · Updated Sep 16, 2024
Unknown · CVSS Not scored
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138821.
Published Feb 22, 2018 · Updated Sep 16, 2024
Unknown · CVSS Not scored
In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable.
Published Feb 6, 2018 · Updated Sep 16, 2024
Medium · CVSS 4
IBM Security Identity Manager 7.0.1 Virtual Appliance does not invalidate session tokens when the logout button is pressed. The lack of proper session termination may allow attackers with local access to login into a closed browser session. IBM X-Force ID: 153658.
Published Feb 4, 2019 · Updated Sep 16, 2024