Security Vulnerabilities - CVEs Published In 2018
IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 142117.
CVSS Score
5.9
EPSS Score
0.001
Published
2018-12-06
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.0, 3.0.2, and 3.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151329.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-12-06
IBM Connections 5.0, 5.5, and 6.0 could allow an authenticated user to obtain sensitive information from invalid request error messages. IBM X-Force ID: 153315.
CVSS Score
4.3
EPSS Score
0.002
Published
2018-12-06
In V4L2SliceVideoDecodeAccelerator::Dequeue of v4l2_slice_video_decode_accelerator.cc, there is a possible out of bounds read of a function pointer due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-112181526.
CVSS Score
7.8
EPSS Score
0.0
Published
2018-12-06
The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition.
CVSS Score
7.0
EPSS Score
0.001
Published
2018-12-06
A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.
CVSS Score
8.8
EPSS Score
0.005
Published
2018-12-06
ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.
CVSS Score
7.2
EPSS Score
0.003
Published
2018-12-06
ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.
CVSS Score
7.2
EPSS Score
0.003
Published
2018-12-06
ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.
CVSS Score
7.2
EPSS Score
0.003
Published
2018-12-06
ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.
CVSS Score
7.2
EPSS Score
0.003
Published
2018-12-06