CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-1000141 284 2018-03-23 2018-04-20
7.5
None Remote Low Not required Partial Partial Partial
I, Librarian version 4.9 and earlier contains an Incorrect Access Control vulnerability in ajaxdiscussion.php that can result in any users gaining unauthorized access (read, write and delete) to project discussions.
2 CVE-2018-1000140 119 Exec Code Overflow 2018-03-23 2018-05-24
7.5
None Remote Low Not required Partial Partial Partial
rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.
3 CVE-2018-1000139 79 XSS 2018-03-23 2018-04-13
4.3
None Remote Medium Not required None Partial None
I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user.
4 CVE-2018-1000138 918 2018-03-23 2018-04-13
6.4
None Remote Low Not required Partial Partial None
I, Librarian version 4.8 and earlier contains a SSRF vulnerability in "url" parameter of getFromWeb in functions.php that can result in the attacker abusing functionality on the server to read or update internal resources.
5 CVE-2018-1000137 352 CSRF 2018-03-23 2018-04-12
6.8
None Remote Medium Not required Partial Partial Partial
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge.
6 CVE-2018-1000136 19 Exec Code 2018-03-23 2018-05-14
6.8
None Remote Medium Not required Partial Partial Partial
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
7 CVE-2018-1000135 200 +Info 2018-03-20 2018-04-20
5.0
None Remote Low Not required Partial None None
GNOME NetworkManager version 1.10.2 and earlier contains a Information Exposure (CWE-200) vulnerability in DNS resolver that can result in Private DNS queries leaked to local network's DNS servers, while on VPN. This vulnerability appears to have been fixed in Some Ubuntu 16.04 packages were fixed, but later updates removed the fix. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 an upstream fix does not appear to be available at this time.
8 CVE-2018-1000134 284 2018-03-16 2018-05-24
7.5
None Remote Low Not required Partial Partial Partial
UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn't check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6.
9 CVE-2018-1000133 264 +Priv 2018-03-16 2018-04-10
6.0
None Remote Medium Single system Partial Partial Partial
Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator permissions within the web portal.. This attack appear to be exploitable via The user must be able to login, and could edit their profile and set the "System Administrator" permission to "yes" on themselves.. This vulnerability appears to have been fixed in 1.4.6 RC2.
10 CVE-2018-1000132 284 2018-03-14 2018-04-13
6.4
None Remote Low Not required Partial Partial None
Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
11 CVE-2018-1000131 89 Sql 2018-03-14 2018-04-13
7.5
None Remote Low Not required Partial Partial Partial
Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be exploitable via web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later.
12 CVE-2018-1000130 74 2018-03-14 2018-04-11
6.8
None Remote Medium Not required Partial Partial Partial
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
13 CVE-2018-1000129 79 XSS 2018-03-14 2018-04-05
4.3
None Remote Medium Not required None Partial None
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
14 CVE-2018-1000128 Exec Code Overflow 2018-03-13 2018-03-13
0.0
None ??? ??? ??? ??? ??? ???
GPAC MP4Box version prior to commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 contains a Buffer Overflow vulnerability in src/media_tools/av_parsers.c, lines 2387-2388: https://github.com/gpac/gpac/blob/84c4e606a1f906cd4b07ad94d19cea2b668f64ad/src/media_tools/av_parsers.c#L2387-L2388 that can result in may allow an attacker to achieve remote code execution. This attack appear to be exploitable via The victim must open a specially crafted MP4 file. This vulnerability appears to have been fixed in after commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4.
15 CVE-2018-1000127 190 Overflow 2018-03-13 2018-06-07
5.0
None Remote Low Not required None None Partial
memcached version prior to 1.4.37 contains an Integer Overflow vulnerability in items.c:item_free() that can result in data corruption and deadlocks due to items existing in hash table being reused from free list. This attack appear to be exploitable via network connectivity to the memcached service. This vulnerability appears to have been fixed in 1.4.37 and later.
16 CVE-2018-1000126 200 +Info 2018-03-13 2018-04-11
5.0
None Remote Low Not required Partial None None
Ajenti version 2 contains an Information Disclosure vulnerability in Line 176 of the code source that can result in user and system enumeration as well as data from the /etc/ajenti/config.yml file. This attack appears to be exploitable via network connectivity to the web application.
17 CVE-2018-1000125 20 2018-03-13 2018-04-16
7.5
None Remote Low Not required Partial Partial Partial
inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid signature. This attack appear to be exploitable via an attacker crafting a token with a valid header and body and then requests it to be validated. This vulnerability appears to have been fixed in 1.3.0 and later or after commit 0d94dcef0133d699f21d217e922564adbb83a227.
18 CVE-2018-1000124 611 2018-03-13 2018-04-13
7.5
None Remote Low Not required Partial Partial Partial
I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea.
19 CVE-2018-1000123 532 +Info 2018-03-13 2018-04-16
5.0
None Remote Low Not required Partial None None
Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim's iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf.
20 CVE-2018-1000122 119 DoS Overflow +Info 2018-03-14 2018-05-25
6.4
None Remote Low Not required Partial None Partial
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
21 CVE-2018-1000121 476 DoS 2018-03-14 2018-05-25
5.0
None Remote Low Not required None None Partial
A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service
22 CVE-2018-1000120 787 DoS Overflow 2018-03-14 2018-05-25
7.5
None Remote Low Not required Partial Partial Partial
A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.
23 CVE-2018-1000119 200 +Info CSRF 2018-03-07 2018-04-11
4.3
None Remote Medium Not required Partial None None
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
24 CVE-2018-1000118 78 Exec Code Bypass 2018-03-07 2018-04-20
9.3
None Remote Medium Not required Complete Complete Complete
Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.
25 CVE-2018-1000117 119 Exec Code Overflow 2018-03-07 2018-03-29
7.2
None Local Low Not required Complete Complete Complete
Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.
26 CVE-2018-1000116 119 Exec Code Overflow 2018-03-07 2018-03-29
7.5
None Remote Low Not required Partial Partial Partial
NET-SNMP version 5.7.2 contains a heap corruption vulnerability in the UDP protocol handler that can result in command execution.
27 CVE-2018-1000115 20 DoS 2018-03-05 2018-06-07
5.0
None Remote Low Not required None None Partial
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appear to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.
28 CVE-2018-1000114 285 2018-03-13 2018-04-04
4.0
None Remote Low Single system None Partial None
An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allow an attacker with read access to jobs to perform promotions.
29 CVE-2018-1000113 79 XSS 2018-03-13 2018-04-04
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript
30 CVE-2018-1000112 285 2018-03-13 2018-04-04
5.0
None Remote Low Not required Partial None None
An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users.
31 CVE-2018-1000111 285 2018-03-13 2018-04-04
5.0
None Remote Low Not required Partial None None
An improper authorization vulnerability exists in Jenkins Subversion Plugin version 2.10.2 and earlier in SubversionStatus.java and SubversionRepositoryStatus.java that allows an attacker with network access to obtain a list of nodes and users.
32 CVE-2018-1000110 285 2018-03-13 2018-04-04
5.0
None Remote Low Not required Partial None None
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
33 CVE-2018-1000109 285 2018-03-13 2018-04-04
4.0
None Remote Low Single system Partial None None
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs.
34 CVE-2018-1000108 79 XSS 2018-03-13 2018-04-04
4.3
None Remote Medium Not required None Partial None
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.
35 CVE-2018-1000107 285 2018-03-13 2018-04-10
4.0
None Remote Low Single system None Partial None
An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without Ownership related permissions to override ownership metadata.
36 CVE-2018-1000106 285 2018-03-13 2018-04-04
5.5
None Remote Low Single system None Partial Partial
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to modify the Gerrit configuration in Jenkins.
37 CVE-2018-1000105 285 2018-03-13 2018-04-04
4.0
None Remote Low Single system Partial None None
An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overall/Read access to retrieve some configuration information about Gerrit in Jenkins.
38 CVE-2018-1000104 255 2018-03-13 2018-04-11
2.1
None Local Low Not required Partial None None
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords.
39 CVE-2018-1000101 119 Overflow 2018-03-06 2018-03-29
7.5
None Remote Low Not required Partial Partial Partial
Mingw-w64 version 5.0.3 and earlier contains an Improper Null Termination (CWE-170) vulnerability in mingw-w64-crt (libc)->(v)snprintf that can result in The bug may be used to corrupt subsequent string functions. This attack appear to be exploitable via Depending on the usage, worst case: network.
40 CVE-2018-1000100 119 Overflow 2018-03-06 2018-03-26
6.8
None Remote Medium Not required Partial Partial Partial
GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulnerability in src/isomedia/avc_ext.c lines 2417 to 2420 that can result in Heap chunks being modified, this could lead to RCE. This attack appear to be exploitable via an attacker supplied MP4 file that when run by the victim may result in RCE.
41 CVE-2018-1000099 476 2018-03-12 2018-04-11
5.0
None Remote Low Not required None None Partial
Teluu PJSIP version 2.7.1 and earlier contains a Access of Null/Uninitialized Pointer vulnerability in pjmedia SDP parsing that can result in Crash. This attack appear to be exploitable via Sending a specially crafted message. This vulnerability appears to have been fixed in 2.7.2.
42 CVE-2018-1000098 190 Overflow 2018-03-12 2018-04-11
5.0
None Remote Low Not required None None Partial
Teluu PJSIP version 2.7.1 and earlier contains a Integer Overflow vulnerability in pjmedia SDP parsing that can result in Crash. This attack appear to be exploitable via Sending a specially crafted message. This vulnerability appears to have been fixed in 2.7.2.
43 CVE-2018-1000097 119 Exec Code Overflow 2018-03-12 2018-04-13
6.8
None Remote Medium Not required Partial Partial Partial
Sharutils sharutils (unshar command) version 4.15.2 contains a Buffer Overflow vulnerability in Affected component on the file unshar.c at line 75, function looks_like_c_code. Failure to perform checking of the buffer containing input line. that can result in Could lead to code execution. This attack appear to be exploitable via Victim have to run unshar command on a specially crafted file..
44 CVE-2018-1000096 295 2018-03-12 2018-04-11
6.8
None Remote Medium Not required Partial Partial Partial
brianleroux tiny-json-http version all versions since commit 9b8e74a232bba4701844e07bcba794173b0238a8 (Oct 29 2016) contains a Missing SSL certificate validation vulnerability in The libraries core functionality is affected. that can result in Exposes the user to man-in-the-middle attacks.
45 CVE-2018-1000095 79 XSS 2018-03-12 2018-04-09
3.5
None Remote Medium Single system None Partial None
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.
46 CVE-2018-1000094 434 Exec Code 2018-03-12 2018-04-10
6.5
None Remote Low Single system Partial Partial Partial
CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that can result in Allows an authenticated admin that has access to the file manager to execute code on the server. This attack appear to be exploitable via File upload -> copy to any extension.
47 CVE-2018-1000093 352 Exec Code 2018-03-13 2018-04-05
6.8
None Remote Medium Not required Partial Partial Partial
CryptoNote version version 0.8.9 and possibly later contain a local RPC server which does not require authentication, as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the cryptocurrency wallet if an attacker can trick an application such as a web browser into connecting and sending a command for example. This attack appears to be exploitable via a victim visiting a webpage hosting malicious content that trigger such behavior.
48 CVE-2018-1000092 352 CSRF 2018-03-13 2018-04-10
6.8
None Remote Medium Not required Partial Partial Partial
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6.
49 CVE-2018-1000091 119 Exec Code Overflow 2018-03-13 2018-04-10
6.5
None Remote Low Single system Partial Partial Partial
KadNode version version 2.2.0 contains a Buffer Overflow vulnerability in Arguments when starting up the binary that can result in Control of program execution flow, leading to remote code execution.
50 CVE-2018-1000090 611 DoS 2018-03-13 2018-04-13
7.8
None Remote Low Not required None None Complete
textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appear to be exploitable via Uploading a specially crafted XML file.
Total number of vulnerabilities : 1339   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.