1378 matches found

CVE | added 2023/04/18 2:24 p.m. | 16 views

CVE-2018-19454

The connected document identifies a concrete vulnerability in yiisoft/yii2: information disclosure caused by credentials (e.g., HTTP auth username/password) being logged in the application’s logging target (\yii\log\Target). An attacker who can access the log files could retrieve these credential...

AI score: 7.2 | Exploits: 0

CVE | added 2023/04/18 1:55 p.m. | 30 views

CVE-2018-8085

Veracode entry VERACODE:13415 documents a SAML Signature Relocation vulnerability affecting passport-wsfed-saml2. The issue arises because the validation function does not ensure the Signature element is located correctly within an Assertion, enabling signature relocation attacks. The provided ma...

AI score: 7.2 | Exploits: 0

CVE | added 2023/04/18 1:46 p.m. | 28 views

CVE-2018-20142

CVE-2018-20142 (reserved CVE) | Affected component: the sharrre library. Vulnerability: Cross-site scripting (XSS) vulnerability in which a remote attacker can inject arbitrary JavaScript into a victim’s browser via the location hash. Impact (as described): attacker could steal session tokens or ...

AI score: 7.2 | Exploits: 0

CVE | added 2023/04/18 1:45 p.m. | 19 views

CVE-2018-14578

The connected Veracode entry identifies a concrete vulnerability in yiisoft/yii2: CSRF due to unvalidated request methods in yii\web\Request::getMethod(), allowing an attacker to bypass CSRF token checks by downgrading the HTTP method to read methods such as GET, HEAD or OPTIONS.

AI score: 7.2 | Exploits: 0

CVE | added 2023/04/18 1:15 p.m. | 33 views

CVE-2017-11859

Technical details for CVE-2017-11859 are not publicly available in the provided documents. Monitor for updates; no affected products, root cause, or remediation information is disclosed here.

AI score: 7.3 | Exploits: 0

CVE | added 2023/04/18 1:15 p.m. | 21 views

CVE-2018-8548

The connected VERACODE entry (VERACODE:8014) describes a Remote Code Execution vulnerability in microsoft.chakracore, caused by how the scripting engine renders objects in memory, allowing arbitrary code execution in the context of the authenticated user. The CVE mapping to CVE-2018-8548 is not p...

AI score: 7.2 | Exploits: 0

CVE | added 2023/04/03 3:13 p.m. | 30 views

CVE-2023-20099

Technical details for CVE-2023-20099 are not publicly available in the provided documents. Monitor for updates and the release of concrete information on affected products, impact, and remediation.

AI score: 6.8 | Exploits: 0

CVE | added 2023/03/30 6:22 p.m. | 32 views

CVE-2023-23655

CVE-2023-23655 relates to the WordPress plugin MainWP Code Snippets Extension (<= 4.0.2). The vulnerability is due to Broken Access Control: there is no authorization check when updating plugin settings, which could let any authenticated user (e.g., a subscriber) modify settings. Affected vers...

AI score: 7.2 | Exploits: 0

CVE | added 2023/03/20 9:34 a.m. | 52 views

CVE-2023-25685

IBM Security Guardium Key Lifecycle Manager (GKLM) is affected by CVE-2023-25685, an XML External Entity (XXE) vulnerability in XML data processing. A remote attacker could potentially expose sensitive information or cause memory resource consumption. The bulletin lists affected GKLM versions as ...

AI score: 7.2 | Exploits: 0

CVE | added 2023/03/17 5:12 a.m. | 52 views

CVE-2014-4920

The CVE-2014-4920 entry is confirmed to have concrete details in connected documents: the twitter-bootstrap-rails Gem for Rails contains a reflected XSS flaw in the bootstrap_flash helper, caused by inadequate input validation when handling flash messages before rendering to users. This can allow...

AI score: 7.1 | EPSS: 0.00408 | Exploits: 0

CVE | added 2023/03/13 5:32 p.m. | 20 views

CVE-2017-8231

CVE-2017-8231 is tracked in Arista EOS advisory 0029 and accompanying Nessus entry ARISTA_EOS_SA0029.NASL. Affected: Arista EOS platforms prior to 4.18.1F (various 4.16/4.17 releases listed). Issue: Rib agent restart when processing a malformed MP-BGP update attribute, caused by improper MPBGP up...

AI score: 7.1 | Exploits: 0

CVE | added 2023/03/10 5:33 p.m. | 45 views

CVE-2022-43879

CVE-2022-43879 is an SSRF vulnerability reported by IBM affecting IBM Jazz Team Server (ELM) versions 7.0.1 and 7.0.2, with remediation via iFix022/iFix023. Separate IBM advisories also document the same CVE affecting QRadar WinCollect/WinCollect Agent versions 10.0–10.1.2, with remediation by up...

AI score: 7.1 | Exploits: 0

CVE | added 2023/02/24 1:40 a.m. | 31 views

CVE-2019-4660

CVE-2019-4660 is an AngularJS client-side template injection vulnerability affecting IBM InfoSphere Information Analyzer and Information Server on Cloud. The issue allows injection of AngularJS template syntax in an internal page request, which can be interpreted by Angular and lead to cross-site...

AI score: 7.2 | Exploits: 0

CVE | added 2023/02/23 9:42 p.m. | 21 views

CVE-2019-4491

CVE-2019-4491 is an IBM MQ vulnerability where an error in the tracing functionality can be exploited to cause a denial-of-service. Connected IBM MQ advisories specify affected products and versions: IBM WebSphere MQ 7.1 (7.1.0.0–7.1.0.9), MQ 7.5 (7.5.0.0–7.5.0.9), MQ v8 (8.0.0.0–8.0.0.12), MQ v9...

AI score: 7.2 | Exploits: 0

CVE | added 2023/02/23 9:42 p.m. | 20 views

CVE-2019-4240

CVE-2019-4240 is a bypass client-side validation vulnerability in IBM Cloud Pak System V2.3.0. An authenticated user with local access could bypass input validation and obtain administrator access due to the lack of server-side validation. IBM has addressed this by upgrading to V2.3.0.1 fixpak fo...

AI score: 7.2 | Exploits: 0

CVE | added 2023/02/23 9:41 p.m. | 29 views

CVE-2019-4757

IBM InfoSphere Information Server is vulnerable to cross-site request forgery (CSRF) under CVE-2019-4757. Affected products/versions include IBM InfoSphere Information Server (11.3, 11.5, 11.7) and InfoSphere Information Server on Cloud (11.5, 11.7). The bulletin lists remediation patches and ser...

AI score: 7.2 | Exploits: 0

CVE | added 2023/02/23 9:41 p.m. | 24 views

CVE-2019-4407

CVE-2019-4407 is a confirmed CSRF vulnerability affecting IBM InfoSphere Information Server (and InfoSphere on Cloud) as detailed in IBM’s Security Bulletin. Affected versions: InfoSphere Information Server 11.3, 11.5, 11.7 and InfoSphere Information Server on Cloud 11.5 and 11.7. The issue allow...

AI score: 7.2 | Exploits: 0

CVE | added 2023/02/22 1:46 a.m. | 35 views

CVE-2018-1995

CVE-2018-1995 is documented in the IBM UrbanCode Deploy bulletin as a vulnerability where authenticated web agents could modify another agent’s properties via a crafted request. Affected products are IBM UrbanCode Deploy Web Agents (versions 6.2.7.3–6.2.7.4 and 7.0–7.0.1.1); JMS-based agents are ...

AI score: 7.2 | Exploits: 0

CVE | added 2023/02/21 9:51 p.m. | 24 views

CVE-2016-6907

CVE-2016-6907 affects F5 BIG-IP TMM SSL/TLS virtual servers using CBC ciphers, enabling a Vaudenay timing/padding oracle attack to potentially reveal plaintext. Vulnerable platforms include BIG-IP on Cavium Nitrox with CBC ciphers (not AES-GCM or RC4); also impacts BIG-IP VE/cloud and specific ha...

AI score: 5.8 | Exploits: 0

CVE | added 2023/02/21 9:49 p.m. | 21 views

CVE-2018-1714

The IBM bulletin confirms CVE-2018-1714 affects IBM Cloud Private 2.1.0 where any user authorized to deploy a Helm chart can install an unsafe chart that runs with privileges greater than the Helm user’s. Impact is privilege escalation within the cluster, with CVSS Base Score 7. Remediation: upgr...

AI score: 7.2 | Exploits: 0