[Automated Extraction of AI Training Data]

*** Source: [iitp] Building Data for Artificial Intelligence in Agriculture - Principal 정휘웅, Team Leader 조용빈

*** Document:

file4947737572933786518-185901.pdf

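I. Introduction

- Agriculture involves no personal information, its data is easy to collect, and its range of uses is very broad, so research on applying artificial intelligence has recently been most active in this field.

- Supporting the training process of agricultural AI requires a vast amount of refined base data together with elaborate data sets in which the answers to be obtained are defined in advance.

- In agriculture and other industries a machine cannot define the optimal answer, so data sets suited to each outcome must be prepared with human help.

- For example, when optimizing AI for a particular crop, the AI cannot decide what humans want the final goal to be, whether minimum production cost, highest quality, or maximum yield, so data sets for each of these settings must be available to some extent. The optimized values extracted at each training stage ultimately have to be judged by humans.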

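II. Overseas Cases of Agricultural AI and How It Can Be Used

1. Analysis of overseas cases

- Advanced countries, led by the United States, are actively adopting AI in three areas: agricultural robots, crop and soil monitoring, and predictive analytics.

○ Agricultural robots

- Autonomous robots are being developed to handle essential agricultural tasks, such as harvesting more crops at a faster pace than human workers.

- Blue River Technology of the US stated that its See Spray robot, which uses a visual recognition system to spray herbicide precisely on weeds, reduced the amount of herbicide sprayed by 80% and cut costs by more than 90%.

○ Crop and soil monitoring

- Technology that uses computer vision and deep learning algorithms to process, in software, data captured by farmers or unmanned aerial vehicles in order to measure and monitor crop and soil health.

- Germany, Plantix by PET: detects potential soil defects and nutrient deficiencies; development is under way of technology that compares photographed leaf data against diverse data collected by country to identify pests or diseases in advance.

○ Predictive analytics

- United States, aWhere: provides a service that predicts the presence of diseases and pests from weather information.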

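2. Where AI can help agriculture

- It can offer solutions for repetitive tasks that are difficult for humans to handle or that take a lot of time.

○ Identifying crops and pests/diseases

- The types of pests and diseases vary widely by crop, and so does the way they progress. Many methods are being developed to trace disease information from leaf characteristics, but the sheer number of diseases is the problem.

- Overseas, technology has also been developed that can trace a crop's genetic origin from the vein pattern of its leaves.

○ Measuring early infection

- When infection in a particular field or in some crops reaches a level visible to the human eye, very often the pests or disease have already spread to most of the crops in that area and the damage is hard to recover from.

- Kamlesh (2018) recently argued that early signs of disease can be detected using hyperspectral cameras and neural-network-based learning algorithms.

○ Detecting crop growth status

- By detecting growth status, harvest time can be determined automatically, and robots can also check for marketable size and growth condition and harvest automatically.

- United States: Agribotix and PrecisionHawk possess technology for analyzing crop condition using drones or sensors.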

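III. Building Base Data for AI in Agriculture

1. Building photo data and data infrastructure

- The area with the widest application will be learning from information captured in photographs.

- When the base data has differing backgrounds and low resolution, it is difficult to use in a training environment.

- In addition, the amount of related metadata available in Korea is insufficient.

- For example, to collect an adequate number of images at each stage, for a single stage or for the same disease, detailed information such as angle and amount of light must be secured along with them.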

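○ Metadata categories that each data item must include, assuming 15 images are collected per individual disease

- Crop type: basic vocabulary identifying the crop; based on the scientific name, it can be provided in multiple languages such as English and Korean.

- Variety: which variety it is must be described. Apples have hundreds of varieties, and improved varieties keep appearing.

- Disease type: training data must be accumulated to match the number of entries in each disease library.

- Images by stage of disease progression: severity can differ as a disease progresses, so each such state needs to be photographed. Where collection is possible, suitable photographs for each stage should be taken and recorded in the metadata.

- Capture resolution: images must be classified as high, medium, or low resolution according to the capture resolution.

- Capture date and time: the amount of daylight can differ by date and time, so these must be distinguished.

- Capture location: it must be possible to distinguish between photographing a single detached leaf or fruit and photographing on an actual farm.

- Width, area, size: standardized measurement information from which the size can be determined must be provided.

- Silhouette region information and spectral imaging information: leaf segmentation information provided as black-and-white silhouettes will help an AI system grasp the situation quickly, without going through difficult search steps such as first locating the leaf. Spectral imaging information can likewise help build initial data related to pests and diseases, growth status, and so on, and provide related information. It should be provided linked together with the basic photo information.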

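※ Number of data items that must be captured based on the metadata set

- Considering 2 crops, 4 varieties, 6 diseases, 6 stages per disease, 3 capture resolutions, 4 dates, 12 hours, 3 weather conditions, training and test data for these (2 types), 15 valid training items per type, and 2 capture locations, a total of 7,464,960 images must be captured, and metadata must be entered for each one.

- If silhouette and spectral information are added, an even larger volume of information must be stored alongside.

- Expert identification of which disease each captured image shows and what stage it is in must be carried out as well.

- Accordingly, expert knowledge about the relevant pests and diseases must be entered together with the data.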

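2. Repository for measurement data

- For an agricultural AI system to find optimal values, optimized cases must be found and turned into exemplary data sets, and data sets that produced the worst results must also be built so that both are considered together.

- Time-series data sets must be created for weather conditions, temperature, humidity, and so on.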

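3. Terminology and semantic network data

- Information about each photo must be entered clearly so that agricultural workers can decide what action to take, predict how the situation will develop, and plan a response.

- Taking apples as an example, apple variety names such as 'Hongro', 'Starkrimson', and 'Spur Earliblaze' must be clearly recorded in the library, and a standardized information structure must exist for fruit and leaf information; only then can the data serve as a complete AI base data set.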

IV. Technologies to Be Developed

1. Simplification of data construction and automatic indexing

2. Standardized data repositories and open data

Posted by manga0713

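*** Source: [iitp] Amazon Leads the Smart Speaker Market; Round Two Is Speakers with a 'Display'

*** Document:

file4357685885908973594-185904.pdf

■ According to IDC, the most vibrant segments of the smart home device market are smart speakers and video entertainment devices.

■ Amazon currently holds a majority share of the smart speaker market, but Google is forecast to rise to a level similar to Amazon's in five years.

[Forecast of worldwide smart speaker unit sales by platform]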

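■ Amazon releases speakers with displays to keep its market lead

- Offers a different user experience: playing video news, showing the weather, serving as a camera monitor when connected to home network cameras, and so on.

○ Echo Spot

- Has a round display 2.5 inches in diameter

○ Echo Show

- 7-inch display

○ Echo Look

- Can take full-body profile photos of the user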

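■ Google announces the release of display-equipped devices that can use Google Assistant

○ Lenovo Smart Display

- Includes video calling, which Echo Spot does not yet offer

- Provides access to content such as calendar, maps, TV, YouTube, YouTube TV viewing, and cooking recipes

■ Besides adding displays, smart speaker makers are also seeking to expand the market by developing various products aimed at the enterprise solutions market.

Posted by manga0713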

[Contact Center AI, Reference architecture]

*** Source: [iitp] Google Announces 'Call Center AI' Service, Emphasizing That It Is a Solution for Collaboration Between Agents and AI

*** Document:

file1475132122588007514-185903.pdf

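■ Contact Center AI

- An enterprise solution in which AI takes over the work of call center agents (operators)

- If a customer's question is simple, it answers directly; if handling by a person is needed, it connects the caller to the appropriate staff member.

- It replaces the existing tree-style phone system with one in which a virtual AI agent answers questions before a human agent takes the call. Because Google Contact Center AI provides context information, the same questions reportedly do not have to be repeated after the agent takes over the call.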

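■ eBay takes part in the early beta test

- It aims to solve the following three problems:

① Customers have to wander through an irritating tree-style phone system and answer endless questions before the company finally understands why they are calling; as a result, most inquiry calls end up midway in a request to speak directly with an agent.

② The same information has to be provided repeatedly; even when the customer finally reaches an agent, half of the call is often spent giving again the information already entered and answered earlier.

③ The information agents can access to resolve customer inquiries is limited, so even after the hard-won connection to an agent, the customer ultimately cannot get the problem solved.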

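■ AI chatbot integrated into Contact Center AI

- Applies technology similar to the AI virtual assistant 'Duplex'

- Contact Center AI discloses from the start that it is a computer and begins talking with the consumer in a human tone.

- It converses with the consumer using an open-ended conversation model with no templates, confirms what is needed, and responds to the consumer's remarks on the fly.

[Conversation between the Contact Center AI chatbot and a consumer]

- While identifying and responding to the consumer's intent, it records the conversation and also infers the customer's request and the follow-on requests derived from it in order to connect the customer to the right staff member.

- When an agent talks with the consumer, the AI analyzes the conversation in real time, identifies the consumer's intent, and even recommends the best product to the agent.

Posted by manga0713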

*** Source: [US-CERT: Bulletin(SB18-225)] Security vulnerabilities published through August 6, 2018

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.

 

Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no medium vulnerabilities recorded this week.

 

Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.

 

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
aedes -- aedes Improper authorization in aedes version <0.35.0 will publish a LWT in a channel when a client is not authorized. 2018-08-08 not yet calculated CVE-2018-3778
MISC, MISC, MISC
apache -- airflow It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above. 2018-08-06 not yet calculated CVE-2017-12614
MLIST
arubanetworks -- airwave Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation. 2018-08-06 not yet calculated CVE-2016-8526
CONFIRM, BID, EXPLOIT-DB
arubanetworks -- airwave Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into AirWave in the same browser. 2018-08-06 not yet calculated CVE-2016-8527
CONFIRM, BID, EXPLOIT-DB
arubanetworks -- arubaos Multiple memory corruption flaws are present in ArubaOS which could allow an unauthenticated user to crash ArubaOS processes. With sufficient time and effort, it is possible these vulnerabilities could lead to the ability to execute arbitrary code - remote code execution has not yet been confirmed. 2018-08-06 not yet calculated CVE-2017-9003
CONFIRM, SECTRACK
arubanetworks -- arubaos ArubaOS, all versions prior to 6.3.1.25, 6.4 prior to 6.4.4.16, 6.5.x prior to 6.5.1.9, 6.5.2, 6.5.3 prior to 6.5.3.3, 6.5.4 prior to 6.5.4.2, 8.x prior to 8.1.0.4 FIPS and non-FIPS versions of software are both affected equally is vulnerable to unauthenticated arbitrary file access. An unauthenticated user with network access to an Aruba mobility controller on TCP port 8080 or 8081 may be able to access arbitrary files stored on the mobility controller. Ports 8080 and 8081 are used for captive portal functionality and are listening, by default, on all IP interfaces of the mobility controller, including captive portal interfaces. The attacker could access files which could contain passwords, keys, and other sensitive information that could lead to full system compromise. 2018-08-06 not yet calculated CVE-2017-9000
CONFIRM, SECTRACK
arubanetworks -- clearpass Aruba ClearPass prior to 6.6.9 has a vulnerability in the API that helps to coordinate cluster actions. An authenticated user with the "mon" permission could use this vulnerability to obtain cluster credentials which could allow privilege escalation. This vulnerability is only present when authenticated as a user with "mon" permission. 2018-08-06 not yet calculated CVE-2018-7059
CONFIRM
arubanetworks -- clearpass Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface. 2018-08-06 not yet calculated CVE-2018-7060
CONFIRM
arubanetworks -- clearpass Aruba ClearPass, all versions of 6.6.x prior to 6.6.9 are affected by an authentication bypass vulnerability, an attacker can leverage this vulnerability to gain administrator privileges on the system. The vulnerability is exposed only on ClearPass web interfaces, including administrative, guest captive portal, and API. Customers who do not expose ClearPass web interfaces to untrusted users are impacted to a lesser extent. 2018-08-06 not yet calculated CVE-2018-7058
CONFIRM
arubanetworks -- clearpass Aruba ClearPass 6.6.3 and later includes a feature called "SSH Lockout", which causes ClearPass to lock accounts with too many login failures through SSH. When this feature is enabled, an unauthenticated remote command execution vulnerability is present which could allow an unauthenticated user to execute arbitrary commands on the underlying operating system with "root" privilege level. This vulnerability is only present when a specific feature has been enabled. The SSH Lockout feature is not enabled by default, so only systems which have enabled this feature are vulnerable. 2018-08-06 not yet calculated CVE-2017-9001
CONFIRM
arubanetworks -- clearpass All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross-site scripting vulnerabilities. By exploiting this vulnerability, an attacker who can trick a logged-in ClearPass administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into ClearPass in the same browser. 2018-08-06 not yet calculated CVE-2017-9002
CONFIRM
asus -- hg100_devices ASUS HG100 devices allow denial of service via an IPv4 packet flood. 2018-08-10 not yet calculated CVE-2018-11492
MISC
atlassian -- cloudtoken Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles. 2018-08-10 not yet calculated CVE-2018-13390
MISC
auracms -- auracms AuraCMS 2.3 allows XSS via a Bukutamu -> AddGuestbook action. 2018-08-07 not yet calculated CVE-2018-15199
MISC
celalink -- clr-m20_devices CeLa Link CLR-M20 devices allow unauthorized users to upload any file (e.g., asp, aspx, cfm, html, jhtml, jsp, or shtml), which causes remote code execution as well. Because of the WebDAV feature, it is possible to upload arbitrary files by utilizing the PUT method. 2018-08-07 not yet calculated CVE-2018-15137
MISC
cgit -- cgit cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request. 2018-08-03 not yet calculated CVE-2018-14912
MISC, MLIST, MISC, DEBIAN
cisco -- thor Stack-based buffer overflow in the Cisco Thor decoder before commit 18de8f9f0762c3a542b1122589edb8af859d9813 allows local users to cause a denial of service (segmentation fault) and execute arbitrary code via a crafted non-conformant Thor bitstream. 2018-08-09 not yet calculated CVE-2018-0429
CONFIRM
cobbler -- cobbler It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. 2018-08-09 not yet calculated CVE-2018-10931
REDHAT, CONFIRM
coremail -- coremail Cross-site scripting (XSS) vulnerability in intervalCheck.jsp in Coremail XT 3.0 allows remote attackers to inject arbitrary web script or HTML via the sid parameter. 2018-08-10 not yet calculated CVE-2018-14503
MISC
couchdb -- couchdb CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007. 2018-08-08 not yet calculated CVE-2018-11769
BID, MISC
craft -- cms A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code. 2018-08-06 not yet calculated CVE-2018-14716
MISC, CONFIRM, CONFIRM, CONFIRM, CONFIRM, EXPLOIT-DB
crestron -- tsw-x60_and_mc3 For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is left open. 2018-08-10 not yet calculated CVE-2018-10630
MISC
crestron -- tsw-x60_and_mc3 Crestron TSW-X60 all versions prior to 2.001.0037.001 and MC3 all versions prior to 1.502.0047.00, The passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges. 2018-08-10 not yet calculated CVE-2018-13341
MISC
csrf-magic -- csrf-magic In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used. 2018-08-07 not yet calculated CVE-2013-7464
MISC, MISC, MISC
dell -- wyse_management_suite Dell WMS versions 1.1 and prior are impacted by multiple unquoted service path vulnerabilities. Affected software installs multiple services incorrectly by specifying the paths to the service executables without quotes. This could potentially allow a low-privileged local user to execute arbitrary executables with elevated privileges. 2018-08-10 not yet calculated CVE-2018-11063
MISC
dell_emc -- data_protection_advisor_and_data_protection_appliance Dell EMC Data Protection Advisor, versions 6.2, 6.3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain an XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request. 2018-08-10 not yet calculated CVE-2018-11048
FULLDISC, SECTRACK
dilawar -- sound An issue has been found in dilawar sound through 2017-11-27. The end of openWavFile in wav-file.cc has Mismatched Memory Management Routines (operator new [] versus operator delete). 2018-08-05 not yet calculated CVE-2018-14948
MISC, MISC
django -- django django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. 2018-08-03 not yet calculated CVE-2018-14574
BID, SECTRACK, UBUNTU, DEBIAN, CONFIRM
drupal -- drupal Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations. 2018-08-06 not yet calculated CVE-2017-6920
BID, SECTRACK, CONFIRM
emlsoft -- emlsoft An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF. 2018-08-06 not yet calculated CVE-2018-14966
MISC
emlsoft -- emlsoft An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF. 2018-08-06 not yet calculated CVE-2018-14965
MISC
emlsoft -- emlsoft An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.address.php has SQL Injection via the numPerPage parameter. 2018-08-06 not yet calculated CVE-2018-14968
MISC
emlsoft -- emlsoft An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.user.php has SQL Injection via the numPerPage parameter. 2018-08-06 not yet calculated CVE-2018-14967
MISC
emlsoft -- emlsoft An issue was discovered in EMLsoft 5.4.5. XSS exists via the eml/upload/eml/?action=address&do=edit page. 2018-08-06 not yet calculated CVE-2018-14964
MISC
ethereum -- eether_token An integer overflow in the unprotected distributeToken function of a smart contract implementation for EETHER (EETHER), an Ethereum ERC20 token, will lead to an unauthorized increase of an attacker's digital assets. 2018-08-08 not yet calculated CVE-2018-11561
MISC
ethereum -- megacryptopolis The doPayouts() function of the smart contract implementation for MegaCryptoPolis, an Ethereum game, has a Denial of Service vulnerability. If a smart contract that has a fallback function always causing exceptions buys a land, users cannot buy lands near that contract's land, because those purchase attempts will not be completed unless the doPayouts() function successfully sends Ether to certain neighbors. 2018-08-06 not yet calculated CVE-2018-13877
MISC
ethereum -- mycryptochamp The randMod() function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a private variable, (which can be read with a getStorageAt call). Therefore, attackers can get powerful champs/items and get rewards. 2018-08-07 not yet calculated CVE-2018-12885
MISC, MISC, MISC
ethereum -- smartmesh_token The transferProxy and approveProxy functions of a smart contract implementation for SmartMesh (SMT), an Ethereum ERC20 token, allow attackers to accomplish an unauthorized transfer of digital assets because replay attacks can occur with the same-named functions (with the same signatures) in other tokens: First (FST), GG Token (GG), M2C Mesh Network (MTC), M2C Mesh Network (mesh), and UG Token (UGT). 2018-08-10 not yet calculated CVE-2018-10769
MISC
freebsd -- freebsd One of the data structures that holds TCP segments in all versions of FreeBSD prior to 11.2-RELEASE-p1, 11.1-RELEASE-p12, and 10.4-RELEASE-p10 uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue. An attacker who has the ability to send TCP traffic to a victim system can degrade the victim system's network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost. 2018-08-09 not yet calculated CVE-2018-6922
SECTRACK, FREEBSD
gitea_and_gogs -- gitea_and_gogs An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services. 2018-08-07 not yet calculated CVE-2018-15192
MISC, MISC
gogs -- gogs A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. 2018-08-07 not yet calculated CVE-2018-15193
MISC
gogs -- gogs Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go. 2018-08-07 not yet calculated CVE-2018-15178
MISC, MISC
gxlcms -- gxlcms In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account. 2018-08-07 not yet calculated CVE-2018-15177
MISC
harmonic -- nsg_9000_devices Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account. 2018-08-05 not yet calculated CVE-2018-14943
MISC
harmonic -- nsg_9000_devices Harmonic NSG 9000 devices allow remote authenticated users to read the webapp.py source code via a direct request for the /webapp.py URI. 2018-08-05 not yet calculated CVE-2018-14941
MISC
harmonic -- nsg_9000_devices Harmonic NSG 9000 devices allow remote authenticated users to conduct directory traversal attacks, as demonstrated by "POST /PY/EMULATION_GET_FILE" or "POST /PY/EMULATION_EXPORT" with FileName=../../../passwd in the POST data. 2018-08-05 not yet calculated CVE-2018-14942
MISC
hewlett_packard_enterprise -- arcsight_winc_connector A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. 2018-08-06 not yet calculated CVE-2016-4391
BID, SECTRACK, CONFIRM
hewlett_packard_enterprise -- business_service_management A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26 2018-08-06 not yet calculated CVE-2016-4405
BID, CONFIRM
hewlett_packard_enterprise -- business_service_management A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1. 2018-08-06 not yet calculated CVE-2016-4392
BID, SECTRACK, CONFIRM
hewlett_packard_enterprise -- centralview_fraud_risk_management HPE has identified a remote privilege escalation vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version. 2018-08-06 not yet calculated CVE-2017-8992
CONFIRM
hewlett_packard_enterprise -- centralview_fraud_risk_management HPE has identified a remote disclosure of information vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version. 2018-08-06 not yet calculated CVE-2018-7070
CONFIRM
hewlett_packard_enterprise -- centralview_fraud_risk_management HPE has identified a remote HOST header attack vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version. 2018-08-06 not yet calculated CVE-2018-7068
CONFIRM
hewlett_packard_enterprise -- centralview_fraud_risk_management HPE has identified a remote unauthenticated access to files vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version. 2018-08-06 not yet calculated CVE-2018-7069
CONFIRM
hewlett_packard_enterprise -- centralview_fraud_risk_management HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version. 2018-08-06 not yet calculated CVE-2017-8991
CONFIRM
hewlett_packard_enterprise -- icewall_sso_dfw A security vulnerability in HPE IceWall SSO Dfw 10.0 and 11.0 on RHEL, HP-UX, and Windows could be exploited remotely to allow URL Redirection. 2018-08-06 not yet calculated CVE-2017-8989
CONFIRM
hewlett_packard_enterprise -- integrated_lights_out An Unauthenticated Remote Denial of Service vulnerability was identified in HPE Integrated Lights-Out 3 (iLO 3) version v1.88 only. The vulnerability is resolved in iLO3 v1.89 or subsequent versions. 2018-08-06 not yet calculated CVE-2017-8987
SECTRACK, CONFIRM
hewlett_packard_enterprise -- integrated_lights_out A remote code execution was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than version v2.60 and HPE Integrated Lights-Out 5 (iLO 5) earlier than version v1.30. 2018-08-06 not yet calculated CVE-2018-7078
SECTRACK, CONFIRM
hewlett_packard_enterprise -- integrated_lights_out A remote cross site scripting vulnerability was identified in HPE iLO 3 all versions prior to v1.88 and HPE iLO 4 all versions prior to v2.44. 2018-08-06 not yet calculated CVE-2016-4406
BID, SECTRACK, CONFIRM
hewlett_packard_enterprise -- intelligent_management_center A potential security vulnerability has been identified in HPE Intelligent Management Center Platform (IMC Plat) 7.3 E0506P09. The vulnerability could be remotely exploited to allow for remote directory traversal leading to arbitrary file deletion. 2018-08-06 not yet calculated CVE-2018-7092
SECTRACK, CONFIRM
hewlett_packard_enterprise -- intelligent_management_center_wireless_service_manager A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) Wireless Service Manager (WSM) Software earlier than version WSM 7.3 (E0506). This issue was resolved in HPE IMC Wireless Services Manager Software IMC WSM 7.3 E0506P01 or subsequent version. 2018-08-06 not yet calculated CVE-2017-8990
SECTRACK, CONFIRM
hewlett_packard_enterprise -- intelligent_management_center A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) PLAT 7.3 E0506P07. The vulnerability was resolved in iMC PLAT 7.3 E0605P04 or subsequent version. 2018-08-06 not yet calculated CVE-2018-7074
SECTRACK, CONFIRM
hewlett_packard_enterprise -- intelligent_management_center A remote cross-site scripting (XSS) vulnerability was identified in HPE Intelligent Management Center (iMC) PLAT version v7.3 (E0506). The vulnerability is fixed in Intelligent Management Center PLAT 7.3 E0605P04 or subsequent version. 2018-08-06 not yet calculated CVE-2018-7075
CONFIRM
hewlett_packard_enterprise -- keyview A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via a memory allocation issue. 2018-08-06 not yet calculated CVE-2016-4404
BID, SECTRACK, CONFIRM
hewlett_packard_enterprise -- keyview A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via buffer overflow. 2018-08-06 not yet calculated CVE-2016-4402
BID
SECTRACK
CONFIRM
hewlett_packard_enterprise -- keyview A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via memory corruption. 2018-08-06 not yet calculated CVE-2016-4403
BID
SECTRACK
CONFIRM
hewlett_packard_enterprise -- moonshot_provisioning_manager
A remote bypass of security restrictions vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24. 2018-08-06 not yet calculated CVE-2018-7072
CONFIRM
MISC
hewlett_packard_enterprise -- moonshot_provisioning_manager
A local arbitrary file modification vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24. 2018-08-06 not yet calculated CVE-2018-7073
CONFIRM
UBUNTU
MISC
hewlett_packard_enterprise -- network_function_virtualization_director
HPE has identified a remote access to sensitive information vulnerability in HPE Network Function Virtualization Director (NFVD) 4.2.1 prior to gui patch 3. 2018-08-06 not yet calculated CVE-2018-7071
CONFIRM
hewlett_packard_enterprise -- network_node_manager_i A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). 2018-08-06 not yet calculated CVE-2016-4400
BID
SECTRACK
CONFIRM
hewlett_packard_enterprise -- network_node_manager_i A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. 2018-08-06 not yet calculated CVE-2016-4397
BID
BID
SECTRACK
CONFIRM
hewlett_packard_enterprise -- network_node_manager_i A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). 2018-08-06 not yet calculated CVE-2016-4399
BID
SECTRACK
CONFIRM
hewlett_packard_enterprise -- network_node_manager_i A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization. 2018-08-06 not yet calculated CVE-2016-4398
BID
CONFIRM
hewlett_packard_enterprise -- restful_interface_tool A remote execution of arbitrary code vulnerability has been identified in HPE RESTful Interface Tool 1.5, 2.0 (hprest-1.5-79.x86_64.rpm, ilorest-2.0-403.x86_64.rpm). The issue is resolved in iLOREST v2.1 or subsequent versions. 2018-08-06 not yet calculated CVE-2017-8968
CONFIRM
hewlett_packard_enterprise -- xp_command_view_advanced_edition
A Remote Bypass of Security Restrictions vulnerability was identified in HPE XP Command View Advanced Edition Software earlier than 8.5.3-00. The vulnerability impacts DevMgr earlier than 8.5.3-00 (for Windows, Linux), RepMgr earlier than 8.5.3-00 (for Windows, Linux) and HDLM earlier than 8.5.3-00 (for Windows, Linux, Solaris, AIX). 2018-08-06 not yet calculated CVE-2017-8988
CONFIRM
hewlett_packard_enterprise -- xp_p9000_command_view_advanced_edition
HPE XP P9000 Command View Advanced Edition Software (CVAE) has an open URL redirection vulnerability in versions 7.0.0-00 to earlier than 8.60-00 of DevMgr, TSMgr and RepMgr. 2018-08-06 not yet calculated CVE-2018-7091
CONFIRM
hewlett_packard_enterprise -- xp_p9000_command_view_advanced_edition
HPE XP P9000 Command View Advanced Edition Software (CVAE) has a local and remote cross-site scripting vulnerability in versions 7.0.0-00 to earlier than 8.60-00 of DevMgr, TSMgr and RepMgr. 2018-08-06 not yet calculated CVE-2018-7090
CONFIRM
hitachi -- command_suite An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. A remote attacker may be able to exploit a flaw in the permission of messaging that may allow for information exposure via a crafted message. 2018-08-09 not yet calculated CVE-2018-14735
CONFIRM
ibm -- jazz_foundation_products IBM Jazz Foundation products (IBM Rational DOORS Next Generation 5.0 through 5.0.2 and 6.0 through 6.0.5) are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 139025. 2018-08-06 not yet calculated CVE-2018-1422
CONFIRM
BID
XF
ibm -- maximo_asset_management IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116. 2018-08-03 not yet calculated CVE-2018-1524
XF
CONFIRM
ibm -- maximo_asset_management IBM Maximo Asset Management 7.6 through 7.6.3 could allow an authenticated user to obtain sensitive information from the WhoAmI API. IBM X-Force ID: 142290. 2018-08-06 not yet calculated CVE-2018-1528
BID
XF
CONFIRM
ibm -- rhapsody_model_manager IBM Rhapsody Model Manager 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145510. 2018-08-07 not yet calculated CVE-2018-1690
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126859. 2018-08-06 not yet calculated CVE-2017-1366
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 127400. 2018-08-06 not yet calculated CVE-2017-1412
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 could allow a local attacker to inject commands into malicious files that could be executed by the administrator. IBM X-Force ID: 135855. 2018-08-06 not yet calculated CVE-2017-1755
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 126861. 2018-08-06 not yet calculated CVE-2017-1368
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 127399. 2018-08-06 not yet calculated CVE-2017-1411
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 127342. 2018-08-06 not yet calculated CVE-2017-1396
CONFIRM
XF
ibm -- security_identity_governance_virtual_appliance IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 127396. 2018-08-06 not yet calculated CVE-2017-1409
CONFIRM
XF
ibm -- websphere_mq IBM WebSphere MQ 8.0.0.2 through 8.0.0.8 and 9.0.0.0 through 9.0.0.3 could allow users to have more authority than they should have if an MQ administrator creates an invalid user group name. IBM X-Force ID: 142888. 2018-08-06 not yet calculated CVE-2018-1551
BID
XF
CONFIRM
ignited -- cms An issue was discovered in Ignited CMS through 2017-02-19. ign/index.php/admin/pages/add_page allows a CSRF attack to add pages. 2018-08-08 not yet calculated CVE-2018-15203
MISC
insteon -- hub Specially crafted commands sent through the PubNub service in Insteon Hub 2245-222 with firmware version 1012 can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. At 0x9d014cc0 the value for the cmd key is copied using strcpy to the buffer at $sp+0x11c. This buffer is 20 bytes large; sending anything longer will cause a buffer overflow. 2018-08-06 not yet calculated CVE-2017-16252
MISC
insteon -- hub An exploitable buffer overflow vulnerability exists in the PubNub message handler for the 'ad' channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. 2018-08-06 not yet calculated CVE-2017-14447
MISC
jenkins -- jenkins
jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugin is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses. 2018-08-06 not yet calculated CVE-2017-2654
CONFIRM
CONFIRM
jiofi -- 4g_hotspot_m2s_devices JioFi 4G Hotspot M2S devices allow attackers to cause a denial of service (secure configuration outage) via an XSS payload in the SSID name and Security Key fields. 2018-08-09 not yet calculated CVE-2018-15181
MISC
jpeg_encoder -- jpeg_encoder An issue has been found in jpeg_encoder through 2015-11-27. It is a heap-based buffer overflow in the function readFromBMP in jpeg_encoder.cpp. 2018-08-05 not yet calculated CVE-2018-14945
MISC
MISC
jpeg_encoder -- jpeg_encoder
An issue has been found in jpeg_encoder through 2015-11-27. It is a SEGV in the function readFromBMP in jpeg_encoder.cpp. The signal is caused by an out-of-bounds write. 2018-08-05 not yet calculated CVE-2018-14944
MISC
MISC
juunan06 -- ecommerce An issue was discovered in Juunan06 eCommerce through 2018-08-05. There is a CSRF vulnerability in ee/eBoutique/app/template/includes/crudTreatment.php that can add new users and add products. 2018-08-08 not yet calculated CVE-2018-15202
MISC
laravel -- framework In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. 2018-08-09 not yet calculated CVE-2018-15133
CONFIRM
libpq -- libpq
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected. 2018-08-09 not yet calculated CVE-2018-10915
CONFIRM
DEBIAN
CONFIRM
libreoffice -- libreoffice The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath function in certain environments such as FreeBSD libc, which might allow attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site. 2018-08-05 not yet calculated CVE-2018-14939
BID
MISC
libtiff -- libtiff
ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. 2018-08-08 not yet calculated CVE-2018-15209
MISC
linux -- kernel The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "software IO TLB" printk call. 2018-08-07 not yet calculated CVE-2018-5953
BID
MISC
linux -- kernel The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "pages/cpu" printk call. 2018-08-07 not yet calculated CVE-2018-5995
BID
MISC
linux -- kernel
The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading "ffree: " lines in a debugfs file. 2018-08-10 not yet calculated CVE-2018-7754
CONFIRM
MISC
linux -- kernel
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. 2018-08-06 not yet calculated CVE-2018-5390
BID
SECTRACK
SECTRACK
CONFIRM
UBUNTU
UBUNTU
DEBIAN
CERT-VN
CONFIRM
lxc-user-nic -- lxc-user-nic
lxc-user-nic when asked to delete a network interface will unconditionally open a user provided path. This code path may be used by an unprivileged user to check for the existence of a path which they wouldn't otherwise be able to reach. It may also be used to trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys). Affected releases are LXC: 2.0 versions above and including 2.0.9; 3.0 versions above and including 3.0.0, prior to 3.0.2. 2018-08-10 not yet calculated CVE-2018-6556
CONFIRM
CONFIRM
UBUNTU
medtronic -- mycarelink_and_patient_monitor A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product's update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network. 2018-08-10 not yet calculated CVE-2018-10626
BID
MISC
medtronic -- mycarelink_and_patient_monitor A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest. 2018-08-10 not yet calculated CVE-2018-10622
BID
MISC
multiple_vendors -- bluetooth_firmware_and_operating_system_software_drivers
Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. 2018-08-07 not yet calculated CVE-2018-5383
MISC
BID
SECTRACK
CONFIRM
CERT-VN
netcomm_wireless -- 4g_lte_light_industrial_m2m_router NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The directory of the device is listed openly without authentication. 2018-08-10 not yet calculated CVE-2018-14785
MISC
netcomm_wireless -- 4g_lte_light_industrial_m2m_router NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely. 2018-08-10 not yet calculated CVE-2018-14783
MISC
netcomm_wireless -- 4g_lte_light_industrial_m2m_router NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device. 2018-08-10 not yet calculated CVE-2018-14784
MISC
netcomm_wireless -- 4g_lte_light_industrial_m2m_router NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user. 2018-08-10 not yet calculated CVE-2018-14782
MISC
netiq -- edirectory Unvalidated redirect vulnerability in NetIQ eDirectory before 9.1.1 HF1. 2018-08-09 not yet calculated CVE-2018-7692
MISC
netiq -- edirectory Information leakage vulnerability in NetIQ eDirectory before 9.1.1 HF1 due to shared memory usage. 2018-08-09 not yet calculated CVE-2018-7686
MISC
nmap -- nmap
Nmap through 7.70, when the -sV option is used, allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted TCP-based service. 2018-08-07 not yet calculated CVE-2018-15173
MISC
MISC
ocs_inventory_ng -- ocs_inventory_server Unrestricted file upload (with remote code execution) in require/mail/NotificationMail.php in Webconsole in OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted. 2018-08-06 not yet calculated CVE-2018-14857
FULLDISC
SECTRACK
CONFIRM
onethink -- onethink An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/User/add.html that can add a user. 2018-08-07 not yet calculated CVE-2018-15198
MISC
onethink -- onethink
An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/AuthManager/addToGroup.html that can endow administrator privileges. 2018-08-07 not yet calculated CVE-2018-15197
MISC
oracle -- database_server A vulnerability was discovered in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 2018-08-10 not yet calculated CVE-2018-3110
CONFIRM
pdf2json -- pdf2json An issue has been found in PDF2JSON 0.69. The HtmlString class in ImgOutputDev.cc has Mismatched Memory Management Routines (malloc versus operator delete). 2018-08-05 not yet calculated CVE-2018-14946
MISC
MISC
pdf2json -- pdf2json An issue has been found in PDF2JSON 0.69. XmlFontAccu::CSStyle in XmlFonts.cc has Mismatched Memory Management Routines (operator new [] versus operator delete). 2018-08-05 not yet calculated CVE-2018-14947
MISC
MISC
php -- php
An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the open_basedir check. This could be abused to find files on paths outside of the allowed directories. 2018-08-07 not yet calculated CVE-2018-15132
MISC
MISC
MISC
MISC
phpcms -- phpcms
PHPCMS 9 allows remote attackers to cause a denial of service (resource consumption) via large font_size, height, and width parameters in an api.php?op=checkcode request. 2018-08-05 not yet calculated CVE-2018-14940
MISC
phpscriptsmall.com -- advanced_real_estate_script PHP Scripts Mall advanced-real-estate-script 4.0.9 has CSRF via edit-profile.php. 2018-08-10 not yet calculated CVE-2018-15187
MISC
phpscriptsmall.com -- advanced_real_estate_script PHP Scripts Mall advanced-real-estate-script has XSS via the Name field of a profile. 2018-08-10 not yet calculated CVE-2018-15189
MISC
phpscriptsmall.com -- advanced_real_estate_script PHP Scripts Mall advanced-real-estate-script 4.0.9 allows remote attackers to cause a denial of service (page structure loss) via crafted JavaScript code in the Name field of a profile. 2018-08-10 not yet calculated CVE-2018-15188
MISC
phpscriptsmall.com -- basic_b2b_script PHP Scripts Mall Basic B2B Script 2.0.0 has Reflected and Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields. 2018-08-03 not yet calculated CVE-2018-14541
MISC
EXPLOIT-DB
phpscriptsmall.com -- car_rental_script PHP Scripts Mall Car Rental Script 2.0.8 has XSS via the FirstName and LastName fields. 2018-08-09 not yet calculated CVE-2018-15182
MISC
phpscriptsmall.com -- cms_auditor_website PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF via client/auditor/updprofile.php. 2018-08-10 not yet calculated CVE-2018-15186
MISC
phpscriptsmall.com -- hotel_booking_script PHP Scripts Mall hotel-booking-script 2.0.4 allows XSS via the First Name, Last Name, or Address field. 2018-08-10 not yet calculated CVE-2018-15190
MISC
phpscriptsmall.com -- hotel_booking_script PHP Scripts Mall hotel-booking-script 2.0.4 allows remote attackers to cause a denial of service via crafted JavaScript code in the First Name, Last Name, or Address field. 2018-08-10 not yet calculated CVE-2018-15191
MISC
phpscriptsmall.com -- naukri_clone_script PHP Scripts Mall Naukri / Shine / Jobsite Clone Script 3.0.4 has Stored XSS via the USERNAME field, a related issue to CVE-2018-6795. 2018-08-09 not yet calculated CVE-2018-15184
MISC
phpscriptsmall.com -- naukri_clone_script PHP Scripts Mall Naukri / Shine / Jobsite Clone Script 3.0.4 allows remote attackers to cause a denial of service (page update outage) via crafted PHP and JavaScript code in the "Current Position" field. 2018-08-10 not yet calculated CVE-2018-15185
MISC
phpscriptsmall.com -- php_template_store_script PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile. 2018-08-06 not yet calculated CVE-2018-14869
MISC
EXPLOIT-DB
phpscriptsmall.com -- resume_builder_script PHP Scripts Mall Myperfectresume / JobHero / Resume Clone Script 2.0.6 has Stored XSS via the Full Name and Title fields. 2018-08-09 not yet calculated CVE-2018-15183
MISC
postgresql -- postgresql It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table. 2018-08-09 not yet calculated CVE-2018-10925
CONFIRM
DEBIAN
CONFIRM
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/product.php has XSS. 2018-08-06 not yet calculated CVE-2018-14973
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/user.php has XSS. 2018-08-06 not yet calculated CVE-2018-14971
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/category.php has XSS. 2018-08-06 not yet calculated CVE-2018-14976
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/down.php has XSS. 2018-08-06 not yet calculated CVE-2018-14972
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/slideshow.php has XSS. 2018-08-06 not yet calculated CVE-2018-14970
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/album.php has XSS. 2018-08-06 not yet calculated CVE-2018-14975
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/guest.php has XSS, as demonstrated by the name parameter, a different vulnerability than CVE-2018-8070. 2018-08-06 not yet calculated CVE-2018-14977
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/user/admin/add.html URI. 2018-08-06 not yet calculated CVE-2018-14978
MISC
qcms -- qcms An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/news.php has XSS. 2018-08-06 not yet calculated CVE-2018-14974
MISC
qcms -- qcms
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/system.php has XSS. 2018-08-06 not yet calculated CVE-2018-14969
MISC
responsive_filemanager -- responsive_filemanager upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter. 2018-08-03 not yet calculated CVE-2018-14728
MISC
EXPLOIT-DB
rubygems -- active-support_gem active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system. 2018-08-10 not yet calculated CVE-2018-3779
MISC
siemens -- automation_license_manager A vulnerability has been identified in Automation License Manager 5 (All versions < 5.3.4.4). An attacker with network access to the device could send specially crafted network packets to determine whether or not a network port on another remote system is accessible or not. This allows the attacker to do basic network scanning using the victim's machine. Successful exploitation requires a network connection to the affected device. The attacker does not need privileges, and no user interaction is required. The impact is limited to determining whether or not a port on a target system is accessible by the affected device. 2018-08-07 not yet calculated CVE-2018-11456
CONFIRM
siemens -- automation_license_manager A vulnerability has been identified in Automation License Manager 5 (All versions < 5.3.4.4), Automation License Manager 6 (All versions < 6.0.1). A directory traversal vulnerability could allow a remote attacker to move arbitrary files, which can result in code execution, compromising confidentiality, integrity and availability of the system. Successful exploitation requires a network connection to the affected device. The attacker does not need privileges or special conditions of the system, but user interaction is required. 2018-08-07 not yet calculated CVE-2018-11455
CONFIRM
siemens -- simatic_step_7_and_simatic_wincc A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12 (All versions), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13 (All versions), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14 (All versions < V14 SP1 Update 6), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15 (All versions < V15 Update 2). Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially crafted files which may prevent TIA Portal startup (Denial-of-Service) or lead to local code execution. No special privileges are required, but the victim needs to attempt to start TIA Portal after the manipulation. 2018-08-07 not yet calculated CVE-2018-11453
CONFIRM
siemens -- simatic_step_7_and_simatic_wincc A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12 (All versions), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13 (All versions), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14 (All versions < V14 SP1 Update 6), SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15 (All versions < V15 Update 2). Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to manipulate resources which may be transferred to devices and executed there by a different user. No special privileges are required, but the victim needs to transfer the manipulated files to a device. Execution is caused on the target device rather than on the PG device. 2018-08-07 not yet calculated CVE-2018-11454
CONFIRM
squirrelmail -- squirrelmail The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. 2018-08-05 not yet calculated CVE-2018-14950
MISC
MISC
MISC
squirrelmail -- squirrelmail The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. 2018-08-05 not yet calculated CVE-2018-14951
MISC
MISC
MISC
squirrelmail -- squirrelmail The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. 2018-08-05 not yet calculated CVE-2018-14954
MISC
MISC
MISC
squirrelmail -- squirrelmail The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. 2018-08-05 not yet calculated CVE-2018-14953
MISC
MISC
MISC
squirrelmail -- squirrelmail The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. 2018-08-05 not yet calculated CVE-2018-14952
MISC
MISC
MISC
squirrelmail -- squirrelmail The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute). 2018-08-05 not yet calculated CVE-2018-14955
MISC
MISC
MISC
symfony -- symfony An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal. 2018-08-06 not yet calculated CVE-2017-16654
CONFIRM
CONFIRM
DEBIAN
symfony -- symfony An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be interpreted as a local file path on the server-side (for example, "file:///etc/passwd"). If the application did not perform any additional checks about the value submitted to the "FileType", the contents of the given file on the server could have been exposed to the attacker. 2018-08-06 not yet calculated CVE-2017-16790
CONFIRM
DEBIAN
symfony -- symfony An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks. 2018-08-06 not yet calculated CVE-2017-16653
CONFIRM
CONFIRM
DEBIAN
thinksaas -- thinksaas ThinkSAAS through 2018-07-25 has XSS via the index.php?app=group&ac=create&ts=do groupdesc parameter. 2018-08-07 not yet calculated CVE-2018-15130
MISC
thinksaas -- thinksaas ThinkSAAS through 2018-07-25 has XSS via the index.php?app=article&ac=comment&ts=do content parameter. 2018-08-07 not yet calculated CVE-2018-15129
MISC
tibco -- activematrix_businessworks The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine. Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0. 2018-08-08 not yet calculated CVE-2018-12408
BID
MISC
CONFIRM
ubuntu -- ubuntu The CUPS AppArmor profile incorrectly confined the dnssd backend due to use of hard links. A local attacker could possibly use this issue to escape confinement. This flaw affects versions prior to 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1 in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS, and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS. 2018-08-10 not yet calculated CVE-2018-6553
MLIST
UBUNTU
DEBIAN
vdsm -- vdsm It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory or CPU time, causing a denial of service condition that could potentially impact other users of the host. 2018-08-09 not yet calculated CVE-2018-10908
MISC
CONFIRM
MISC
weaselcms -- weaselcms An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php. 2018-08-05 not yet calculated CVE-2018-14958
MISC
weaselcms -- weaselcms An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI. 2018-08-05 not yet calculated CVE-2018-14959
MISC
wolf -- cms Wolf CMS 0.8.3.1 has XSS in the Snippets tab, as demonstrated by a ?/admin/snippet/edit/1 URI. 2018-08-10 not yet calculated CVE-2018-14837