■ 공간분석의 7가지 타입

 

 

1. Spatial Data Analysis

 

 

 

 

 

 

2. Spatial Autocorrelation

 

 

 

 

 

 

3. Spatial Interpolation

 

 

 

 

 

 

4. Spatial Regression

 

 

 

 

 

 

5. Spatial Interaction

 

 

 

 

 

 

6. Simulation and Modeling

 

 

 

 

 

 

7. Multiple-Point Geostatistics

 

 

 

Posted by manga0713

 

 

 

 

 

 

 

Posted by manga0713

 

 

 

 

본문말씀 : 이사야 51장 17-23절

17.여호와의 손에서 그의 분노의 잔을 마신 예루살렘이여 깰지어다 깰지어다 일어설지어다 네가 이미 비틀걸음 치게 하는 큰 잔을 마셔 다 비웠도다 18.네가 낳은 모든 아들 중에 너를 인도할 자가 없고 네가 양육한 모든 아들 중에 그 손으로 너를 이끌 자도 없도다 19.이 두 가지 일이 네게 닥쳤으니 누가 너를 위하여 슬퍼하랴 곧 황폐와 멸망이요 기근과 칼이라 누가 너를 위로하랴 20.네 아들들이 곤비하여 그물에 걸린 영양 같이 온 거리 모퉁이에 누웠으니 그들에게 여호와의 분노와 네 하나님의 견책이 가득하도다 21.그러므로 너 곤고하며 포도주가 아니라도 취한 자여 이 말을 들으라 22.네 주 여호와, 그의 백성의 억울함을 풀어 주시는 네 하나님이 이같이 말씀하시되 보라 내가 비틀걸음 치게 하는 잔 곧 나의 분노의 큰 잔을 네 손에서 거두어서 네가 다시는 마시지 못하게 하고 23.그 잔을 너를 괴롭게 하던 자들의 손에 두리라 그들은 일찍이 네게 이르기를 엎드리라 우리가 넘어가리라 하던 자들이라 너를 넘어가려는 그들에게 네가 네 허리를 땅과 같게, 길거리와 같게 하였느니라 하시니라

희망을 잃지 말라 (이사야 51장 17-23절)

< 의지를 가지라 >

 오늘날 사방에 쾌락의 수단이 만연해 있다. 또한 많은 사람들이 어떤 것에 중독이 된 상태로 있어서 그것을 끊지 못하는 경우가 많다. 그것은 영적인 의미에서 이스라엘 백성들이 바벨론에 포로생활을 하는 것과 같다. 어떻게 그 중독 상태에서 해방되고 영적인 사슬을 풀 수 있는가? 하나님의 분노로 포로생활을 하게 된 이스라엘 백성들이 해야 될 중요한 일은 ‘깨어 일어서는 것’이다(17절). 하나님이 포로상태에서 해방시켜주기를 원하면 본인이 먼저 그 포로상태에서 벗어나려는 의지를 가져야 한다.

 요한복음 5장을 보면 베데스다 연못가에서 38년 된 병자가 있었다. 전설에는 그 연못이 움직일 때 먼저 들어가는 사람은 병이 치유된다는 얘기가 있었다. 그때 예수님이 그 병자에게 질문했다. “네가 낫고자 하느냐?” 병자가 대답했다. “주여 물이 움직일 때에 나를 못에 넣어주는 사람이 없었습니다.” 그것은 사실 핑계다. 어떻게 38년 동안 물이 움직이는 기회를 한 번도 못 살렸겠는가? 연못에 닿을 정도로 가까이 가서 물이 동하자마자 죽기 살기로 몸을 던지겠다는 굳은 의지가 있으면 그것은 충분히 가능한 일이었다.

 그런 의지도 없이 그냥 탄식했다. “나를 못에 넣어주는 사람이 없어서.” 그는 진심으로 병 낫기를 소원하지 않았다. 즉 병이 낫고자 하는 강렬한 의지가 없었다. 그래서 예수님이 “네가 낫고자 하느냐.”라는 질문부터 하셨다. 그 질문과 예수님의 강렬한 사랑의 눈빛은 병자에게 낫고자 하는 의지를 촉발시켰을 것이다. 그 의지를 읽고 예수님이 말씀했다. “일어나 네 자리를 들고 걸어가라.” 그때 그가 곧 나아서 자기 자리를 들고 걸어가는 놀라운 기적이 일어났다.

 중요한 것은 어떤 것에 대한 의지가 있는가 하는 것이다. 하나님의 그 의지를 읽으시고 응답도 주신다. 어떤 것에 중독된 상태에서 해방을 원하면 자신에게 강력한 해방을 향한 의지가 있어야 한다. 의지도 없이 중독 상태를 은근히 즐기려는 마음이 있으면 하나님이 역사하지 않는다. 축복도 마찬가지다. 축복을 막연하게 원해서 피와 땀과 눈물이란 축복을 향한 후속조치가 없으면 축복은 없다. 축복을 진정으로 원하면 먼저 축복에 대한 강렬한 의지를 가지라.

< 희망을 잃지 말라 >

 아무리 절망적인 상황이라도 그 상황이 뒤바뀔 때가 온다(21-23절). 결코 희망을 잃지 말라. 사람은 희망이 없을 때 더 나쁜 일에 중독된다. 희망이 없으면 쉽게 지치고, 모험도 모르고, 섬길 줄을 모르고, 삶이 단조롭고 안일하게 되고, 옆에 있는 사람들까지 피곤하게 만든다. 그러나 하나님이 주신 꿈과 비전과 사명과 희망을 가지면 열정과 아이디어와 용기가 생긴다. 나쁜 일은 대개 좋은 일과 연결되어 있다. 아무리 최악의 상황에서도 희망을 잃지 말라. 진정으로 희생을 감수하면 이 세상에 어떤 일도 못할 일이 없다.

 다윗은 17세에 사무엘로부터 기름 부음을 받았다. 그러나 13년 동안 사울 왕으로부터 쫓겨 다니기만 했다. 도저히 희망이 보이지 않았다. 사람들은 “이제 안 된다.”고 했을 것이다. 낙심도 수시로 찾아왔을 것이다. 그렇게 낙심과 싸우며 세월이 흘렀다. 더 희망이 없다는 듯이 환경은 그를 압박했다. 선지자가 잘못 예언한 것이라는 말도 들렸다. 자신에게도 그런 생각이 수시로 찾아왔지만 그는 불신 및 낙심과 싸웠다.

 그 기간 동안 서서히 사람이 모이면서 600명이 되었을 때 그들은 나발의 영지를 지켜주었다. 그래서 나발에게 식량을 요구했지만 나발은 거들떠보지도 않고 무시했다. 다윗은 극도로 흥분해서 나발을 죽이려고 했다. 그때 분노를 절제하지 못하고 그는 왕의 자격이 없었다. 다윗은 잠깐 자신이 기름 부음 받은 존재라는 사실을 잊었다. 다윗이 나발을 죽이려 한다는 얘기를 아비가일이 듣고 자신의 어리석은 남편으로 인해서 다윗의 명성에 오명을 남기지 말 것을 권고했다. 그 말을 듣고 다윗이 인생의 목적과 길을 잃지 않게 되었다.

 자신이 가는 길이 하나님이 기뻐하시는 길임을 인식하며 자기 이름의 가치에 해가 되지 않도록 하라. 사람이 낙심에 빠지고 추구하는 일이 오랫동안 이뤄지지 않으면 인생의 초점을 잃고 자신의 위치와 복된 앞날에 대한 비전을 잃을 수가 있다. 다시 인생의 초점을 되찾고 수시로 다가오는 분노의 순간을 잘 극복하라. 자신의 예정된 축복을 믿고 나아가라. 다윗처럼 현재 광야에 있고 낙심의 기운이 끊임없이 찾아오고 끊임없이 “이제 소용없다. 무슨 희망이 있나?”라는 생각이 들어도 하나님의 약속을 붙들고 결코 희망을 잃지 말라.

 비전이 구체화되지 않고 10년, 20년, 30년이 지나도 희망을 잃지 말라. 자신에게 주어진 길을 그대로 가라. 축복을 향한 강력한 의지를 가지고 어떤 희생도 감수하려고 하면 자신을 얽어맨 어둠의 사슬은 언젠가 끊어낼 수 있다. 어둠 속에서 포기하지 말고 희망을 가지고 터널 끝에 보이는 조그만 불빛에 집중해 보라. 그처럼 희망을 가지고 희생을 함으로 영적인 자유를 얻어 누리라.

ⓒ 이한규목사  http://www.john316.or.kr

Posted by manga0713

 

 

 

 

*** 출처: [US-CERT: Bulletin(SB18-057)] 2018년 2월 19일까지 발표된 보안 취약점

 

 

 

 

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no high vulnerabilities recorded this week.
Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no medium vulnerabilities recorded this week.
Back to top

 

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no low vulnerabilities recorded this week.
Back to top

 

Severity Not Yet Assigned

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
abb -- microscada
 
This vulnerability allows local attackers to escalate privileges on vulnerable installations of ABB MicroSCADA 9.3 with FP 1-2-3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of the access controls for the installed product files. The installation procedure leaves critical files open to manipulation by any authenticated user. An attacker can leverage this vulnerability to escalate privileges to SYSTEM. Was ZDI-CAN-5097. 2018-02-21 not yet calculated CVE-2018-1168
CONFIRM(link is external)
MISC(link is external)
abb -- netcadops_web_application
 
An Information Exposure issue was discovered in ABB netCADOPS Web Application Version 3.4 and prior, netCADOPS Web Application Version 7.1 and prior, netCADOPS Web Application Version 7.2x and prior, netCADOPS Web Application Version 8.0 and prior, and netCADOPS Web Application Version 8.1 and prior. A vulnerability exists in the password entry section of netCADOPS Web Application that may expose critical database information. 2018-02-20 not yet calculated CVE-2018-5477
BID(link is external)
MISC
adobe -- shockwave_player
 
Adobe Shockwave Player before 11.6.4.634 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0759. 2018-02-19 not yet calculated CVE-2012-0771
CONFIRM(link is external)
anchor -- anchor
 
An issue was discovered in config/error.php in Anchor 0.12.3. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as "Too many connections") has occurred. 2018-02-19 not yet calculated CVE-2018-7251
MISC(link is external)
MISC(link is external)
apache -- juddi
 
The console in Apache jUDDI 3.0.0 does not properly escape line feeds, which allows remote authenticated users to spoof log entries via the numRows parameter. 2018-02-19 not yet calculated CVE-2009-4267
CONFIRM
MLIST
apache -- karaf
 
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service. 2018-02-19 not yet calculated CVE-2016-8750
BID(link is external)
CONFIRM
apache -- oozie
 
Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 and 5.0.0-beta1 to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sensitive files on the Oozie server host. 2018-02-19 not yet calculated CVE-2017-15712
BID(link is external)
MLIST
apache -- qpid
 
The qpidd broker in Apache Qpid 0.30 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via an AMQP message with (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, or (3) a session-gap control before a corresponding session-attach. 2018-02-21 not yet calculated CVE-2015-0203
BID(link is external)
REDHAT(link is external)
CONFIRM
MISC(link is external)
apache -- tomcat
 
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. 2018-02-23 not yet calculated CVE-2018-1305
MISC
apache -- vcl
 
The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation. 2018-02-21 not yet calculated CVE-2013-0267
CONFIRM(link is external)
MLIST
apexis -- apm-h803-mpc_software
 
An issue was discovered in Apexis APM-H803-MPC software, as used with many different models of IP Camera. An unprotected CGI method inside the web application permits an unauthenticated user to bypass the login screen and access the webcam contents including: live video stream, configuration files with all the passwords, system information, and much more. With this vulnerability, anyone can access to a vulnerable webcam with 'super admin' privilege. 2018-02-19 not yet calculated CVE-2017-17101
MISC(link is external)
apexis -- apm_j601_ws
 
Directory traversal vulnerability in Apexis APM-J601-WS cameras with firmware before 17.35.2.49 allows remote attackers to read arbitrary files via unspecified vectors. 2018-02-19 not yet calculated CVE-2014-3972
MISC(link is external)
apngdis -- apngdis
 
Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed image size descriptor in the IHDR chunk. 2018-02-20 not yet calculated CVE-2017-6193
BID(link is external)
EXPLOIT-DB(link is external)
EXPLOIT-DB(link is external)
MISC(link is external)
apngdis -- apngdis
 
Buffer overflow in APNGDis 2.8 and earlier allows a remote attackers to cause denial of service and possibly execute arbitrary code via a crafted image containing a malformed chunk size descriptor. 2018-02-20 not yet calculated CVE-2017-6192
BID(link is external)
EXPLOIT-DB(link is external)
EXPLOIT-DB(link is external)
MISC(link is external)
apple -- cups
 
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1). 2018-02-16 not yet calculated CVE-2017-18190
MISC
MISC(link is external)
MLIST
armadito -- armadito
 
An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI. This happens because characters that cannot be converted from Unicode are replaced with '?' characters. 2018-02-21 not yet calculated CVE-2018-7289
MISC(link is external)
asterisk -- asterisk
 
An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop). 2018-02-21 not yet calculated CVE-2018-7287
CONFIRM(link is external)
SECTRACK(link is external)
CONFIRM
asterisk -- asterisk
 
A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash. 2018-02-21 not yet calculated CVE-2018-7284
CONFIRM
SECTRACK(link is external)
asterisk -- asterisk
 
A NULL pointer access issue was discovered in Asterisk 15.x through 15.2.1. The RTP support in Asterisk maintains its own registry of dynamic codecs and desired payload numbers. While an SDP negotiation may result in a codec using a different payload number, these desired ones are still stored internally. When an RTP packet was received, this registry would be consulted if the payload number was not found in the negotiated SDP. This registry was incorrectly consulted for all packets, even those which are dynamic. If the payload number resulted in a codec of a different type than the RTP stream (for example, the payload number resulted in a video codec but the stream carried audio), a crash could occur if no stream of that type had been negotiated. This was due to the code incorrectly assuming that a stream of that type would always exist. 2018-02-21 not yet calculated CVE-2018-7285
CONFIRM
SECTRACK(link is external)
asterisk -- asterisk
 
An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection. 2018-02-21 not yet calculated CVE-2018-7286
CONFIRM
SECTRACK(link is external)
CONFIRM
atlassian -- crucible
 
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet. 2018-02-19 not yet calculated CVE-2017-18092
BID(link is external)
CONFIRM(link is external)
atlassian -- crucible
 
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review. 2018-02-16 not yet calculated CVE-2017-18089
BID(link is external)
CONFIRM(link is external)
atlassian -- crucible
 
The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability. 2018-02-19 not yet calculated CVE-2017-18095
CONFIRM(link is external)
atlassian -- fisheye
 
Various resources in Atlassian Fisheye before version 4.5.1 (the fixed version for 4.5.x) and before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a commit author. 2018-02-16 not yet calculated CVE-2017-18090
BID(link is external)
CONFIRM(link is external)
atlassian -- floodlight_controller
 
Race condition in the LoadBalancer module in the Atlassian Floodlight Controller before 1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and thread crash) via a state manipulation attack. 2018-02-21 not yet calculated CVE-2015-6569
CONFIRM(link is external)
CONFIRM(link is external)
atlassian -- multiple_products
 
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository. 2018-02-19 not yet calculated CVE-2017-18093
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
atlassian -- multiple_products
 
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup. 2018-02-16 not yet calculated CVE-2017-18091
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
cactus_vpn -- cactus_vpn
 
CactusVPN 5.3.6 for macOS contains a root privilege escalation vulnerability through a setuid root binary called runme. The binary takes a single command line argument and passes this argument to a system() call, thus allowing low privileged users to execute commands as root. 2018-02-21 not yet calculated CVE-2018-7281
MISC(link is external)

carbon_black -- carbon_black


 
A security design issue can allow an unprivileged user to interact with the Carbon Black Sensor and perform unauthorized actions. 2018-02-19 not yet calculated CVE-2016-9568
MISC(link is external)
cisco -- data_center_analytics_framework
 
A vulnerability in the web-based management interface of the Cisco Data Center Analytics Framework application could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information on the affected system. Cisco Bug IDs: CSCvg45105. 2018-02-21 not yet calculated CVE-2018-0145
CONFIRM(link is external)
cisco -- data_center_analytics_framework
 
A vulnerability in the Cisco Data Center Analytics Framework application could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to improper CSRF protection by the affected application. An attacker could exploit this vulnerability by persuading a user of the affected application to click a malicious link. A successful exploit could allow the attacker to submit arbitrary requests and take unauthorized actions on behalf of the user. Cisco Bug IDs: CSCvg45114. 2018-02-21 not yet calculated CVE-2018-0146
CONFIRM(link is external)
cisco -- elastic_services_controller

 
A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system. The vulnerability is due to the presence of static default credentials for the web-based service portal of the affected software. An attacker could exploit this vulnerability by extracting the credentials from an image of the affected software and using those credentials to generate a valid administrative session token for the web-based service portal of any other installation of the affected software. A successful exploit could allow the attacker to gain administrative access to the web-based service portal of an affected system. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg30884. 2018-02-21 not yet calculated CVE-2018-0130
BID(link is external)
CONFIRM(link is external)
cisco -- elastic_services_controller
 
A vulnerability in the authentication functionality of the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper security restrictions that are imposed by the web-based service portal of the affected software. An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal. A successful exploit could allow the attacker to bypass authentication and gain administrator privileges for the web-based service portal of the affected software. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg29809. 2018-02-21 not yet calculated CVE-2018-0121
BID(link is external)
CONFIRM(link is external)
cisco -- jabber_client_framework
 
A vulnerability in Cisco Jabber Client Framework (JCF) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected device. The vulnerability is due to improper neutralization of script in attributes in a web page. An attacker could exploit this vulnerability by executing arbitrary JavaScript in the Jabber client of the recipient. An exploit could allow the attacker to perform remote code execution. Cisco Bug IDs: CSCve53989. 2018-02-21 not yet calculated CVE-2018-0199
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- jabber_client_framework
 
A vulnerability in Cisco Jabber Client Framework (JCF) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected device. The vulnerability is due to improper neutralization of input during web page generation. An attacker could exploit this vulnerability by embedding media in instant messages. An exploit could allow the attacker to cause the recipient chat client to make outbound requests. Cisco Bug IDs: CSCve54001. 2018-02-21 not yet calculated CVE-2018-0201
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- multiple_products
 
A vulnerability in the web-based management interface of Cisco UCS Director Software and Cisco Integrated Management Controller (IMC) Supervisor Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protection by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions, via the user's web browser and with the user's privileges, on an affected system. Cisco Bug IDs: CSCvf71929. 2018-02-21 not yet calculated CVE-2018-0148
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- orime_service_catalog
 
A vulnerability in the web-based interface of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based interface of an affected product. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvh65713. 2018-02-21 not yet calculated CVE-2018-0200
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- prime_collaboration_provisioning_tool
 
A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning Tool could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for individual users. The vulnerability is due to weak login controls. An attacker could exploit this vulnerability by using a brute-force attack (Repeated Bad Login Attempts). A successful exploit could allow the attacker to restrict user access. Manual administrative intervention is required to restore access. Cisco Bug IDs: CSCvd07264. 2018-02-21 not yet calculated CVE-2018-0204
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- prime_collaboration_provisioning_tool
 
A vulnerability in the User Provisioning tab in the Cisco Prime Collaboration Provisioning Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by placing a malicious string in the Prime Collaboration Provisioning database. A successful exploit could allow the attacker to access Cisco Prime Collaboration Provisioning by injecting crafted data into the database. Cisco Bug IDs: CSCvd86609. 2018-02-21 not yet calculated CVE-2018-0205
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- unified_communications_customer_voice_portal
 
A vulnerability in the Interactive Voice Response (IVR) management connection interface for Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to cause the IVR connection to disconnect, creating a system-wide denial of service (DoS) condition. The vulnerability is due to improper handling of a TCP connection request when the IVR connection is already established. An attacker could exploit this vulnerability by initiating a crafted connection to the IP address of the targeted CVP device. An exploit could allow the attacker to disconnect the IVR to CVP connection, creating a DoS condition that prevents the CVP from accepting new, incoming calls while the IVR automatically attempts to re-establish the connection to the CVP. This vulnerability affects Cisco Unified Customer Voice Portal (CVP) Software Release 11.5(1). Cisco Bug IDs: CSCve70560. 2018-02-21 not yet calculated CVE-2018-0139
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- unified_communications_domain_manager
 
A vulnerability in Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to bypass security protections, gain elevated privileges, and execute arbitrary code. The vulnerability is due to insecure key generation during application configuration. An attacker could exploit this vulnerability by using a known insecure key value to bypass security protections by sending arbitrary requests using the insecure key to a targeted application. An exploit could allow the attacker to execute arbitrary code. This vulnerability affects Cisco Unified Communications Domain Manager releases prior to 11.5(2). Cisco Bug IDs: CSCuv67964. 2018-02-21 not yet calculated CVE-2018-0124
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- unified_communications_manager
 
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a link that submits malicious input to the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvg74815. 2018-02-21 not yet calculated CVE-2018-0206
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- unity_connection
 
A vulnerability in the SMTP relay of Cisco Unity Connection could allow an unauthenticated, remote attacker to send unsolicited email messages, aka a Mail Relay Vulnerability. The vulnerability is due to improper handling of domain information in the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted requests to the targeted application. A successful exploit could allow the attacker to send email messages to arbitrary addresses. Cisco Bug IDs: CSCvg62215. 2018-02-21 not yet calculated CVE-2018-0203
SECTRACK(link is external)
CONFIRM(link is external)
codeigniter -- codeigniter
 
The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag. 2018-02-21 not yet calculated CVE-2013-4891
CONFIRM(link is external)
MISC(link is external)
CONFIRM(link is external)
codeigniter -- codeigniter
 
SQL injection vulnerability in the offset method in the Active Record class in CodeIgniter before 2.2.4 allows remote attackers to execute arbitrary SQL commands via vectors involving the offset variable. 2018-02-21 not yet calculated CVE-2015-5725
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
combodo -- itop
 
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. 2018-02-20 not yet calculated CVE-2015-6544
CONFIRM(link is external)
CONFIRM(link is external)
MISC(link is external)
converse.js_inverse.js -- converse.js_inverse.js
 
Converse.js and Inverse.js through 3.3 allow remote attackers to obtain sensitive information because it is too difficult to determine whether safe publication of private data was configured or even intended. For example, users might have an expectation that chatroom bookmarks are private, but the various interacting software components do not necessarily make that happen. 2018-02-19 not yet calculated CVE-2018-6591
MISC(link is external)
d-link -- dir-600m_c1
 
Cross Site Scripting (XSS) exists on the D-Link DIR-600M C1 3.01 via the SSID or the name of a user account. 2018-02-21 not yet calculated CVE-2018-6936
MISC(link is external)
danwin -- danwin_hosting
 
A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. 2018-02-21 not yet calculated CVE-2018-7308
MISC(link is external)
MISC(link is external)
datto -- multiple_products
 
Datto ALTO and SIRIS devices have a default VNC password. 2018-02-20 not yet calculated CVE-2015-9254
MISC(link is external)
datto -- multiple_products
 
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default. 2018-02-20 not yet calculated CVE-2015-9256
MISC(link is external)
datto -- multiple_products
 
Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts. 2018-02-20 not yet calculated CVE-2015-2081
MISC(link is external)
datto -- multiple_products
 
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory. 2018-02-20 not yet calculated CVE-2015-9255
MISC(link is external)
dotcms -- dotcms
 
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter. 2018-02-19 not yet calculated CVE-2016-10008
MISC(link is external)
dotcms -- dotcms
 
SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter. 2018-02-19 not yet calculated CVE-2016-10007
MISC(link is external)
epic -- mychart
 
SQL injection vulnerability in EPIC MyChart allows remote attackers to execute arbitrary SQL commands via the topic parameter to help.asp. 2018-02-20 not yet calculated CVE-2016-6272
MISC(link is external)
EXPLOIT-DB(link is external)
eq-3 -- homematic_ccu2
 
eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port without authentication. This can be exploited by sending arbitrary XML-RPC requests to control the attached BidCos devices. 2018-02-22 not yet calculated CVE-2018-7301
MISC(link is external)
eq-3 -- homematic_ccu2
 
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. 2018-02-22 not yet calculated CVE-2018-7297
MISC(link is external)
eq-3 -- homematic_ccu2
 
In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of www.meine-homematic.de or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise. 2018-02-22 not yet calculated CVE-2018-7298
MISC(link is external)
eq-3 -- homematic_ccu2
 
Directory Traversal / Arbitrary File Read in User.getLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to read the first line of an arbitrary file on the CCU2's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. 2018-02-22 not yet calculated CVE-2018-7296
MISC(link is external)
eq-3 -- homematic_ccu2
 
Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. 2018-02-22 not yet calculated CVE-2018-7300
MISC(link is external)
eq-3 -- homematic_ccu2
 
Remote Code Execution in the addon installation process in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows authenticated attackers to create or overwrite arbitrary files or install malicious software on the device. 2018-02-22 not yet calculated CVE-2018-7299
MISC(link is external)
fllight_sim_labs -- fllight_sim_labs
 
The FSX / P3Dv4 installer 2.0.1.231 for Flight Sim Labs A320-X sends a user's Google account credentials to http://installLog.flightsimlabs.com/LogHandler3.ashx if a pirated serial number has been entered, which allows remote attackers to obtain sensitive information, e.g., by sniffing the network for cleartext HTTP traffic. This behavior was removed in 2.0.1.232. 2018-02-19 not yet calculated CVE-2018-7259
MISC(link is external)
MISC(link is external)
MISC(link is external)
forgerock -- forgerock_am
 
The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file. 2018-02-20 not yet calculated CVE-2018-7272
MISC(link is external)
MISC(link is external)
freexl -- freexl
 
An issue was discovered in FreeXL before 1.0.5. There is a heap-based buffer over-read in the parse_unicode_string function. 2018-02-23 not yet calculated CVE-2018-7438
MISC(link is external)
MISC(link is external)
freexl -- freexl
 
An issue was discovered in FreeXL before 1.0.5. There is a heap-based buffer over-read in a pointer dereference of the parse_SST function. 2018-02-23 not yet calculated CVE-2018-7436
MISC(link is external)
MISC(link is external)
freexl -- freexl
 
An issue was discovered in FreeXL before 1.0.5. There is a heap-based buffer over-read in the function read_mini_biff_next_record. 2018-02-23 not yet calculated CVE-2018-7439
MISC(link is external)
MISC(link is external)
freexl -- freexl
 
An issue was discovered in FreeXL before 1.0.5. There is a heap-based buffer over-read in a memcpy call of the parse_SST function. 2018-02-23 not yet calculated CVE-2018-7437
MISC(link is external)
MISC(link is external)
freexl -- freexl
 
An issue was discovered in FreeXL before 1.0.5. There is a heap-based buffer over-read in the freexl::destroy_cell function. 2018-02-23 not yet calculated CVE-2018-7435
MISC(link is external)
MISC(link is external)

fuji_soft_incorporated -- fs010w

Cross-site scripting vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to inject arbitrary web script or HTML via unspecified vectors. 2018-02-23 not yet calculated CVE-2018-0519
JVN(link is external)
fuji_soft_incorporated -- fs010w
 
Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. 2018-02-23 not yet calculated CVE-2018-0520
JVN(link is external)
ge -- d60_line_distance_relay_devices
 
A Stack-based Buffer Overflow issue was discovered in GE D60 Line Distance Relay devices running firmware Version 7.11 and prior. Multiple stack-based buffer overflow vulnerabilities have been identified, which may allow remote code execution. 2018-02-19 not yet calculated CVE-2018-5475
BID(link is external)
MISC
ge -- d60_line_distance_relay_devices
 
An Improper Restriction of Operations within the Bounds of a Memory Buffer issue was discovered in GE D60 Line Distance Relay devices running firmware Version 7.11 and prior. The SSH functions of the device are vulnerable to buffer overflow conditions that may allow a remote attacker to execute arbitrary code on the device. 2018-02-19 not yet calculated CVE-2018-5473
BID(link is external)
MISC
gnu -- binutils
 
In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object. 2018-02-17 not yet calculated CVE-2018-7208
BID(link is external)
CONFIRM
gnu -- libcdio
 
realloc_symlink in rock.c in GNU libcdio before 1.0.0 allows remote attackers to cause a denial of service (NULL Pointer Dereference) via a crafted iso file. 2018-02-24 not yet calculated CVE-2017-18199
CONFIRM
CONFIRM
gnu -- libcdio
 
print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted iso file. 2018-02-24 not yet calculated CVE-2017-18198
CONFIRM
CONFIRM
go -- go
 
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. 2018-02-16 not yet calculated CVE-2018-7187
CONFIRM(link is external)
google -- android
 
smart/calculator/gallerylock/CalculatorActivity.java in the "Photo,Video Locker-Calculator" application through 18 for Android allows attackers to access files via the backdoor 17621762 PIN. 2018-02-20 not yet calculated CVE-2017-18192
MISC(link is external)
google -- android
 
The "Photo,Video Locker-Calculator" application 12.0 for Android has android:allowBackup="true" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup '-f smart.calculator.gallerylock'" command. 2018-02-20 not yet calculated CVE-2017-16835
MISC(link is external)
hamayeshnegar_cms -- hamayeshnegar_cms
 
SQL injection vulnerability in users/signup.php in the "signup" component in HamayeshNegar CMS allows a remote attacker to execute arbitrary SQL commands via the "utype" parameter. 2018-02-22 not yet calculated CVE-2017-18194
MISC(link is external)
hostapd -- hostapd
 
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message. 2018-02-21 not yet calculated CVE-2015-5314
CONFIRM(link is external)
MLIST(link is external)
UBUNTU(link is external)
DEBIAN
hostapd -- hostapd
 
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message. 2018-02-21 not yet calculated CVE-2015-5315
CONFIRM(link is external)
MLIST(link is external)
UBUNTU(link is external)
DEBIAN
hostapd -- hostapd
 
The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an EAP-pwd Confirm message followed by the Identity exchange. 2018-02-21 not yet calculated CVE-2015-5316
CONFIRM(link is external)
MLIST(link is external)
BID(link is external)
UBUNTU(link is external)
DEBIAN
ibm -- financial_transaction_manager
 
IBM Financial Transaction Manager 3.0.4 and 3.1.0 for ACH Services for Multi-Platform could allow an authenticated user to execute a specially crafted command that could cause a denial of service. IBM X-Force ID: 138376. 2018-02-22 not yet calculated CVE-2018-1391
CONFIRM(link is external)
MISC(link is external)
ibm -- financial_transaction_manager
 
IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859. 2018-02-21 not yet calculated CVE-2017-1758
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
MISC(link is external)
ibm -- financial_transaction_manager
 
IBM Financial Transaction Manager 3.0.4 and 3.1.0 for ACH Services for Multi-Platform could allow an authenticated user to execute a specially crafted command that could obtain sensitive information. IBM X-Force ID: 138377. 2018-02-22 not yet calculated CVE-2018-1392
CONFIRM(link is external)
MISC(link is external)
ibm -- forms_experience_builder
 
XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088. 2018-02-21 not yet calculated CVE-2016-0369
CONFIRM(link is external)
XF(link is external)
ibm -- j9_jvm
 
Under certain circumstances, a flaw in the J9 JVM (IBM Runtimes for Java Technology 6.0, 6.1, 7.0, 7.1, and 8.0) allows untrusted code running under a security manager to elevate its privileges. IBM X-Force ID: 138823. 2018-02-22 not yet calculated CVE-2018-1417
SECTRACK(link is external)
MISC(link is external)
CONFIRM(link is external)
ibm -- maximo_anywhere
 
IBM Maximo Anywhere 7.5 and 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132851. 2018-02-21 not yet calculated CVE-2017-1604
CONFIRM(link is external)
MISC(link is external)
ibm -- maximo_asset_management
 
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138821. 2018-02-22 not yet calculated CVE-2018-1415
CONFIRM(link is external)
MISC(link is external)
ibm -- maximo_asset_management
 
IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 138820. 2018-02-22 not yet calculated CVE-2018-1414
CONFIRM(link is external)
MISC(link is external)
ibm -- notes_diagnostics
 
IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) could allow a local user to execute commands on the system. By crafting a command line sent via the shared memory IPC, which could be tricked into executing an executable chosen by the attacker. IBM X-Force ID: 138710. 2018-02-19 not yet calculated CVE-2018-1411
CONFIRM(link is external)
CONFIRM(link is external)
MISC(link is external)
ibm -- notes_diagnostics
 
IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) could allow a local user to execute commands on the system. By crafting a command line sent via the shared memory IPC, which could be tricked into executing an executable chosen by the attacker. IBM X-Force ID: 138708. 2018-02-19 not yet calculated CVE-2018-1409
CONFIRM(link is external)
CONFIRM(link is external)
MISC(link is external)
ibm -- notes_diagnostics
 
IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) could allow a local user to execute commands on the system. By crafting a command line sent via the shared memory IPC, which could be tricked into executing an executable chosen by the attacker. IBM X-Force ID: 138709. 2018-02-19 not yet calculated CVE-2018-1410
CONFIRM(link is external)
CONFIRM(link is external)
MISC(link is external)
ibm -- rhapsody_dm
 
IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128461. 2018-02-21 not yet calculated CVE-2017-1462
CONFIRM(link is external)
SECTRACK(link is external)
MISC(link is external)
ibm -- security_identity_manager_virtual_appliance
 
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 does not set the secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. IBM X-Force ID: 111890. 2018-02-21 not yet calculated CVE-2016-0351
CONFIRM(link is external)
XF(link is external)
ibm -- security_identity_manager_virtual_appliance
 
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 112072. 2018-02-21 not yet calculated CVE-2016-0367
CONFIRM(link is external)
XF(link is external)
ibm -- security_identity_manager_virtual_appliance
 
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 might allow remote attackers to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 112071. 2018-02-21 not yet calculated CVE-2016-0366
CONFIRM(link is external)
XF(link is external)
ibm -- tririga
 
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 111784. 2018-02-21 not yet calculated CVE-2016-0343
CONFIRM(link is external)
XF(link is external)
ibm -- tririga
 
Cross-site scripting (XSS) vulnerability in the My Reports component in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111785. 2018-02-21 not yet calculated CVE-2016-0344
XF(link is external)
CONFIRM(link is external)
ibm -- tririga
 
Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813. 2018-02-21 not yet calculated CVE-2016-0348
XF(link is external)
ibm -- tririga
 
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to obtain the installation path via vectors involving Birt report rendering. IBM X-Force ID: 111786. 2018-02-21 not yet calculated CVE-2016-0345
XF(link is external)
CONFIRM(link is external)
idashbboards -- idashboards
 
An issue was discovered in iDashboards 9.6b. The SSO implementation is affected by a weak obfuscation library, allowing man-in-the-middle attackers to discover credentials. 2018-02-17 not yet calculated CVE-2018-7211
MISC
idashbboards -- idashboards
 
An issue was discovered in iDashboards 9.6b. It allows remote attackers to obtain sensitive information via a direct request for the idb/config?CMD=installLicense URI, as demonstrated by intranet IP addresses and names of guest accounts. 2018-02-17 not yet calculated CVE-2018-7210
MISC
idashbboards -- idashboards
 
An issue was discovered in iDashboards 9.6b. It allows remote attackers to obtain sensitive information via a direct request for the idashboards/config.xml URI, as demonstrated by intranet URLs for reports. 2018-02-17 not yet calculated CVE-2018-7209
MISC
imagemagick -- imagemagick
 
The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 does not properly validate the amount of image data in a file, which allows remote attackers to cause a denial of service (memory allocation failure in the AcquireMagickMemory function in MagickCore/memory.c). 2018-02-23 not yet calculated CVE-2018-7443
MISC(link is external)
insteon -- insteon_for_hub_android_app
 
In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner. 2018-02-22 not yet calculated CVE-2017-5250
MISC(link is external)
insteon -- insteon_hub
 
In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted. 2018-02-22 not yet calculated CVE-2017-5251
MISC(link is external)
jenkins -- jenkins
 
An issue was discovered in the Extended Choice Parameter (aka extended-choice-parameter) plugin 0.64 for Jenkins 2.89.3. The PATH_INFO filename is vulnerable to path traversal attacks via ..\ sequences to the /plugin/extended-choice-parameter/js/ URI. 2018-02-20 not yet calculated CVE-2018-6356
MLIST(link is external)
BID(link is external)
CONFIRM(link is external)
joomla! -- joomla! SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action. 2018-02-17 not yet calculated CVE-2018-6396
BID(link is external)
EXPLOIT-DB(link is external)
joomla! -- joomla! SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action. 2018-02-17 not yet calculated CVE-2018-5980
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Saxum Numerology 3.0.4 component for Joomla! via the publicid parameter. 2018-02-17 not yet calculated CVE-2018-7177
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the ccNewsletter 2.x component for Joomla! via the id parameter in a task=removeSubscriber action, a related issue to CVE-2011-5099. 2018-02-17 not yet calculated CVE-2018-5989
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter. 2018-02-17 not yet calculated CVE-2018-7180
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter. 2018-02-22 not yet calculated CVE-2018-7318
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
Backup Download exists in the Proclaim 9.1.1 component for Joomla! via a direct request for a .sql file under backup/. 2018-02-22 not yet calculated CVE-2018-7317
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the DT Register 3.2.7 component for Joomla! via a task=edit&id= request. 2018-02-17 not yet calculated CVE-2018-6584
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Saxum Picker 3.2.10 component for Joomla! via the publicid parameter. 2018-02-17 not yet calculated CVE-2018-7178
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the SquadManagement 1.0.3 component for Joomla! via the id parameter. 2018-02-17 not yet calculated CVE-2018-7179
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429. 2018-02-22 not yet calculated CVE-2018-7314
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI. 2018-02-17 not yet calculated CVE-2018-5975
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter. 2018-02-17 not yet calculated CVE-2018-5981
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joomla! via a task=refresh&sid= request. 2018-02-17 not yet calculated CVE-2018-5983
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request. 2018-02-17 not yet calculated CVE-2018-5982
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter. 2018-02-17 not yet calculated CVE-2018-5974
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JGive 2.0.9 component for Joomla! via the filter_org_ind_type or campaign_countries parameter. 2018-02-17 not yet calculated CVE-2018-5970
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 component for Joomla! via the pin_id or user_id parameter in a task=getlikeinfo action, the ends parameter in a view=gift action, the category parameter in a view=home action, the uid parameter in a view=pindisplay action, the searchVal parameter in a view=search action, or the uid parameter in a view=likes action. 2018-02-17 not yet calculated CVE-2018-5987
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JTicketing 2.0.16 component for Joomla! via a view=events action with a filter_creator or filter_events_cat parameter. 2018-02-17 not yet calculated CVE-2018-6585
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter. 2018-02-17 not yet calculated CVE-2018-5971
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JB Bus 2.3 component for Joomla! via the order_number parameter. 2018-02-17 not yet calculated CVE-2018-6372
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or caption parameter. 2018-02-20 not yet calculated CVE-2017-16356
MISC(link is external)
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Project Log 1.5.3 component for Joomla! via the search parameter. 2018-02-18 not yet calculated CVE-2018-6024
MISC(link is external)
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JS Autoz 1.0.9 component for Joomla! via the vtype, pre, or prs parameter. 2018-02-17 not yet calculated CVE-2018-6006
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter. 2018-02-17 not yet calculated CVE-2018-6004
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798. 2018-02-17 not yet calculated CVE-2018-5991
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla! via a mediafileform action. 2018-02-22 not yet calculated CVE-2018-7316
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via the searchtext array parameter. 2018-02-22 not yet calculated CVE-2018-7313
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Timetable Responsive Schedule 1.5 component for Joomla! via a view=event&alias= request. 2018-02-17 not yet calculated CVE-2018-6583
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via the gender, age1, age2, religion, mothertounge, caste, or country parameter. 2018-02-22 not yet calculated CVE-2018-7315
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JomEstate PRO through 3.7 component for Joomla! via the id parameter in a task=detailed action. 2018-02-17 not yet calculated CVE-2018-6368
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter. 2018-02-17 not yet calculated CVE-2018-5990
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Staff Master through 1.0 RC 1 component for Joomla! via the name parameter in a view=staff request. 2018-02-17 not yet calculated CVE-2018-5992
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the OS Property Real Estate 3.12.7 component for Joomla! via the cooling_system1, heating_system1, or laundry parameter. 2018-02-22 not yet calculated CVE-2018-7319
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter. 2018-02-22 not yet calculated CVE-2018-7312
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the InviteX 3.0.5 component for Joomla! via the invite_type parameter in a view=invites action. 2018-02-17 not yet calculated CVE-2018-6394
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Fastball 2.5 component for Joomla! via the season parameter in a view=player action. 2018-02-17 not yet calculated CVE-2018-6373
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Realpin through 1.5.04 component for Joomla! via the pinboard parameter. 2018-02-17 not yet calculated CVE-2018-6005
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the Aist through 2.0 component for Joomla! via the id parameter in a view=showvacancy request. 2018-02-17 not yet calculated CVE-2018-5993
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the NeoRecruit 4.1 component for Joomla! via the (1) PATH_INFO or (2) name of a .html file under the all-offers/ URI. 2018-02-17 not yet calculated CVE-2018-6370
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via the zipcode parameter in a newest-jobs request, or the ta parameter in a view_resume request. 2018-02-17 not yet calculated CVE-2018-5994
EXPLOIT-DB(link is external)
joyent -- smartos
 
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SMBIOC_TREE_RELE ioctl. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the host OS. Was ZDI-CAN-4984. 2018-02-21 not yet calculated CVE-2018-1166
CONFIRM(link is external)
MISC(link is external)
joyent -- smartos
 
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SMB_IOC_SVCENUM IOCTL. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of the host OS. Was ZDI-CAN-4983. 2018-02-21 not yet calculated CVE-2018-1165
CONFIRM(link is external)
MISC(link is external)
juniper -- appformix_agent
 
A malicious user with unrestricted access to the AppFormix application management platform may be able to access a Python debug console and execute system commands with root privilege. The AppFormix Agent exposes the debug console on a host where AppFormix Agent is executing. If the host is executing AppFormix Agent, an attacker may access the debug console and execute Python commands with root privilege. Affected AppFormix releases are: all versions of 2.7; 2.11 versions prior to 2.11.3; 2.15 versions prior to 2.15.2. Juniper SIRT is not aware of any malicious exploitation of this vulnerability, however, the issue has been seen in a production network. No other Juniper Networks products or platforms are affected by this issue. 2018-02-22 not yet calculated CVE-2018-0015
CONFIRM(link is external)
keyclock -- keycloak
 
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. 2018-02-21 not yet calculated CVE-2017-12161
CONFIRM(link is external)
CONFIRM(link is external)
leptonica -- leptonica
 
An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function allows command injection via a $(command) approach in the gplot rootname argument. This issue exists because of an incomplete fix for CVE-2018-3836. 2018-02-23 not yet calculated CVE-2018-7440
MISC(link is external)
leptonica -- leptonica
 
An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in Leptonica before 1.75.3. Unsanitized input (rootname) can overflow a buffer, leading potentially to arbitrary code execution or possibly unspecified other impact. 2018-02-19 not yet calculated CVE-2018-7247
MISC(link is external)
leptonica -- leptonica
 
An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function does not block '/' characters in the gplot rootname argument, potentially leading to path traversal and arbitrary file overwrite. 2018-02-23 not yet calculated CVE-2018-7442
MISC
leptonica -- leptonica
 
Leptonica before 1.75.3 does not limit the number of characters in a %s format argument to fscanf or sscanf, which allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a long string, as demonstrated by the gplotRead and ptaReadStream functions. 2018-02-16 not yet calculated CVE-2018-7186
MISC
MISC(link is external)
MISC
leptonica -- leptonica
 
Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif. 2018-02-23 not yet calculated CVE-2017-18196
MISC
leptonica -- leptonica

 
Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might allow local users to overwrite arbitrary files or have unspecified other impact by creating files in advance or winning a race condition, as demonstrated by /tmp/junk_split_image.ps in prog/splitimage2pdf.c. 2018-02-23 not yet calculated CVE-2018-7441
MISC
libid3tag -- libid3tag
 
id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS). 2018-02-20 not yet calculated CVE-2004-2779
MISC
MISC
MISC
libtiff -- libtiff
 
A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) 2018-02-24 not yet calculated CVE-2018-7456
MISC
MISC(link is external)
libvirt -- libvirt
 
util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module. 2018-02-23 not yet calculated CVE-2018-6764
UBUNTU