The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-19813 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/Subscribers.jsp has reflected XSS via the ConnPoolName or GroupId parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19814 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/Subscriptions.jsp has reflected XSS via the ConnPoolName or GroupId parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19815 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/UserPopupAddNewProp.jsp has reflected XSS via the ConnPoolName parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19816 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/categorytree/ChooseCategory.jsp has reflected XSS via the ConnPoolName parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19817 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/AdminAuthorisationFrame.jsp has reflected XSS via the ConnPoolName or GroupId parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19818 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/Contacts.jsp has reflected XSS via the ConnPoolName parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19819 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/Rights.jsp has reflected XSS via the ConnPoolName parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19820 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/Roles.jsp has reflected XSS via the ConnPoolName parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19821 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/SecurityPolicies.jsp has reflected XSS via the ConnPoolName parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19822 | Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page /VPortal/mgtconsole/SharedCriteria.jsp has reflected XSS via the ConnPoolName or GroupId parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19828 | Artica Integria IMS 5.0.83 has XSS via the search_string parameter. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19933 | Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19936 | PrinterOn Enterprise 4.1.4 allows Arbitrary File Deletion. | MEDIUM | Dec 17, 2018 |
| CVE-2018-19974 | In YARA 3.8.1, bytecode in a specially crafted compiled rule can read uninitialized data from VM scratch memory in libyara/exec.c. This can allow attackers to discover addresses in the real stack (not the YARA virtual stack). | MEDIUM | Dec 17, 2018 |
| CVE-2018-19975 | In YARA 3.8.1, bytecode in a specially crafted compiled rule can read data from any arbitrary address in memory, in libyara/exec.c. Specifically, OP_COUNT can read a DWORD. | HIGH | Dec 17, 2018 |
| CVE-2018-19976 | In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to information about its environment, in libyara/exec.c. This is a consequence of the design of the YARA virtual machine. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20027 | The yaml_parse.load method in Pylearn2 allows code injection. | HIGH | Dec 17, 2018 |
| CVE-2018-20092 | PTC ThingWorx Platform through 8.3.0 is vulnerable to a directory traversal attack on ZIP files via a POST request. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20133 | ymlref allows code injection. | HIGH | Dec 17, 2018 |
| CVE-2018-20168 | Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which allows attackers to cause a denial of service (physical address not valid panic) via a crafted application. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20171 | An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20172 | An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20173 | Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. | HIGH | Dec 17, 2018 |
| CVE-2018-20184 | In GraphicsMagick 1.4 snapshot-20181209 Q8, there is a heap-based buffer overflow in the WriteTGAImage function of tga.c, which allows attackers to cause a denial of service via a crafted image file, because the number of rows or columns can exceed the pixel-dimension restrictions of the TGA specification. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20185 | In GraphicsMagick 1.4 snapshot-20181209 Q8 on 32-bit platforms, there is a heap-based buffer over-read in the ReadBMPImage function of bmp.c, which allows attackers to cause a denial of service via a crafted bmp image file. This only affects GraphicsMagick installations with customized BMP limits. | LOW | Dec 17, 2018 |
| CVE-2018-20186 | An issue was discovered in Bento4 1.5.1-627. AP4_Sample::ReadData in Core/Ap4Sample.cpp allows attackers to trigger an attempted excessive memory allocation, related to AP4_DataBuffer::SetDataSize and AP4_DataBuffer::ReallocateBuffer in Core/Ap4DataBuffer.cpp. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20188 | FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. | MEDIUM | Dec 17, 2018 |
| CVE-2018-20190 | In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file. | MEDIUM | Dec 17, 2018 |
| CVE-2018-6085 | Re-entry of a destructor in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6086 | A double-eviction in the Incognito mode cache that lead to a user-after-free in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6087 | A use-after-free in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6088 | An iterator-invalidation bug in PDFium in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. | Medium | Dec 17, 2018 |
| CVE-2018-6089 | A lack of CORS checks, after a Service Worker redirected to a cross-origin PDF, in Service Worker in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6090 | An integer overflow that lead to a heap buffer-overflow in Skia in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6092 | An integer overflow on 32-bit systems in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6094 | Inline metadata in GarbageCollection in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6095 | Inappropriate dismissal of file picker on keyboard events in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to read local files via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6098 | Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | Medium | Dec 17, 2018 |
| CVE-2018-6099 | A lack of CORS checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6102 | Missing confusable characters in Internationalization in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | Medium | Dec 17, 2018 |
| CVE-2018-6103 | A stagnant permission prompt in Prompts in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass permission policy via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6104 | Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | Medium | Dec 17, 2018 |
| CVE-2018-6105 | Incorrect handling of confusable characters in Omnibox in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | Medium | Dec 17, 2018 |
| CVE-2018-6107 | Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | Medium | Dec 17, 2018 |
| CVE-2018-6108 | Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6115 | Inappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially bypass OS malware checks via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-6116 | A nullptr dereference in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | Medium | Dec 17, 2018 |
| CVE-2018-7797 | A URL redirection vulnerability exists in Power Monitoring Expert, Energy Expert (formerly Power Manager) - EcoStruxure Power Monitoring Expert (PME) v8.2 (all editions), EcoStruxure Energy Expert 1.3 (formerly Power Manager), EcoStruxure Power SCADA Operation (PSO) 8.2 Advanced Reports and Dashboards Module, EcoStruxure Power Monitoring Expert (PME) v9.0, EcoStruxure Energy Expert v2.0, and EcoStruxure Power SCADA Operation (PSO) 9.0 Advanced Reports and Dashboards Module which could cause a phishing attack when redirected to a malicious site. | MEDIUM | Dec 17, 2018 |
| CVE-2018-7804 | A URL Redirection to Untrusted Site vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a user clicking on a specially crafted link can be redirected to a URL of the attacker\'s choosing. | MEDIUM | Dec 17, 2018 |
| CVE-2018-7812 | An Information Exposure through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. | MEDIUM | Dec 17, 2018 |
