Security Vulnerabilities - CVEs Published In 2018
IBM API Connect 5.0.0.0 and 5.0.8.4 is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework. IBM X-Force ID: 148807.
CVSS Score
7.1
EPSS Score
0.003
Published
2018-12-20
IBM API Connect 5.0.0.0 through 5.0.8.4 allows a user with limited 'API Administrator level access to give themselves full 'Administrator' level access through the members functionality. IBM X-Force ID: 153914.
CVSS Score
7.2
EPSS Score
0.003
Published
2018-12-20
In Veraport G3 ALL on MacOS, a race condition when calling the Veraport API allow remote attacker to cause arbitrary file download and execution. This results in remote code execution.
CVSS Score
8.0
EPSS Score
0.01
Published
2018-12-20
In Veraport G3 ALL on MacOS, due to insufficient domain validation, It is possible to overwrite installation file to malicious file. A remote unauthenticated attacker may use this vulnerability to execute arbitrary file.
CVSS Score
8.0
EPSS Score
0.005
Published
2018-12-20
KMPlayer 4.2.2.15 and earlier have a Heap Based Buffer Overflow Vulnerability. It could be exploited with a crafted FLV format file. The problem is that more frame data is copied to heap memory than the size specified in the frame header. This results in a memory corruption and remote code execution.
CVSS Score
8.0
EPSS Score
0.031
Published
2018-12-20
All versions up to ZXCLOUD iRAI V5.01.05 of the ZTE uSmartView product are impacted by untrusted search path vulnerability, which may allow an unauthorized user to perform unauthorized operations.
CVSS Score
5.1
EPSS Score
0.003
Published
2018-12-20
A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and before allows a remote or local user to execute blacklisted files through an ASP.NET form.
CVSS Score
6.3
EPSS Score
0.001
Published
2018-12-20
CVE-2018-8653
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8643.
Known exploited
CVSS Score
7.5
EPSS Score
0.353
Published
2018-12-20
An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically confirm their accounts by sending the confirmed_at parameter with their registration request.
CVSS Score
6.5
EPSS Score
0.002
Published
2018-12-20
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-12-20