SB19-063: Vulnerability Summary for the Week of February 25, 2019

advancemame — advancecomp
In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer overflow upon encountering an invalid PNG size, which results in an attempted memcpy to write into a buffer that is too small. (There is also a heap-based buffer over-read.)
Published: 2019-02-27 | CVSS: 4.3 | CVE-2019-9210
References for CVE-2019-9210: MLIST, MISC

auction_website_script_project — auction_website_script
PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment amount.
Published: 2019-02-23 | CVSS: 4.0 | CVE-2019-9063
References for CVE-2019-9063: MISC

b3log — symphony
An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.
Published: 2019-02-25 | CVSS: 4.3 | CVE-2019-9142
References for CVE-2019-9142: MISC

baigo — baigo_cms
An issue was discovered in baigo CMS 2.1.1. There is a persistent XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the opt[base][BG_SITE_NAME] parameter to the bg_console/index.php?m=opt&c=request URI.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2019-9226
References for CVE-2019-9226: MISC

british_airways — entertainment_system
The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft, does not prevent the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices, which allows physically proximate attackers to conduct unanticipated attacks against Entertainment applications, as demonstrated by using mouse copy-and-paste actions to trigger a Chat buffer overflow or possibly have unspecified other impact.
Published: 2019-02-22 | CVSS: 4.6 | CVE-2019-9019
References for CVE-2019-9019: MISC

ca — privileged_access_manager
An improper authentication vulnerability in CA Privileged Access Manager 3.x Web-UI jk-manager and jk-status allows a remote attacker to gain sensitive information or alter configuration.
Published: 2019-02-26 | CVSS: 6.4 | CVE-2019-7392
References for CVE-2019-7392: BID, MISC

cab_booking_script_project — cab_booking_script
PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9064
References for CVE-2019-9064: MISC

canonical — ubuntu_linux
A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.* This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2018-12393
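The AdvanceCOMP entry (CVE-2019-9210) and the Firefox 32-bit UTF-16 entry (CVE-2018-12393) above describe the same defect: a byte count computed from untrusted input wraps, the allocation is made from the wrapped value, and a later memcpy writes the real payload past the end. The block below is an added example, not code from AdvanceCOMP, Mozilla or any project in this bulletin; all function names are hypothetical, and it uses the GCC/Clang `__builtin_mul_overflow` intrinsic for the checked arithmetic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example (not AdvanceCOMP or Firefox code; names are hypothetical).
 * CVE-2019-9210 and CVE-2018-12393 share one root cause: a byte count
 * derived from untrusted input (PNG dimensions, script length) overflows
 * the integer it is computed in, the buffer is allocated from that wrapped
 * value, and a later memcpy writes the full payload past its end. */

/* Vulnerable pattern: 32-bit arithmetic on attacker-controlled dimensions.
 * width = height = 0x10000 with 4 bytes per pixel needs 2^34 bytes, but
 * the product wraps to 0 in a uint32_t. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;            /* wraps silently */
}

/* Hardened: every multiplication is overflow-checked and the result is
 * capped at what the caller is prepared to allocate. Returns 0 on failure
 * (never a valid size here, since zero dimensions are rejected). */
size_t image_bytes_checked(size_t width, size_t height, size_t bpp, size_t limit)
{
    size_t pixels, bytes;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (__builtin_mul_overflow(width, height, &pixels))
        return 0;
    if (__builtin_mul_overflow(pixels, bpp, &bytes))
        return 0;
    if (bytes > limit)
        return 0;
    return bytes;
}

/* Copy only what the destination was sized for; the payload length also
 * comes from the file, so it is checked against the computed size. */
int copy_pixels(uint8_t *dst, size_t dst_len, const uint8_t *src, size_t src_len)
{
    if (src_len > dst_len)
        return -1;
    if (src_len != 0)
        memcpy(dst, src, src_len);
    return 0;
}

/* End-to-end decode step: validate the size, allocate, then copy.
 * Returns 0 on success, -1 if the header or payload is rejected. */
int decode_image(uint32_t width, uint32_t height,
                 const uint8_t *payload, size_t payload_len)
{
    size_t need = image_bytes_checked(width, height, 4, (size_t)64 << 20); /* 64 MiB cap */
    if (need == 0)
        return -1;
    uint8_t *buf = malloc(need);
    if (buf == NULL)
        return -1;
    int rc = copy_pixels(buf, need, payload, payload_len);
    free(buf);
    return rc;
}

int main(void)
{
    printf("unchecked 65536x65536x4 -> %u bytes (wrapped)\n",
           image_bytes_unchecked(0x10000, 0x10000, 4));
    printf("checked   65536x65536x4 -> %s\n",
           image_bytes_checked(0x10000, 0x10000, 4, (size_t)64 << 20) ? "ok" : "rejected");
    return 0;
}
```

The cap matters as much as the overflow check: on a 64-bit build the multiplication may not wrap at all, but a 16 GiB allocation driven by a 13-byte header is still a denial of service, which is why the Firefox advisory could say 64-bit builds were unaffected by the overflow while the AdvanceCOMP fix still needed a sanity limit.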
References for CVE-2018-12393: BID ×2, SECTRACK, REDHAT ×4, CONFIRM ×4, MLIST ×2, GENTOO ×2, UBUNTU ×2, DEBIAN ×2

carel — pcoweb_card_firmware
The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring “party mode” or “vacation mode.”
Published: 2019-03-01 | CVSS: 5.0 | CVE-2019-9484
References for CVE-2019-9484: MISC

cisco — spa112_firmware
A vulnerability in the certificate handling component of the Cisco SPA112, SPA525, and SPA5X5 Series IP Phones could allow an unauthenticated, remote attacker to listen to or control some aspects of a Transport Layer Security (TLS)-encrypted Session Initiation Protocol (SIP) conversation. The vulnerability is due to the improper validation of server certificates. An attacker could exploit this vulnerability by crafting a malicious server certificate to present to the client. An exploit could allow an attacker to eavesdrop on TLS-encrypted traffic and potentially route or redirect calls initiated by an affected device. Affected software includes version 7.6.2 of the Cisco Small Business SPA525 Series IP Phones and Cisco Small Business SPA5X5 Series IP Phones and version 1.4.2 of the Cisco Small Business SPA500 Series IP Phones and Cisco Small Business SPA112 Series IP Phones.
Published: 2019-02-25 | CVSS: 5.8 | CVE-2019-1683
References for CVE-2019-1683: BID, CISCO

citrix — netscaler_application_delivery_controller_firmware
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 allow remote attackers to obtain sensitive plaintext information because of a TLS Padding Oracle Vulnerability when CBC-based cipher suites are enabled.
Published: 2019-02-22 | CVSS: 4.3 | CVE-2019-6485
References for CVE-2019-6485: BID, MISC ×2

cordaware — bestinformed
The Scripting and AutoUpdate functionality in Cordaware bestinformed Microsoft Windows client versions before 6.2.1.0 is affected by insecure implementations that allow remote attackers to execute arbitrary commands and escalate privileges.
Published: 2019-02-25 | CVSS: 4.6 | CVE-2019-6265
References for CVE-2019-6265: MISC

custom_t-shirt_ecommerce_script_project — custom_t-shirt_ecommerce_script
PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount.
Published: 2019-02-23 | CVSS: 4.0 | CVE-2019-9065
References for CVE-2019-9065: MISC

d-link — dir-825_rev.b_firmware
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the ntp_server parameter in an ntp_sync.cgi POST request.
Published: 2019-02-25 | CVSS: 6.5 | CVE-2019-9122
References for CVE-2019-9122: MISC

d-link — dir-825_rev.b_firmware
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is an information disclosure vulnerability via requests for the router_info.xml document. This will reveal the PIN code, MAC address, routing table, firmware version, update time, QOS information, LAN information, and WLAN information of the device.
Published: 2019-02-25 | CVSS: 5.0 | CVE-2019-9126
References for CVE-2019-9126: MISC

deltaww — screeneditor
Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.84 and prior. An out-of-bounds read vulnerability may cause the software to crash due to lacking user input validation for processing project files.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2019-6547
References for CVE-2019-6547: BID, MISC

etsi — enterprise_transport_security
The ETSI Enterprise Transport Security (ETS, formerly known as eTLS) protocol does not provide per-session forward secrecy.
Published: 2019-02-26 | CVSS: 4.3 | CVE-2019-9191
References for CVE-2019-9191: BID, MISC

exiv2 — exiv2
An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Published: 2019-02-25 | CVSS: 6.8 | CVE-2019-9143
References for CVE-2019-9143: BID, MISC ×2

exiv2 — exiv2
An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Published: 2019-02-25 | CVSS: 6.8 | CVE-2019-9144
References for CVE-2019-9144: BID, MISC ×2

f5 — big-ip_access_policy_manager
On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles.
Published: 2019-02-26 | CVSS: 6.4 | CVE-2019-6592
References for CVE-2019-6592: BID, CONFIRM

f5 — big-ip_access_policy_manager
On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server’s private key itself. (CVE-2019-6593 is also known as Zombie POODLE and GOLDENDOODLE.)
Published: 2019-02-26 | CVSS: 4.3 | CVE-2019-6593
References for CVE-2019-6593: CONFIRM

f5 — big-ip_access_policy_manager
On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances.
Published: 2019-02-26 | CVSS: 4.3 | CVE-2019-6594
References for CVE-2019-6594: CONFIRM

f5 — big-ip_access_policy_manager
Cross-site scripting (XSS) vulnerability in F5 BIG-IP Access Policy Manager (APM) 11.5.x and 11.6.x Admin Web UI.
Published: 2019-02-26 | CVSS: 4.3 | CVE-2019-6595
References for CVE-2019-6595: BID, CONFIRM

freedesktop — poppler
A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Published: 2019-02-26 | CVSS: 6.8 | CVE-2019-9200
References for CVE-2019-9200: BID, MISC ×2

gnu — binutils
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.
Published: 2019-02-23 | CVSS: 6.8 | CVE-2019-9070
References for CVE-2019-9070: BID, MISC ×2

gnu — binutils
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.
Published: 2019-02-23 | CVSS: 4.3 | CVE-2019-9071
References for CVE-2019-9071: BID, MISC ×2

gnu — binutils
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.
Published: 2019-02-23 | CVSS: 4.3 | CVE-2019-9072
References for CVE-2019-9072: MISC ×3

gnu — binutils
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.
Published: 2019-02-23 | CVSS: 4.3 | CVE-2019-9073
References for CVE-2019-9073: MISC

gnu — binutils
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.
Published: 2019-02-23 | CVSS: 4.3 | CVE-2019-9074
References for CVE-2019-9074: MISC

gnu — binutils
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
Published: 2019-02-23 | CVSS: 6.8 | CVE-2019-9075
References for CVE-2019-9075: MISC

gnu — binutils
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.
Published: 2019-02-23 | CVSS: 4.3 | CVE-2019-9076
References for CVE-2019-9076: MISC

gnu — binutils
An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.
Published: 2019-02-23 | CVSS: 6.8 | CVE-2019-9077
References for CVE-2019-9077: BID, MISC

gnu — glibc
In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
Published: 2019-02-25 | CVSS: 5.0 | CVE-2009-5155
References for CVE-2009-5155: MISC ×7

gnu — glibc
In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.
Published: 2019-02-25 | CVSS: 5.0 | CVE-2018-20796
References for CVE-2018-20796: BID, MISC ×2

gnu — glibc
** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.
Published: 2019-02-26 | CVSS: 5.0 | CVE-2019-9192
References for CVE-2019-9192: MISC

gnu — pspp
There is a reachable assertion abort in the function write_long_string_missing_values() in data/sys-file-writer.c in libdata.a in GNU PSPP 1.2.0 that will lead to denial of service.
Published: 2019-02-27 | CVSS: 4.3 | CVE-2019-9211
References for CVE-2019-9211: BID, MISC

google — android
In random_get_bytes of random.c, there is a possible degradation of randomness due to an insecure default value. This could lead to local information disclosure via an insecure wireless connection with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-117508900.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2019-1997
References for CVE-2019-1997: BID, CONFIRM

google — android
In event_handler of keymaster_app.c, there is possible resource exhaustion due to a table being lost on reboot. This could lead to local denial of service that is not fixed by a factory reset, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116055338.
Published: 2019-02-28 | CVSS: 4.9 | CVE-2019-1998
References for CVE-2019-1998: BID, CONFIRM

gurock — testrail
An issue was discovered in Gurock TestRail 5.6.0.3853. An “Unrestricted Upload of File” vulnerability exists in the image-upload form (available in the description editor), allowing remote authenticated users to execute arbitrary code by uploading an image file with an executable extension but a safe Content-Type value, and then accessing it via a direct request to the file in the file-upload directory (if it’s accessible according to the server configuration).
Published: 2019-02-25 | CVSS: 6.5 | CVE-2018-20063
References for CVE-2018-20063: MISC

hdfgroup — hdf5
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5VM_memcpyvv in H5VM.c when called from H5D__compact_readvv in H5Dcompact.c.
Published: 2019-02-25 | CVSS: 6.8 | CVE-2019-9151
References for CVE-2019-9151: MISC

hdfgroup — hdf5
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5MM_xstrdup in H5MM.c when called from H5O_dtype_decode_helper in H5Odtype.c.
Published: 2019-02-25 | CVSS: 6.8 | CVE-2019-9152
References for CVE-2019-9152: MISC

hornerautomation — cscape
Cscape, 9.80 SP4 and prior. An improper input validation vulnerability may be exploited by processing specially crafted POC files. This may allow an attacker to read confidential information and remotely execute arbitrary code.
Published: 2019-02-28 | CVSS: 6.8 | CVE-2019-6555
References for CVE-2019-6555: BID, MISC

hsycms — hsycms
An issue was discovered in Hsycms V1.1. There is an XSS vulnerability via the name field to the /book page.
Published: 2019-02-25 | CVSS: 4.3 | CVE-2019-9145
References for CVE-2019-9145: MISC

ibm — bigfix_platform
IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remotely and gather information about the updates and fixlets deployed to the associated sites, because authenticated relay access is not enabled. IBM X-Force ID: 156869.
Published: 2019-02-27 | CVSS: 5.0 | CVE-2019-4061
References for CVE-2019-4061: CONFIRM, BID, XF

leonerd — libvterm
libvterm through 0+bzr726, as used in Vim and other products, mishandles certain out-of-memory conditions, leading to a denial of service (application crash), related to screen.c, state.c, and vterm.c.
Published: 2019-02-24 | CVSS: 5.0 | CVE-2018-20786
References for CVE-2018-20786: MISC ×2

libming — ming
Ming (aka libming) 0.4.8 has a NULL pointer dereference in the function getString() in the decompile.c file in libutil.a.
Published: 2019-02-24 | CVSS: 6.8 | CVE-2019-9113
References for CVE-2019-9113: MISC

libming — ming
Ming (aka libming) 0.4.8 has an out of bounds write vulnerability in the function strcpyext() in the decompile.c file in libutil.a.
Published: 2019-02-24 | CVSS: 6.8 | CVE-2019-9114
References for CVE-2019-9114: MISC

linux — linux_kernel
In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
Published: 2019-02-25 | CVSS: 4.6 | CVE-2019-9162
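The kernel entry above (CVE-2019-9162) is an "ASN.1 length check" bug: a BER length taken from the packet is used as an index before it is compared with what is actually left in the buffer. The block below is an added example of the check that class of parser needs; it is not the kernel's nf_nat_snmp_basic code, the function names are hypothetical, and the sample inputs are constructed, not captured SNMP traffic. The walker assumes single-octet tags, which is all SNMP uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's nf_nat_snmp_basic code; function names are
 * hypothetical. It shows the check that bug class needs: a BER length is read
 * (short or long form), then compared with what actually remains in the
 * buffer before any index derived from it is used. */

/* Decode one BER length field at buf[*pos]. On success stores the content
 * length in *len, advances *pos past the length octets and returns 0;
 * returns -1 if the encoding is malformed, indefinite, or the content would
 * run past end. Callers may rely on *len <= end - *pos afterwards. */
int ber_read_length(const uint8_t *buf, size_t end, size_t *pos, size_t *len)
{
    if (*pos >= end)
        return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) {                         /* short form: 0..127 */
        *len = b;
    } else {
        size_t n = b & 0x7f;                /* long form: n big-endian octets follow */
        if (n == 0 || n > sizeof(size_t) || n > end - *pos)
            return -1;                      /* indefinite form or truncated length */
        size_t v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[(*pos)++];
        *len = v;
    }
    /* the check the vulnerable code lacked: content must fit in the buffer */
    if (*len > end - *pos)
        return -1;
    return 0;
}

/* Walk a run of TLVs and count them, or return -1 on the first bad length.
 * Every jump uses a length that ber_read_length has already bounded. */
int ber_count_elements(const uint8_t *buf, size_t end)
{
    size_t pos = 0;
    int count = 0;
    while (pos < end) {
        pos++;                              /* single-octet tag (SNMP never uses long tags) */
        size_t len;
        if (ber_read_length(buf, end, &pos, &len) != 0)
            return -1;
        pos += len;                         /* safe: len <= end - pos */
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[]         = { 0x02, 0x01, 0x05, 0x04, 0x02, 'h', 'i' }; /* INTEGER 5, OCTET STRING "hi" */
static const uint8_t SAMPLE_LONGFORM[]   = { 0x04, 0x81, 0x02, 'a', 'b' };             /* long-form length 2 */
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x04, 0x05, 'h', 'i' };                   /* claims 5 bytes, has 2 */
static const uint8_t SAMPLE_HUGE[]       = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff };     /* length 0xffffffff */
static const uint8_t SAMPLE_INDEFINITE[] = { 0x30, 0x80, 0x00, 0x00 };                 /* BER indefinite form */

int main(void)
{
    printf("ok=%d longform=%d truncated=%d huge=%d indefinite=%d\n",
           ber_count_elements(SAMPLE_OK, sizeof SAMPLE_OK),
           ber_count_elements(SAMPLE_LONGFORM, sizeof SAMPLE_LONGFORM),
           ber_count_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           ber_count_elements(SAMPLE_HUGE, sizeof SAMPLE_HUGE),
           ber_count_elements(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE));
    return 0;
}
```

The subtraction `end - *pos` is only safe because `*pos` is verified to be within the buffer first; comparing `*pos + *len > end` instead would reintroduce an overflow on the huge-length sample.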
References for CVE-2019-9162: MISC, BID, MISC ×4

maccms — maccms
Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key).
Published: 2019-02-27 | CVSS: 4.3 | CVE-2019-8410
References for CVE-2019-8410: MISC

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a heap-based buffer overflow in the function InflateVarName() in inflate.c when called from ReadNextCell in mat5.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9026
References for CVE-2019-9026: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a heap-based buffer overflow problem in the function ReadNextCell() in mat5.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9027
References for CVE-2019-9027: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a stack-based buffer over-read in the function InflateDimensions() in inflate.c when called from ReadNextCell in mat5.c.
Published: 2019-02-23 | CVSS: 6.4 | CVE-2019-9028
References for CVE-2019-9028: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is an out-of-bounds read with a SEGV in the function Mat_VarReadNextInfo5() in mat5.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9029
References for CVE-2019-9029: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a stack-based buffer over-read in Mat_VarReadNextInfo5() in mat5.c.
Published: 2019-02-23 | CVSS: 6.4 | CVE-2019-9030
References for CVE-2019-9030: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a NULL pointer dereference in the function Mat_VarFree() in mat.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9031
References for CVE-2019-9031: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is an out-of-bounds write problem causing a SEGV in the function Mat_VarFree() in mat.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9032
References for CVE-2019-9032: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a stack-based buffer over-read for the “Rank and Dimension” feature in the function ReadNextCell() in mat5.c.
Published: 2019-02-23 | CVSS: 6.4 | CVE-2019-9033
References for CVE-2019-9033: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a stack-based buffer over-read for a memcpy in the function ReadNextCell() in mat5.c.
Published: 2019-02-23 | CVSS: 6.4 | CVE-2019-9034
References for CVE-2019-9034: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a stack-based buffer over-read in the function ReadNextStructField() in mat5.c.
Published: 2019-02-23 | CVSS: 6.4 | CVE-2019-9035
References for CVE-2019-9035: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a heap-based buffer overflow in the function ReadNextFunctionHandle() in mat5.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9036
References for CVE-2019-9036: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a buffer over-read in the function Mat_VarPrint() in mat.c.
Published: 2019-02-23 | CVSS: 6.4 | CVE-2019-9037
References for CVE-2019-9037: MISC ×2

matio_project — matio
An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is an out-of-bounds read problem with a SEGV in the function ReadNextCell() in mat5.c.
Published: 2019-02-23 | CVSS: 5.0 | CVE-2019-9038
References for CVE-2019-9038: MISC ×2

mcafee — agent
Buffer Access with Incorrect Length Value in McAfee Agent (MA) 5.x allows remote unauthenticated users to potentially cause a denial of service via specifically crafted UDP packets.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2019-3598
References for CVE-2019-3598: BID, CONFIRM

mcafee — agent
Information Disclosure vulnerability in Remote logging (which is disabled by default) in McAfee Agent (MA) 5.x allows remote unauthenticated users to access sensitive information via remote logging when it is enabled.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2019-3599
References for CVE-2019-3599: CONFIRM

mcafee — endpoint_security
Privilege Escalation vulnerability in Microsoft Windows client in McAfee Endpoint Security (ENS) 10.6.1 and earlier allows local users to gain elevated privileges via a specific set of circumstances.
Published: 2019-02-28 | CVSS: 6.1 | CVE-2019-3582
References for CVE-2019-3582: CONFIRM

micode — xiaomi_perseus-p-oss
drivers/leds/leds-aw2023.c in the led driver for custom Linux kernels on the Xiaomi Redmi 6pro daisy-o-oss phone has several integer overflows because of a left-shifting operation whose right-hand operand can be equal to or greater than the width of the integer type. This can be exploited by a crafted application for denial of service.
Published: 2019-02-24 | CVSS: 4.3 | CVE-2018-20788
References for CVE-2018-20788: MISC

mozilla — firefox
Mozilla developers and community members reported memory safety bugs present in Firefox 62. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 6.8 | CVE-2018-12388
References for CVE-2018-12388: BID, SECTRACK, CONFIRM ×2, UBUNTU

mozilla — firefox
By rewriting the Host: request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2018-12395
References for CVE-2018-12395: BID, SECTRACK, REDHAT ×2, CONFIRM ×3, MLIST, GENTOO, UBUNTU, DEBIAN

mozilla — firefox
A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-12396
References for CVE-2018-12396: BID, SECTRACK, REDHAT ×2, CONFIRM ×3, MLIST, GENTOO, UBUNTU, DEBIAN

mozilla — firefox
By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-12398
References for CVE-2018-12398: BID, SECTRACK, CONFIRM ×3, UBUNTU

mozilla — firefox
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-12399
References for CVE-2018-12399: BID, SECTRACK, CONFIRM ×2, UBUNTU

mozilla — firefox
In private browsing mode on Firefox for Android, favicons are cached in the cache/icons folder as they are in non-private mode. This allows information leakage of sites visited during private browsing sessions. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.* This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2018-12400
References for CVE-2018-12400: BID, SECTRACK, CONFIRM ×2

mozilla — firefox
Some special resource URIs will cause a non-exploitable crash if loaded with optional parameters following a ‘?’ in the parsed string. This could lead to denial of service (DOS) attacks. This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2018-12401
References for CVE-2018-12401: BID, SECTRACK, CONFIRM ×2, UBUNTU

mozilla — firefox
The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of “Save Page As…” functionality. For example, a malicious page could recover a visitor’s Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the “Save Page As…” menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-12402
References for CVE-2018-12402: BID, SECTRACK, CONFIRM ×3, UBUNTU

mozilla — firefox
If a site is loaded over an HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. This vulnerability affects Firefox < 63.
Published: 2019-02-28 | CVSS: 5.0 | CVE-2018-12403
References for CVE-2018-12403: BID, SECTRACK, CONFIRM ×2, UBUNTU

mozilla — firefox
Mozilla developers and community members reported memory safety bugs present in Firefox 63. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 64.
Published: 2019-02-28 | CVSS: 6.8 | CVE-2018-12406
References for CVE-2018-12406: BID, CONFIRM ×2, UBUNTU

mozilla — firefox
A same-origin policy violation allowing the theft of cross-origin URL entries when using the JavaScript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-18494
References for CVE-2018-18494: BID, REDHAT ×4, CONFIRM ×4, MLIST, UBUNTU ×2, DEBIAN ×2

mozilla — firefox
WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions. This could allow an extension to interfere with the loading and usage of these pages and use capabilities that were intended to be restricted from extensions. This vulnerability affects Firefox < 64.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-18495
BID
CONFIRM
UBUNTU
CONFIRM mozilla — firefox When the RSS Feed preview about:feeds page is framed within another page, it can be used in concert with scripted content for a clickjacking attack that confuses users into downloading and executing an executable file from a temporary directory. *Note: This issue only affects Windows operating systems. Other operating systems are not affected.*. This vulnerability affects Firefox < 64. 2019-02-28 6.8 CVE-2018-18496
References for CVE-2018-18496: BID, CONFIRM ×2

mozilla — firefox
Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This vulnerability affects Firefox < 64.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-18497
References for CVE-2018-18497: BID, CONFIRM ×2, UBUNTU

mozilla — firefox
A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.
Published: 2019-02-28 | CVSS: 4.3 | CVE-2018-18499
References for CVE-2018-18499: CONFIRM ×4

mozilla — firefox_esr
Mozilla developers and community members reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.3 and Thunderbird < 60.3.
Published: 2019-02-28 | CVSS: 6.8 | CVE-2018-12389
References for CVE-2018-12389: BID ×2, SECTRACK, REDHAT ×4, CONFIRM ×3, MLIST ×2, GENTOO ×2, UBUNTU, DEBIAN ×2

neatorobotics — botvac_connected_firmware
Secure boot bypass and memory extraction can be achieved on Neato Botvac Connected 2.2.0 devices. During startup, the AM335x secure boot feature decrypts and executes firmware. Secure boot can be bypassed by starting with certain commands to the USB serial port. Although a power cycle occurs, this does not completely reset the chip: memory contents are still in place. Also, it restarts into a boot menu that enables XMODEM upload and execution of an unsigned QNX IFS system image, thereby completing the bypass of secure boot. Moreover, the attacker can craft custom IFS data and write it to unused memory to extract all memory contents that had previously been present. This includes the original firmware and sensitive information such as Wi-Fi credentials.
Published: 2019-02-23 | CVSS: 4.4 | CVE-2018-20785
References for CVE-2018-20785: MISC

netapp — clustered_data_ontap
Clustered Data ONTAP versions prior to 9.1P15 and 9.3 prior to 9.3P7 are susceptible to a vulnerability which discloses sensitive information to an unauthenticated user.
Published: 2019-02-27 | CVSS: 5.0 | CVE-2019-5491
References for CVE-2019-5491: BID, CONFIRM

netgate — pfsense
The expiretable configuration in pfSense 2.4.4_1 establishes block durations that are incompatible with the block durations implemented by sshguard, which might make it easier for attackers to bypass intended access restrictions.
Published: 2019-03-01 | CVSS: 5.0 | CVE-2018-20798
References for CVE-2018-20798: MISC

nvidia — gpu_driver
NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not release a resource after its effective lifetime has ended, which may lead to denial of service.
Published: 2019-02-27 | CVSS: 4.9 | CVE-2019-5671
References for CVE-2019-5671: CONFIRM

online_food_ordering_script_project — online_food_ordering_script
PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.
Published: 2019-02-23 | CVSS: 6.0 | CVE-2019-9062
References for CVE-2019-9062: MISC

openssl — openssl
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable “non-stitched” ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
Published: 2019-02-27 | CVSS: 4.3 | CVE-2019-1559
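The OpenSSL entry above (CVE-2019-1559), like the Citrix NetScaler (CVE-2019-6485) and F5 BIG-IP (CVE-2019-6593) entries earlier in this bulletin, turns on the receiver letting a peer distinguish "bad padding" from "bad MAC" on a CBC record. The block below is an added model of that oracle shape and of the uniform-failure shape that closes it; it is not OpenSSL, Citrix or F5 code, the function names are hypothetical, the record layout is the TLS CBC convention (plaintext, MAC, padding, padding-length byte), and the MAC is a toy checksum standing in for HMAC so the file runs stand-alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example: a model of the oracle shape behind CVE-2019-1559 (and of the
 * CBC padding-oracle class in the Citrix CVE-2019-6485 and F5 CVE-2019-6593
 * entries), not OpenSSL, Citrix or F5 code. A decrypted TLS CBC record is
 * plaintext || MAC || padding bytes || padding-length byte. If the receiver
 * reports "bad padding" and "bad MAC" differently (or skips the MAC when
 * padding fails), the peer can tell the two apart and decrypt byte by byte.
 * The MAC here is a toy checksum so the file is self-contained. */

#define MAC_LEN 4
enum { REC_OK = 0, REC_BAD_PADDING = -1, REC_BAD_MAC = -2, REC_BAD_RECORD = -3 };

/* Toy keyed checksum (FNV-1a over key || data). Stands in for HMAC only. */
static void toy_mac(const uint8_t key[8], const uint8_t *data, size_t len, uint8_t out[MAC_LEN])
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 8; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    for (size_t i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Vulnerable shape: padding is checked first with an early exit and its own
 * error code, and the MAC is computed only if padding was valid. */
int check_record_leaky(const uint8_t key[8], const uint8_t *rec, size_t n)
{
    if (n < MAC_LEN + 1)
        return REC_BAD_RECORD;
    size_t pad = rec[n - 1];
    if (pad + 1 + MAC_LEN > n)
        return REC_BAD_PADDING;
    for (size_t i = 0; i <= pad; i++)
        if (rec[n - 1 - i] != pad)
            return REC_BAD_PADDING;
    size_t data_len = n - 1 - pad - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, data_len, mac);
    if (memcmp(mac, rec + data_len, MAC_LEN) != 0)
        return REC_BAD_MAC;
    return REC_OK;
}

/* Hardened shape: padding and MAC failures are folded into one result, the
 * padding check has no early exit, and the MAC is always computed. (A fully
 * constant-time CBC check, as in the Lucky 13 fixes, also needs the MAC to
 * be computed over a length independent of the padding; that is beyond this
 * model.) */
int check_record_uniform(const uint8_t key[8], const uint8_t *rec, size_t n)
{
    if (n < MAC_LEN + 1)
        return REC_BAD_RECORD;
    size_t pad = rec[n - 1];
    uint8_t bad = 0;
    if (pad + 1 + MAC_LEN > n) {            /* impossible padding: remember it, carry on */
        bad = 1;
        pad = 0;
    }
    for (size_t i = 0; i <= pad; i++)
        bad |= (uint8_t)(rec[n - 1 - i] ^ (uint8_t)pad);
    size_t data_len = n - 1 - pad - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, data_len, mac);
    for (size_t i = 0; i < MAC_LEN; i++)
        bad |= (uint8_t)(mac[i] ^ rec[data_len + i]);
    return bad ? REC_BAD_RECORD : REC_OK;
}

/* Builds a decrypted-record image: data || MAC || pad bytes || pad length. */
static size_t build_record(const uint8_t key[8], const uint8_t *data, size_t len,
                           uint8_t pad, uint8_t *out)
{
    if (len != 0)
        memcpy(out, data, len);
    toy_mac(key, data, len, out + len);
    memset(out + len + MAC_LEN, pad, (size_t)pad + 1);
    return len + MAC_LEN + (size_t)pad + 1;
}

/* Driver over a zero-length record (the case named in CVE-2019-1559).
 * corrupt: 0 = intact, 1 = padding-length byte, 2 = first MAC byte.
 * Returns the chosen checker's result code. */
int demo_outcome(int corrupt, int use_uniform)
{
    static const uint8_t key[8] = { 'k', '3', 'y', '-', 'd', 'e', 'm', 'o' }; /* constructed */
    uint8_t rec[32];
    size_t n = build_record(key, NULL, 0, 3, rec);
    if (corrupt == 1)
        rec[n - 1] = 0x3f;                  /* padding now claims more than the record holds */
    if (corrupt == 2)
        rec[0] ^= 0x01;                     /* with no data, byte 0 is the first MAC byte */
    return use_uniform ? check_record_uniform(key, rec, n)
                       : check_record_leaky(key, rec, n);
}

int main(void)
{
    printf("leaky:   intact=%d bad-pad=%d bad-mac=%d\n",
           demo_outcome(0, 0), demo_outcome(1, 0), demo_outcome(2, 0));
    printf("uniform: intact=%d bad-pad=%d bad-mac=%d\n",
           demo_outcome(0, 1), demo_outcome(1, 1), demo_outcome(2, 1));
    return 0;
}
```

The leaky checker returns two different codes for the two corruptions; the uniform one returns the same code for both, which is the property the advisory says an application must preserve when it relays results to the peer. The OpenSSL bug was at the library boundary (the second SSL_shutdown() after a fatal error), so the application-side fix in the advisory is simply not to call SSL_shutdown() once a fatal protocol error has been seen.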
References for CVE-2019-1559: BID, CONFIRM ×3, MLIST, UBUNTU, DEBIAN

php — php
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.
Published: 2019-02-22 | CVSS: 5.0 | CVE-2019-9022
References for CVE-2019-9022: MISC, DEBIAN

php — php
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.
Published: 2019-02-22 | CVSS: 5.0 | CVE-2019-9024
References for CVE-2019-9024: BID, MISC, DEBIAN

pluck-cms — pluck
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI.
Published: 2019-02-23 | CVSS: 5.8 | CVE-2019-9048
References for CVE-2019-9048: MISC

pluck-cms — pluck
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI.
Published: 2019-02-23 | CVSS: 5.8 | CVE-2019-9049
References for CVE-2019-9049: MISC

pluck-cms — pluck
An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed.
Published: 2019-02-23 | CVSS: 6.5 | CVE-2019-9050
References for CVE-2019-9050: MISC

pluck-cms — pluck
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI.
Published: 2019-02-23 | CVSS: 5.8 | CVE-2019-9051
References for CVE-2019-9051: MISC

pluck-cms — pluck
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI.
Published: 2019-02-23 | CVSS: 5.8 | CVE-2019-9052
References for CVE-2019-9052: MISC

podofo_project — podofo
An issue was discovered in PoDoFo 0.9.6. There is an attempted excessive memory allocation in PoDoFo::podofo_calloc in base/PdfMemoryManagement.cpp when called from PoDoFo::PdfPredictorDecoder::PdfPredictorDecoder in base/PdfFiltersPrivate.cpp.
Published: 2019-02-27 | CVSS: 4.3 | CVE-2018-20797
References for CVE-2018-20797: MISC

podofo_project — podofo
PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Published: 2019-02-26 | CVSS: 6.8 | CVE-2019-9199
References for CVE-2019-9199: MISC ×2

qualcomm — ipq8074_firmware
Use of a non-time-constant memcmp function creates a side channel that leaks information and leads to cryptographic issues in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MDM9655, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 800, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Published: 2019-02-25 | CVSS: 4.9 | CVE-2018-11820
BID
CONFIRM qualcomm — ipq8074_firmware Bytes can be written to fuses from Secure region which can be read later by HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. 2019-02-25 4.9 CVE-2018-11864
BID
CONFIRM qualcomm — ipq8074_firmware Improper input validation for argument received from HLOS can lead to buffer overflows and unexpected behavior in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. 2019-02-25 4.6 CVE-2018-11938
BID
CONFIRM qualcomm — mdm9150_firmware Usage of non-time-constant comparison functions can lead to information leakage through side channel analysis in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in versions MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. 2019-02-25 4.9 CVE-2018-11845
BID
CONFIRM qualcomm — mdm9150_firmware Improper validation of array index can lead to unauthorized access while processing debugFS in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in version MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. 2019-02-25 4.6 CVE-2018-13913
CONFIRM qualcomm — mdm9150_firmware Lack of input validation for data received from user space can lead to an out of bound array issue in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in version MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 636, SD 820A, SD 835, SDM630, SDM660, SDX20. 2019-02-25 4.6 CVE-2018-13914
CONFIRM qualcomm — mdm9150_firmware Improperly configured memory protection allows read/write access to modem image from HLOS kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9150, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8996AU, QCS605, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SXR1130. 2019-02-25 6.6 CVE-2018-5839
BID
CONFIRM qualcomm — mdm9607_firmware Improper input validation might result in incorrect app id returned to the caller Instead of returning failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9607, MDM9650, MDM9655, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 615/16/SD 415, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM630, SDM660, SXR1130. 2019-02-25 5.0 CVE-2018-11935
BID
CONFIRM qualcomm — mdm9650_firmware Improper input validation can lead RW access to secure subsystem from HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9650, MDM9655, MSM8996AU, QCS605, SD 410/12, SD 615/16/SD 415, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SXR1130. 2019-02-25 6.4 CVE-2018-11932
BID
CONFIRM qualcomm — msm8996au_firmware Exceeding the limit of usage entries are not tracked and the information will be lost causing the content to lose continuity in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in versions MSM8996AU, QCS605, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. 2019-02-25 4.9 CVE-2018-11948
BID
CONFIRM s-cms — s-cms S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332. 2019-02-23 6.8 CVE-2019-9040
MISC schoolcms — schoolcms SchoolCMS version 2.3.1 allows file upload via the logo upload feature at admin.php?m=admin&c=site&a=save by using the .jpg extension, changing the Content-Type to image/php, and placing PHP code after the JPEG data. This ultimately allows execution of arbitrary PHP code. 2019-02-26 6.5 CVE-2019-9181
MISC semcosoft — semcosoft A reflected Cross-Site scripting (XSS) vulnerability in SEMCO Semcosoft 5.3 allows remote attackers to inject arbitrary web scripts or HTML via the username parameter to the Login Form. 2019-02-23 4.3 CVE-2018-18692
MISC sitemagic — sitemagic_cms An issue was discovered in Sitemagic CMS v4.4. In the index.php?SMExt=SMFiles URI, the user can upload a .php file to execute arbitrary code, as demonstrated by 404.php. 2019-02-23 6.5 CVE-2019-9042
MISC sublimetext — sublime_text_3 ** DISPUTED ** DLL hijacking is possible in Sublime Text 3 version 3.1.1 build 3176 on 32-bit Windows platforms because a Trojan horse api-ms-win-core-fibers-l1-1-1.dll or api-ms-win-core-localization-l1-2-1.dll file may be loaded if a victim uses sublime_text.exe to open a .txt file within an attacker’s %LOCALAPPDATA%\Temp\sublime_text folder. NOTE: the vendor’s position is “This does not appear to be a bug with Sublime Text, but rather one with Windows that has been patched.” 2019-02-25 6.8 CVE-2019-9116
MISC tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary directory as a consequence of a paths[0] path traversal mitigation bypass through the delete_folder action in execute.php. 2019-02-25 6.4 CVE-2018-20789
EXPLOIT-DB tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass through the delete_file action in execute.php. 2019-02-25 6.4 CVE-2018-20790
EXPLOIT-DB tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows XSS via a media file upload with an XSS payload in the name, because of mishandling of the media_preview action. 2019-02-25 4.3 CVE-2018-20791
EXPLOIT-DB tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary file via path traversal with the path parameter, through the get_file action in ajax_calls.php. 2019-02-25 5.0 CVE-2018-20792
EXPLOIT-DB tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass, through the create_file action in execute.php. 2019-02-25 5.0 CVE-2018-20793
EXPLOIT-DB tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary image file (jpg/jpeg/png) via path traversal with the path parameter, through the save_img action in ajax_calls.php. 2019-02-25 5.0 CVE-2018-20794
EXPLOIT-DB tecrail — responsive_filemanager tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the copy_cut action in ajax_calls.php and the paste_clipboard action in execute.php. 2019-02-25 5.0 CVE-2018-20795
EXPLOIT-DB vembu — storegrid Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php. 2019-02-23 4.3 CVE-2014-10078
MISC
MISC vembu — storegrid In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the “ipaddress” hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash. 2019-02-23 5.0 CVE-2014-10079
MISC
MISC
MISC wireshark — wireshark In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences. 2019-02-27 5.0 CVE-2019-9208
BID
MISC
MISC
MISC wireshark — wireshark In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive digits in time values. 2019-02-27 5.0 CVE-2019-9209
BID
MISC
MISC
MISC wireshark — wireshark In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the RPCAP dissector could crash. This was addressed in epan/dissectors/packet-rpcap.c by avoiding an attempted dereference of a NULL conversation. 2019-02-27 5.0 CVE-2019-9214
BID
MISC
MISC
MISC woocommerce — woocommerce WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. 2019-02-25 4.3 CVE-2019-9168
MISC wuzhicms — wuzhi_cms XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecut&v=init&imgurl=[XSS] to coreframe/app/attachment/imagecut.php. 2019-02-24 4.3 CVE-2019-9107
MISC
MISC wuzhicms — wuzhi_cms XSS exists in WUZHI CMS 4.1.0 via index.php?m=message&f=message&v=add&username=[XSS] to coreframe/app/message/message.php. 2019-02-24 4.3 CVE-2019-9109
MISC
MISC wuzhicms — wuzhi_cms XSS exists in WUZHI CMS 4.1.0 via index.php?m=content&f=postinfo&v=listing&set_iframe=[XSS] to coreframe/app/content/postinfo.php. 2019-02-24 4.3 CVE-2019-9110
MISC
MISC wuzhicms — wuzhicms XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS] to coreframe/app/core/map.php. 2019-02-24 4.3 CVE-2019-9108
MISC
MISC zzzcms — zzzphp There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter. 2019-02-26 6.8 CVE-2019-9182
MISC