Cabinet Decisions taken on 5 APRIL 2019

 

CABINET DECISIONS – 5 APRIL 2019
 
 
1.         Cabinet has taken note that HE Mr Uhuru Kenyatta, President of the Republic of Kenya, would effect a State Visit to Mauritius from 09 to 12 April 2019.  During his visit, he would, among others, pay a courtesy call on the Acting President of the Republic of Mauritius, have a working session with the Prime Minister and attend a Business Forum organised by the Economic Development Board.
 
****
 
 
2.         Cabinet has taken note that, following an invitation made to the general public and political parties, suggestions/counter-proposals have been received in relation to the proposals on the Financing of Political Parties. Cabinet has agreed to instructions being conveyed to the Attorney General’s Office for the drafting of the Financing of Political Parties Bill.
 
****
 
 
3.         Cabinet has taken note of the arrangements being made by the Forensic Science Laboratory to acquire a Liquid Chromatography-High Resolution Mass Spectrometer System for the implementation of the drug driving testing project, as announced in Budget Speech 2018-2019, in order to detect and sanction persons under the influence of drugs, including drivers, with a view to intensifying Government’s fight against drug trafficking and abuse.
 
****
 
 
4.         Cabinet has agreed to the introduction of the Mauritius Research and Innovation Council Bill into the National Assembly.  The object of the Bill is to repeal the Mauritius Research Council Act and replace it by a new Act in order to –
 
(a)       provide for the establishment of the Mauritius Research and Innovation Council and the National Research and Innovation Fund; and
 
(b)       promote high quality research and foster innovation in the national interest.
 
****
 
 
5.         Cabinet has taken note that the Ministry of Education and Human Resources, Tertiary Education and Scientific Research and the Ministry of Education of the Republic of Kenya would sign a Memorandum of Understanding in the field of Higher Education and Scientific Research during the forthcoming State Visit of the President of the Republic of Kenya to Mauritius.  The objective of the Memorandum of Understanding is to enshrine collaboration between the two Ministries with a view to fostering cooperation between their respective institutions of higher education through staff and student exchange, scientific research and capacity building.
 
****
 
 
6.         Cabinet has taken note that Excise (Amendment) Regulations 2019 and Excise (Amendment of Schedule) Regulations 2019 would be promulgated.  The draft regulations provide for the implementation of the Budget 2018-19 measure relating to the imposition of an excise duty of Rs2 per unit on non-biodegradable disposable plastic containers, plates, bowls, cups and trays.  The Excise (Amendment) Regulations 2019 lay out the rules and procedures to operationalise the measure. 
 
            Both Regulations would come into operation on 2 May 2019.
 
 
****
 
 
7.         Cabinet has taken note that the Income Tax (Amendment of Schedule) Regulations 2019 would be made to include Mauritius Renewable Energy Agency in the list of exempt bodies of the Income Tax Act.  The Mauritius Renewable Energy Agency is a body corporate set up under the Mauritius Renewable Energy Agency Act 2015 operating under the aegis of the Ministry of Energy and Public Utilities.  Its sole source of income is from grants and it operates on a non-profit making basis.  
 
 
****
 
 
8.         Cabinet has taken note that the Investment Promotion (Property Development Scheme) (Amendment) Regulations 2019 would be made under the Economic Development Board Act.  The Regulations would set out a package of incentives to attract foreign retirees in Mauritius and also lay down the eligibility criteria to benefit from the incentives and other conditions of the Scheme.
 
 
****
 
 
9.         Cabinet has taken note that the Statutory Bodies Pension Funds (Amendment of Schedule) Regulations would be made to include the Economic Development Board in the listing of the First Schedule to the Statutory Bodies Pension Funds Act, for the establishment of a pension fund with SICOM for its employees.
 
 
****
 
 
10.       Cabinet has taken note that the Registration Duty (Amendment of Schedule) Regulations would be made under the Registration Duty Act to clarify that the lease/sublease of land and lease of building thereon for use as a private health institution would be exempted from registration duty upon registration of the lease and sub-lease agreement.  The exemption is being extended to cover the setting up of a public health institution in order to cater for the eventuality that a public health institution may be constructed on leased land.
 
 
****
 
11.       Cabinet has agreed to the setting up of a Technical Committee to look into the feasibility of establishing a Bonus Malus System for insurance of drivers and vehicles in Mauritius, and to make recommendations thereon.  The Bonus Malus System relates to an arrangement where the premium payable by a customer is adjusted according to his individual claim history. The bonus would constitute a discount in the premium which is given on the renewal of the policy if no claim is made in the previous year. On the other hand, Malus is an increase in the premium if there is a claim in the previous year. The underlying principle of the proposed Bonus Malus System is that the higher the claim frequency of a policy holder, the higher the insurance costs charged to the policy holder.  The proposed system is intended to reduce the number of casualties on our roads and is in line with the National Road Safety Strategy as drivers would be encouraged to be more careful.
 
 
****
 
 
12.       Cabinet has agreed to the opening of a Consulate General of the Republic of Mauritius and the appointment of a Consul General of the Republic of Mauritius in Jeddah, Saudi Arabia as announced in the Budget Speech 2016-2017.
 
 
****
 
 
13.       Cabinet has agreed to the State of Mauritius acceding to the Convention on the Prevention and Punishment of the Crime of Genocide.  The Convention was the first human rights treaty to be adopted by the United Nations General Assembly, on 9 December 1948 and entered into force on 12 January 1951.  The Convention provides, inter alia, for a precise definition of the crime of genocide in legal terms, including the required intent and the prohibited acts, and the application of the treaty and its reservations. It also specifies that the crime of genocide may be committed in time of peace or in time of war and provides for punishment of persons committing genocide whether they are constitutionally responsible rulers, public officials or private individuals.
 
 
****
 
 
14.       Cabinet has agreed to Mauritius supporting the request of the Russian Federation for observer status in the Indian Ocean Commission (IOC).
 
 
****
 
15.       Cabinet has taken note that the Ministry of Health and Quality of Life would proceed with its annual vaccination campaign against seasonal influenza as from 11 April 2019 at the level of the Regional and District Hospitals, Mediclinics and Area Health Centres and thereafter in Rodrigues and Agalega.  The vaccination campaign would target the vulnerable sections of the population recommended by the WHO as well as the general public.
 
****
 
16.       Cabinet has taken note that the Mauritius Accreditation Service (MAURITAS) has been admitted as a signatory, that is, an Arrangement Member to the Southern African Development Community Cooperation in Accreditation (SADCA) Mutual Recognition Arrangement at the 23rd General Assembly of the SADCA.  The SADCA is a cooperation structure established under the SADC Protocol on Trade and its main objective is to establish, manage and maintain a Mutual Recognition Arrangement between Accreditation Bodies in the region.
 
Cabinet has also taken note that Mrs C. Matadeen-Domun, Assistant Accreditation Manager at MAURITAS, has been elected as SADCA Marketing and Communication Committee Vice Chair.  She would be assisting the Chairperson of the Committee to develop the SADCA marketing and communication strategy, as well as prepare promotional material for use by SADCA members.
 
 
****
 
 
17.       Cabinet has taken note that a Special Call for Proposals on “Expanding access to early childhood care services at community level for vulnerable children” would be launched by the National Corporate Social Responsibility Foundation. Vulnerable children would be given the opportunity to have access to day care centres in order to develop their capacities at a very early age and help them in their educational development. The role of non-governmental organisations as child day care service providers would be crucial to enhance access to child day care services in poor and disadvantaged regions.
 
 
****
 
 
18.       Cabinet has taken note that a Regional Workshop on Oceanographic Research and Data in the Western Indian Ocean region, would be organised by the United Nations Environment Programme (UNEP) Nairobi Convention, in Mauritius from 27 to 29 May 2019.  The overall objective of the Regional Workshop would be to establish and operationalise the science to policy platform as a core structure within the Nairobi Convention.  Discussions would also be held on the need for a regional ecosystem/indicator monitoring framework and road map on its development.
 
 
 
****
 
 
19.       Cabinet has taken note that the Code de Commerce (Amendment) Act 2018 would come into operation on 5 April 2019.  The object of the Act is to allow the use of the value of a commercial business as a whole (fonds de commerce), including leasehold rights, trade name, intellectual property rights and goodwill, but excluding the value of freehold property, as collateral and to enhance access to credit.
 
 
 
****
 
20.       Cabinet has taken note of the activities being organised by the National Heritage Fund to mark the International Day for Monuments and Sites, observed on 18 April, namely –
 
            (a)       an Official Prize Giving Function for a Short Film Competition and a Painting Competition on 18 April 2019 at the Serge Constantin Theatre, Vacoas.  The programme would also comprise a short documentary film entitled “Rakont nou lavi lontan” by students of Rodrigues College, as well as performances of ‘Sega Tipik’, ‘Geet Gawai’, ‘Sega Tambour Chagos’ and ‘Sega Tambour Rodrig’; and
 
            (b)       Open Days for the sites/monuments on 26 and 27 April 2019.
 
****
 
21.       Cabinet has taken note of the outcome of the recent mission of the Minister of Tourism to the Kingdom of Saudi Arabia.  The Mauritius Tourism Promotion Authority and 27 tourism operators participated in the Mauritian week organised in the cities of Jeddah, Dammam and Riyadh and in the 11th International Riyadh Travel Fair. The Mauritian week consisted of roadshows, a cultural show, a photo exhibition, Mauritian food and cuisine tasting, billboard campaigns in the main cities of the Kingdom of Saudi Arabia and the launching of an aggressive online campaign.  Media interviews were given to showcase the uniqueness of our destination, our tourism products, sense of place, hospitality, cultural diversity, political stability, safety and culinary offerings.
 
The Minister of Tourism also attended the opening of the Riyadh Travel Fair which is one of the major fairs in the Middle East for the travel and tourism industry. He also paid a courtesy call on Mr Ahmad Al-Khateeb, President of the Saudi Commission for Tourism and National Heritage and briefed him about the tourism sector in Mauritius.
 
****
 
22.       Cabinet has taken note of the outcome of the recent mission of the Minister of Tourism to Réunion Island in connection with the National Day Celebrations 2019.  The Honorary Consul of Mauritius in Réunion Island organised a ceremony with the support of the Mayor of St Denis where Mauritians living in Réunion Island and the Préfet were invited.  The Mayor spoke about the progress achieved by Mauritius since the time of independence and referred to Les Jeux des Iles and the Metro Express as clear signs of a country on the move.
 
****
 
23.       Cabinet has taken note of the recent mission of the Minister of Youth and Sports to Morocco where he attended the 37th Ministerial Session of the “Conférence des Ministres de la Jeunesse et des Sports de la Francophonie” (CONFEJES).  The 37th Ministerial Session was organised under the high patronage of His Majesty the King Mohammed VI of Morocco and sponsored by the Secretary-General of the ‘Organisation Internationale de la Francophonie’.  The opening ceremony was marked by a film projection reviewing the 50-year history of CONFEJES and the traditional ceremony of transmission of the presidency.  Members present also had the opportunity to hear the testimonials of former beneficiaries of CONFEJES.  The Ministerial Conference approved, inter alia, a calendar of activities for the four-year period ending December 2022 as well as the conferment of awards to a number of officials who contributed to the development of the CONFEJES.
 
****
 
24.       Cabinet has taken note of the outcome of the recent mission of the Minister of Financial Services and Good Governance to Rwanda and South Africa.  In Rwanda, the Minister delivered a keynote address at the Africa CEO Forum, which is a high-level international event for African CEOs and investors. The Forum was attended by more than 1,500 top executives from Pan-African companies and Multi-National Companies, major financiers, bank advisors as well as political leaders.  The Economic Development Board, being a key sponsor at the Forum, leveraged the magnitude of the event to enhance the visibility of Mauritius as a jurisdiction of substance, choice and repute and made a presentation to showcase the key attributes of the Mauritius International Financial Centre as a hub for Africa.  A session was also organised to galvanise investments in the Special Economic Zone, at which the Africa Strategy for Mauritius was disseminated.
 
            In the margins of the Forum, several one-to-one meetings were conducted with General Electric Africa, Nedbank, Unilever Africa, the African Development Bank, the Africa Enterprise Challenge Fund and Norfund Housing/BDO Kenya.
 
            In South Africa, the Minister led a mission with representatives of the Economic Development Board and the Financial Services Commission.  The mission was of utmost importance to share the recent legislative amendments brought to the global and financial services sector of Mauritius with South African operators in the financial services sphere, and to position the Mauritius International Financial Centre as a prime jurisdiction of substance for establishing their regional treasury, procurement and shared services centres.  The Minister also had a meeting with the Chairperson of the Nedbank Group Limited, who demonstrated keen interest in setting up an Investment Bank in Mauritius.
 
 
****
 
 
25.       Cabinet has taken note of the appointment of Mr Azaad Aumeerally as Chairperson of the Sugar Insurance Fund Board.
 
 
 
 
******

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS system are not new. Cache poisoning, domain hijacking and BGP injections of routes to public DNS resolvers happen regularly, but they usually don’t get much attention, as they target the Internet’s core infrastructure and are in most cases not directly visible to end users. This time it was different. The recent widespread DNS hijacking attacks on several Middle Eastern, North African, European and North American governments and infrastructure providers, published by Cisco’s Talos, showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers, issued a statement that called, amongst other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is whether these attacks, and the awareness that DNSSEC is an absolutely essential base layer of protection for domain names, have had an effect on the implementation of DNSSEC in Switzerland.

More DNSSEC signed domain names

As a ccTLD operator, SWITCH publishes the number of DNSSEC-signed .ch and .li domain names every month. While the share of signed domain names is still very low, at around 3-4%, we have seen the number of signed domain names rising for two years now.

[Figure: DNSSEC signed .ch domain names, 1.4.2019]

One reason is that Infomaniak started signing all newly registered domain names by default. In March 2019 we saw an even sharper rise, with more than 10’000 .ch domain names newly DNSSEC signed. In general we saw more DNS hosters and registrars signing their domain names, but the reason for this “jump” was FireStorm, a Swiss webhoster and registrar that signed several thousand domain names on its DNS servers.

FireStorm signed them by publishing Child DS (CDS) record sets in the zones on its authoritative name servers.  This feature was introduced by SWITCH at the end of 2018 and activated at the beginning of 2019 for all .ch and .li domains. We think that CDS makes DNSSEC signing much easier for DNS hosters, especially if they are not the registrar for some of the domain names they host.
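The CDS mechanism described above rests on a simple check: the child publishes a CDS record derived from one of its own DNSKEYs, and the parent (here the .ch registry) verifies that the CDS really corresponds to a zone key in the child's DNSKEY RRset before turning it into a DS record. The following is an added example, not SWITCH's or FireStorm's code: it computes the key tag and DS digest from a DNSKEY per RFC 4034, builds the matching CDS, and performs the parent-side consistency check; it also recognises the RFC 8078 "0 0 0 00" delete signal, which goes beyond what the post mentions. All key material is constructed sample data, and example.ch is a placeholder name.

```python
"""Build and verify DNSSEC CDS/DS records for a DNSKEY (RFC 4034, RFC 7344, RFC 8078)."""
import hashlib
import struct
from dataclasses import dataclass

# Digest types registered for DS/CDS records (RFC 4509 and RFC 6605).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2):
    lowercased, length-prefixed labels, terminated by the root label."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 256 = ZSK (ZONE bit), 257 = KSK (ZONE + SEP bits)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw public key bytes (base64-decoded in presentation form)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGORITHMS[digest_type](canonical_wire_name(owner) + key.rdata()).digest()


def make_cds(owner: str, key: DNSKEY, digest_type: int = 2) -> str:
    """Presentation form of the CDS record a child zone publishes for one of its keys."""
    digest = ds_digest(owner, key, digest_type).hex().upper()
    return f"{key.key_tag()} {key.algorithm} {digest_type} {digest}"


def parse_ds(text: str):
    """Split 'tag alg digest_type hexdigest' (hex may contain spaces) into a tuple."""
    tag, alg, dtype, digest = text.split(None, 3)
    return int(tag), int(alg), int(dtype), bytes.fromhex(digest.replace(" ", ""))


def is_cds_delete(text: str) -> bool:
    """RFC 8078 section 4: a CDS of '0 0 0 00' asks the parent to remove the DS RRset."""
    return parse_ds(text) == (0, 0, 0, b"\x00")


def cds_matches_dnskey(owner: str, cds_text: str, keys) -> bool:
    """Parent-side check before publishing a DS: the CDS must correspond to a key that
    carries the ZONE bit and is actually present in the child's DNSKEY RRset."""
    tag, alg, dtype, digest = parse_ds(cds_text)
    if dtype not in DIGEST_ALGORITHMS:
        return False
    for key in keys:
        if not key.flags & 0x0100:          # ZONE bit, RFC 4034 section 2.1.1
            continue
        if key.key_tag() == tag and key.algorithm == alg and ds_digest(owner, key, dtype) == digest:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample KSK for the placeholder zone example.ch (not a real key).
    ksk = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
    cds = make_cds("example.ch", ksk)
    print("CDS:", cds)
    print("consistent with DNSKEY RRset:", cds_matches_dnskey("example.ch", cds, [ksk]))
```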

More Swiss AS are validating

With more and more domain names now signed, the question is how many of the DNS recursive resolvers in Switzerland actually validate the DNSSEC signatures of the signed zones. Thanks to measurements from APNIC we can estimate the percentage of all DNS requests that come from validating resolvers. Looking at Switzerland overall, about 13% of all requests are validated; compared to other countries in Europe this is quite low and puts Switzerland in 30th place in Europe.

If we look at the individual ASes in Switzerland, we can see that mainly corporate networks and some smaller ISPs turned on DNSSEC validation on their resolvers recently. Amongst them are ISPs like green, EWB and GGA Maur, and the bank Julius Bär, which started validating to protect their users. They joined ISPs like Quickcom and corporate networks like Novartis and Swiss Re that have already been validating on their resolvers for several years.

A special case is Salt, which currently validates about 50% of all DNS queries; this is most probably due to their usage of the Google public DNS (8.8.8.8), which validates DNS queries, a fact that can also be estimated from the APNIC Labs measurement.

Federal Administration is leading the public sector with DNSSEC deployment

The main domain used by the Swiss federation admin.ch was signed last year, and it is good to see that the Swiss federation apparently also turned on DNSSEC validation on their resolvers at about the same time.

The DNSSEC Chicken and the Egg problem is solved

So far most ISPs in Switzerland have argued that they don’t need to validate DNSSEC because nobody is signing their domain names with DNSSEC. And most DNS hosters have argued that, as long as no Swiss ISP is validating, there is no point in signing domain names. Now that we see a strong surge in DNSSEC-signed .ch domain names and more ISPs and corporate networks validating, these arguments are no longer valid.

There is no evidence that the rise in adoption of DNSSEC is directly related to the recent attacks, but we think that the public attention for DNS had its impact on the rise of DNSSEC in Switzerland.

The core Internet Infrastructure in Switzerland needs better protection

DNS is a base protocol that is used by almost every service on the Internet: web pages, e-banking, e-commerce, email and also most apps on mobile phones rely on this core service and are vulnerable to attacks on the DNS. While we see that the adoption of DNSSEC is growing in Switzerland, Swiss ISPs and other infrastructure providers like webhosters need to implement technologies that protect the DNS. DNSSEC is a mature protocol; it is supported out of the box by all major DNS servers and easy to deploy. DNSSEC has been available for the TLDs .ch and .li for about 9 years, and after the recent attacks there is no reason not to protect your services with DNSSEC.

 

Cabinet Decisions taken on 29 MARCH 2019

CABINET DECISIONS – 29 MARCH 2019
 
1.         Cabinet has agreed to the introduction of the Building Control (Amendment) Bill into the National Assembly.  The main object of the Bill is to provide, in case a notice sent by registered post by a local authority on the owner or occupier of a dangerous building returns undelivered and personal service of the notice could not be effected on the owner or occupier by an officer of the local authority, for substituted service to be effected on the owner or occupier by –
 
            (a)       affixing a notice at the owner’s or occupier’s last known residence or business address;
 
            (b)       affixing a copy of the notice at the dangerous building; and
 
            (c)        publication of the notice in two newspapers, subject to the publication of the notice in the second newspaper being effected not later than 15 days after the publication of the notice in the first newspaper.
 
****
 
2.         Cabinet has taken note of the outcome of the recent mission of Hon Pravind Kumar Jugnauth, Prime Minister, to Vienna, Austria and the United Kingdom (UK).  In Vienna, the Prime Minister was invited by the United Nations Office on Drugs and Crime (UNODC) to participate in the Ministerial Segment of the 62nd session of the Commission on Narcotic Drugs.  The Commission decided to convene a Ministerial Segment at its 62nd regular session to take stock of the implementation of the commitments made to jointly address and counter the world drug problem, following the adoption of the “Political Declaration and Plan of Action on International Cooperation towards an Integrated and Balanced Strategy to counter the World Drug Problem” in 2009.
 
The Prime Minister addressed the Ministerial Segment Meeting and underlined the measures that Government was taking to address the drug scourge in Mauritius as well as in the region.  He also indicated that one of Government’s main challenges in Mauritius was the establishment of a well-structured psycho-social support for drug users.  He stressed that one of the priorities of Government was the rehabilitation and social reintegration of drug users through the development and implementation of a health-based and a person-centred approach.
 
The Ministerial Segment also adopted the Ministerial Declaration on strengthening the actions of Member States at the national, regional and international levels to accelerate the implementation of the joint commitments to address and counter the world drug issue.
 
In the margins of the Ministerial Segment Meeting, the Prime Minister had meetings with –
 
(a)       Mr Yury Fedotov, Executive Director of the UNODC, who expressed his appreciation of the actions being taken by Mauritius to contain the scourge of drugs, and to whom a request for capacity building for the Forensic Science Laboratory was also made; and
 
(b)       Dr Amado de Andres, UNODC Regional Representative for Eastern Africa and his team with whom he reviewed the areas of cooperation.
 
In the UK, the Prime Minister met, at the request of the British authorities, the Rt Hon Theresa May, Prime Minister of the United Kingdom in the presence of the Rt Hon David Lidington CBE MP, Minister for the Cabinet Office and Chancellor of the Duchy of Lancaster and the British High Commissioner in Mauritius to discuss, among others, the Chagos Archipelago issue.  The British Prime Minister emphasised the good relations between the two countries and expressed her desire to further strengthen those relations by exploring new avenues of cooperation and joint initiatives in sectors of interest to Mauritius.
 
The Prime Minister welcomed the different proposals put forward by the UK, but at the same time, pointed out that the Chagos Archipelago issue would go back to the UN General Assembly.  Mauritius and other countries would be tabling a draft resolution at the United Nations General Assembly towards the end of April 2019.
 
The Prime Minister also had a working session with Professor Philippe Sands QC on the Chagos Archipelago issue.  He also had discussions with –
 
(a)       the Chairperson of the House of Lords Select Committee on Artificial Intelligence, His Lordship Clement-Jones and Lord Anthony St John of Bletso to discuss the way forward for Mauritius with respect to Artificial Intelligence, while taking cognizance of the latest developments in this field in the UK; and
 
(b)       Lord Meghnad Desai, Professor Emeritus at the London School of Economics, David Marsh and Philip Middleton, Chairperson and Deputy Chairperson of the Official Monetary and Financial Institutions Forum to discuss new strategies for the Mauritian economy and for the International Financial Centre.
 
****
3.         Cabinet has taken note that a Submission has been made by the Republic of Mauritius to the United Nations Commission on the Limits of the Continental Shelf (UNCLCS) on 26 March 2019, for an Extended Continental Shelf (ECS) of an approximate area of 175,000 km² in the Southern Chagos Archipelago Region.  The Submission has been made in the light of the Advisory Opinion delivered by the International Court of Justice on 25 February 2019 whereby the Court concluded that the Chagos Archipelago had been unlawfully detached from Mauritius by the United Kingdom.
 
****
 
4.         Cabinet has taken note that the Prime Minister led a delegation comprising the Minister Mentor, Minister of Defence, Minister for Rodrigues, the Minister of Health and Quality of Life, the Minister of Agro-Industry and Food Security and senior officials to Rodrigues Island on 28 March 2019, to have an in-depth assessment of the damages caused by cyclone Joaninha.
 

He took the opportunity to take stock of the progress achieved by the different stakeholders on site and noted with satisfaction that the electricity supply which was badly damaged had been restored at around 40%.  The Prime Minister also met some planters at Anse Quitor/Corail, Montagne Goyave, Anse Ally and St François who suffered loss of their crops and visited maize fields which were affected by the Fall Army Worm.  The Ministry of Agro-Industry and Food Security would assist in the fight against the outbreak.  He also visited a few ‘radiers’ at Baie du Nord and Bay Malgache which were severely flooded during the cyclone and families at Montagne Cimetière whose house had been damaged.
 
The Prime Minister had a working session with the Chief Commissioner and his Commissioners on the post cyclonic situation and the immediate actions taken to restore essential public services, namely, transport, electricity, telephone and water.
 
****
 
5.         Cabinet has taken note that following the tabling of the Report of the Director of Audit for Financial Year 2017-18 in the National Assembly, the Prime Minister has set up a Committee under the chair of the Senior Chief Executive of the Ministry of Justice, Human Rights and Institutional Reforms, to examine the Report in consultation with Ministries/Departments and to propose measures to address the weaknesses and shortcomings mentioned therein.  The Committee would also comprise the representatives of the Ministry of Finance and Economic Development and the Ministry of Civil Service and Administrative Reforms.  The Internal Control Division of the Ministry of Finance and Economic Development would follow up with Ministries/Departments to ensure that remedial actions proposed by the Committee are implemented.
 
****
 
6.         Cabinet has taken note that the Minister of Health and Quality of Life would make Regulations under the Dental Council Act for the recognition and listing of two dental institutions, namely the Gulf Medical University, United Arab Emirates and the University of Peradeniya, Sri Lanka, as recommended by the Dental Council of Mauritius.
 
****
 
7.         Cabinet has taken note of the activities that would be organised to mark World Health Day 2019, observed on 7 April.  The following activities would be held at the Trianon Convention Centre on 8 April 2019 –
 
(a)       the launching of a booklet on Non-Communicable Diseases (NCDs) and their risk factors;
 
(b)       the screening and counselling for NCDs; and
 
(c)        an exhibition on health related issues and cooking demonstration.
 
            Sensitisation campaigns would also be held on TV/Radio as well as in Community Health Centres, Women Centres, Social Welfare Centres, schools, urban/rural community settings, on the risk factors of diseases and the preventive measures to be taken.
 
            The theme for this year is “Universal Health Coverage: everyone and everywhere”.
 
****
 

 
8.         Cabinet has taken note that the Municipal City Council of Port Louis has organised a public collection of funds to help the victims of Cyclone IDAI which hit Mozambique and Zimbabwe.  Special bank accounts in the name of “The Municipal City Council of Port Louis – Victims of Cyclone IDAI” have been opened for the public to donate funds as follows –
 
            (i)         State Bank of Mauritius:     A/c No. 50300000374763; and
 
            (ii)        Mauritius Commercial Bank Ltd:   A/c No. 000446801003.
 
****
 
9.         Cabinet has agreed to the closure of Médine Sugar Mill with effect from the end of crop 2018, subject to certain conditions, in accordance with the provisions of the Mauritius Cane Industry Authority Act.  The Mauritius Cane Industry Authority recommended the closure after consultations with relevant stakeholders including planters, employees, trade unions and receiving sugar mills.  The packages to planters and workers and staff have been worked out in line with the provisions of the Blue Print on Centralisation of Sugar Milling Operations in Mauritius of May 1997.  Arrangements are also being made with other factories to receive the canes from Médine.
 
****
 
10.       Cabinet has taken note that the second edition of the 12-Hour Relay Walk, Jog, and Run for Health and Fun would be held on Saturday 30 March 2019, from 06 00hrs to 18 00hrs, at Maryse Justin Stadium, Réduit.
 
****
 
11.       Cabinet has taken note of the outcome of the recent mission of the Vice-Prime Minister, Minister of Local Government and Outer Islands and Minister of Gender Equality, Child Development and Family Welfare to New York, where she participated in the 63rd Session of the Commission on the Status of Women (CSW).  The priority theme for the year 2019 was “Social protection systems, access to public services and sustainable infrastructure for gender equality and the empowerment of women and girls” and the review theme was “Women’s empowerment and the link to sustainable development, from the 60th session of the CSW”.  In her statement at the Plenary Session, the Vice-Prime Minister, Minister of Local Government and Outer Islands and Minister of Gender Equality, Child Development and Family Welfare laid emphasis, inter alia, on –
 
            (a)       the efforts of the Government to strengthen the existing welfare state through various support programmes to ensure that “no one is left behind’’; and
 
            (b)       the use of the National Steering Committee on Gender Mainstreaming as a platform for policy dialogue and exchange of best practices.
 
            In the margins of the visit, the Vice-Prime Minister had bilateral meetings with –
 
(a)       HE (Mrs) Kersti Kaljulaid, President of Estonia on assistance to Mauritius in the field of ICT and e-governance; and
 
(b)       HE David Stanton, Minister with responsibility for Equality, Immigration and Integration of Ireland on sharing of best practices, including the policies and programmes to curb gender based violence.
 
****
 
12.       Cabinet has taken note of the outcome of the recent mission of the Attorney General, Minister of Justice, Human Rights and Institutional Reforms to Geneva, where he participated in the 40th Regular Session of the Human Rights Council, at which the Universal Periodic Review (UPR) of Mauritius was considered for adoption.  In his introductory statement, he expressed his appreciation to Member States for their participation, constructive recommendations and recognition of the progress achieved by Mauritius so far, and also explained the various challenges faced by Mauritius.  The session was transmitted live on UN Web TV, and the adoption of the UPR outcome of Mauritius was published on the website of the Office of the High Commissioner for Human Rights.  Various Member States commended Mauritius for accepting most of their recommendations, which, inter alia, related to –
 
(a)       fight against corruption;
(b)       domestic violence;
(c)       protection and promotion of human rights;
(d)       empowerment of women;
(e)       setting up of the Independent Police Complaints Commission; and
(f)        equal employment rights.
 

            In the margins of his visit, the Attorney General, Minister of Justice, Human Rights and Institutional Reforms met HE Mr Le Yucheng, Vice-Foreign Minister of the People’s Republic of China, and Mr Sanjoy Hazarika, Director of the Commonwealth Human Rights Initiative.
 
****
 
13.       Cabinet has taken note of the reconstitution of –
 
(a)       the Board of the Wastewater Management Authority with Mr Sulaiman Hansrod as Chairperson; and
 
(b)       the Board of the Irrigation Authority with Mr Kissoonduth Sarju as Chairperson.
 
 
*******
 
Our strength is our unity, states Prime Minister in his message to the nation

GIS – 13 March, 2019: Our strength is our national unity, and where we stand today is the testimony of the great maturity shown by our ancestors in 1968 in not falling into the trap of violence and division. Since independence, Mauritius has laid the foundation of an inclusive and equitable nation where people of different religions and cultural beliefs live in unity. We must all work towards an environmentally sustainable society which nurtures respect for elders, values the role of women, and promotes security among the citizens.

This was the gist of the message to the Nation of the Prime Minister, Minister of Home Affairs, External Communications and National Development Unit and Minister of Finance and Economic Development, Mr Pravind Kumar Jugnauth, on 12 March 2019 on the occasion of the 51st anniversary of the Independence and 27th anniversary of the Republic of Mauritius.
 
The Prime Minister highlighted that the 12th of March allows each and every one to celebrate 51 years of living in peace, harmony and diversity, and also to reflect on the path we have travelled, where we stand and the way forward. We have moved ahead in unity and today we are cited as a model by different international institutions, such as the World Bank, said Prime Minister Jugnauth.
 
The theme ‘Dan linite nou avanse’, which has been chosen this year, reflects a desire to join forces for a better country for us and for future generations. For instance, on 25 February 2019, the International Court of Justice issued an advisory opinion that will remain etched in the history of our country. The court, he stated, has ruled that the United Kingdom has the obligation to bring an end to its administration of the Chagos Archipelago as rapidly as possible and this is a great victory for the people of Mauritius. This, added the Prime Minister, demonstrates to the world that when a country is united, it will always succeed regardless of the adversity in front of it.
 
The theme also reflects the country’s commitment to consolidate its relations with other countries from which our ancestors came to work in difficult conditions. He underscored the huge contribution of India and its commitment to the advancement of Mauritius, with several flagship projects that are being implemented in Mauritius and Agalega.
 
Prime Minister Jugnauth also dwelt on the various Government initiatives aiming to improve social justice, such as the introduction of the National Minimum Wage last year. He underlined that no country can make such progress if its citizens do not have access to education, and it was in this context that free tertiary education in public institutions for Mauritian citizens was announced in January 2019. Furthermore, he pointed out that Government’s policy has begun to bear fruit and expressed his satisfaction with regard to the unemployment rate, which has dropped to its lowest point in the last 10 years.
 
Regarding the environment and climate change, he underlined that many families still face difficulties such as water problems and floods. One of Government’s priorities, he added, is to preserve the environment. Mr Jugnauth further observed that climate change means that the country receives a lot of rain in a short time. Government, he said, has already invested billions in the construction of drains and will continue to do so until the problem is solved.
 
Speaking about security and the Safe City project in particular, he recalled that more than 4 000 surveillance cameras will be installed in different locations across the country. This, he said, will enable every Mauritian to live in security.
 
The Prime Minister also spoke of the forthcoming Indian Ocean Island Games in Mauritius where the whole country will support Mauritian athletes and experience strong moments of patriotism.
 

Government Information Service, Prime Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius. Email: gis@govmu.org  Website: http://gis.govmu.org

International Women’s Day: Government not to tolerate any discrimination against women, exhorts PM

GIS – 08 March, 2019: Government will not tolerate any discrimination against women, and no efforts will be spared towards protecting women against injustice and violence as well as in preserving their identity. Women should have their due recognition and deserve all respect and rights in society.

The Prime Minister, Minister of Home Affairs, External Communications and National Development Unit and Minister of Finance and Economic Development, Mr Pravind Kumar Jugnauth, made this statement this morning at the official celebration of International Women’s Day 2019 held at the Swami Vivekananda International Convention Centre in Pailles. The theme chosen at national level to mark the day is “Egalite zom/fam koumans par mwa” and that of the United Nations is “Think Equal, build smart, innovate for change”.

The Deputy Prime Minister, Minister of Energy and Public Utilities, Mr Ivan Leslie Collendavelloo, the Vice-Prime Minister, Minister of Local Government and Outer Islands, Minister of Gender Equality, Child Development and Family Welfare, Mrs Fazila-Jeewa Daureeawoo, and several eminent personalities were also present on that occasion.

In his address, Prime Minister Jugnauth recalled the essential role and values of women in society at all levels of the social ladder and cautioned that prejudice and lack of respect against women, violence against women, and abuse of power to exploit women should be behind us, as such actions will result in severe sanctions.

He dwelt on the numerous measures put in place by his Government to protect women against such scourges, namely: the setting up of the Integrated Support Centre to provide victims of domestic violence with a comprehensive and integrated service; the putting in place of a dedicated service by the Citizen Support Unit of the Prime Minister’s Office in the 35 Citizens Advice Bureaux across the island to support victims of domestic violence; the Safe City project, which will help identify cases of violence; and the grant of financial assistance by the Development Bank of Mauritius in the form of loans without guarantee up to a ceiling of Rs 500 000 at a fixed interest rate of 3% to assist women to start a business, with 40% of spaces in industrial zone projects to be earmarked for women entrepreneurs; among others.

Prime Minister Jugnauth expressed his conviction that Government recognises the contribution and merit of women in the economic development of the country and reiterated his total support for women in accessing positions at high-level decision-making instances. According to him, women should unite and set the agenda for the way forward.

He further underlined that International Women’s Day is a day to reflect on the role of women in society and the family, adding that the theme for the day should not be a mere motto: each and every one should apply it in their daily life routine, and that should start in our own homes.

For his part, Deputy Prime Minister Ivan Collendavelloo encouraged and called for more women to enrol for technical jobs in the electrical engineering fields in the utilities sector, which he said is a promising sector for women in the future. He recalled the home solar project launched in 2016 for low-income households, especially those run by women at the lower rung of the social ladder, to enable them to consume electricity that they produce themselves through solar panels.

This project, he added, is part of Government’s efforts to alleviate poverty whilst contributing to the national target of achieving 35% of renewable electricity in the energy mix by 2025. He further highlighted that 46% of beneficiaries are women and that 989 households of such categories are equipped with solar panels, which will in turn help low-income communities to become energy self-sufficient and save on energy costs. He also spoke on the different schemes to provide water to the population on a 24/7 basis.

Vice-Prime Minister Mrs Fazila-Jeewa Daureeawoo called for greater emancipation of women and participation in the economic development of the country, as women have a crucial role to play in all aspects of society. She lauded all women who contributed to help Mauritius stand where it is today. She further underscored that we should instil the idea that men and women are entitled to equal rights and that women’s rights are human rights. Both should have balanced responsibilities at home so that they can have the chance to have an equal role in society and in the economy, she said. She further spoke of the various measures put in place by her Ministry to empower and protect women against domestic abuse and violence.

It is to be noted that the Integrated Support Centre to protect women against domestic violence was also launched this morning. The service, which will operate on hotline 139, will allow victims to benefit from immediate, consistent, coordinated and timely support and counselling.


Mauritius secures its digital infrastructure with the support of the European Union

The Minister of Foreign Affairs, Mr Vishnu Lutchmeenaraidoo, opened a major seminar on the theme of cyber resilience on Thursday 7 February 2019 at Le Labourdonnais Waterfront Hotel in Port Louis. The Minister of Technology, Communication and Innovation, Mr Yogida Sawmynaden, and the Ambassador of the European Union (EU) to Mauritius, Mrs Marjaana Sall, attended the event.

The robustness and security of digital connectivity have become a major development issue for countries such as Mauritius that have staked their future on the potential of the digital economy.

For the head of Mauritian diplomacy, the task is to put in place measures to protect citizens against the dangers of the digital world while taking full advantage of the opportunities offered by the cyber economy.

The “Cyber Resilience for Development” project is funded and implemented by the European Union (EU). Its objective is to enable participating countries to raise the level of security and resilience of their digital information networks.

Mauritius was selected for this support because of its capacity to adopt new information technologies and its ambition to play a leading role in the digital economy in Africa.

For the Minister, Mauritius has every asset to position itself as a leader in the region and make a major contribution to the ambitious Digital Africa project, the EU’s flagship programme for the spread of digital technology across the continent.

The Minister stressed the technology partnership between Mauritius and Estonia, a world leader in new online technologies, with a view to exploring the many opportunities of the digital economy.

In that regard, he recalled the cooperation agreement signed by the Prime Ministers of Mauritius and Estonia in November 2017 in Abidjan, Côte d’Ivoire, which provides an ideal framework for engaging in the transfer of technology and know-how.

Minister Vishnu Lutchmeenaraidoo advocated the introduction of the digital signature, which will transform the use of online services very significantly.

Estonian electronic signature technology is used in the countries of the European Union and, as such, offers Mauritian users considerable benefits in terms of compatibility and acceptance.

The Minister of Technology, Communication and Innovation, Mr Yogida Sawmynaden, for his part, outlined the measures adopted by his Ministry to ensure cyber security and cyber resilience. He also underlined the steps taken by Government to protect the population against malicious individuals and groups.

The EU Ambassador to Mauritius, Mrs Marjaana Sall, reiterated Europe’s willingness and commitment to support the development of new technology capacities in order to promote socioeconomic progress in Africa.

Cabinet Decisions taken on 30 JANUARY 2019

CABINET DECISIONS – 30 JANUARY 2019
 
 
1.         Cabinet has taken note of the outcome of the recent mission of Hon Pravind Kumar Jugnauth, Prime Minister to India where he was invited as Chief Guest for the 15th Pravasi Bharatiya Divas (PBD) in Varanasi and to attend the Kumbh Mela in Prayagraj. He was also the Guest of Honour in Mumbai for the Official Celebrations marking the 69th Anniversary of the Republic of India.
 
            As Chief Guest at the Pravasi Bharatiya Divas, the Prime Minister participated in the Inaugural Session of the Convention. The theme for the Pravasi Bharatiya Divas was ‘Role of Indian diaspora in building a new India’. Mauritius was the second largest delegation at that event with some 400 participants. These participants also attended the Kumbh Mela and the Republic Day celebrations in New Delhi. The Inaugural Session was attended, among others, by Prime Minister Modi, Shrimati S. Swaraj, Minister of External Affairs and Yogi Adityanath, Chief Minister of Uttar Pradesh.  In his address, the Prime Minister of the Republic of India stated that Non-resident Indians (NRIs) continue to play a significant role in the development of their country of residence and he called upon Indian diaspora to contribute actively in that direction. Shrimati Swaraj spoke on the origin of the Pravasi Bharatiya Divas and paid homage to former Prime Minister Atal Bihari Vajpayee for starting Pravasi Bharatiya Divas in 2003.
 
            In his speech, Hon P.K. Jugnauth, Prime Minister, laid emphasis on the role of education, which not only ensured the rapid development of Mauritius but also played a crucial role in ensuring that all religious faiths and cultures are respected and upheld. He also congratulated Prime Minister Modi on the impressive economic performance of India and the various initiatives he has taken to transform India into a modern and prosperous country for the benefit of all citizens, including the global community. The Prime Minister announced that Mauritius would be hosting the Bhaagavad Gita Mahotsav in February 2019 and the Bhojpuri Mahotsav next year. The closing ceremony was performed by the President of the Republic of India, who presented the Pravasi Bharatiya Samman to some 30 overseas Indians. In his intervention, he highlighted the importance of connecting with the youth as they are at the forefront of all development. The Prime Minister also paid a courtesy call on the President.
 
            The Prime Minister also attended the Kumbh Mela in Prayagraj which is inscribed on the Representative List of the Intangible Cultural Heritage of Humanity. He visited the Integrated Command and Control Centre which has been set up specifically to monitor and coordinate the security and safety arrangement of the entire Kumbh Mela area, spread over 3,200 hectares.  The Prime Minister also participated in the Official Celebrations marking the 69th Anniversary of the Republic of India in Mumbai held on 26 January 2019 at the Shivaji Park and was received by HE Shri C. Vidyasagar Rao, Governor of Maharashtra as well as Shri Devendra Fadnavis, Chief Minister of Maharashtra.
 
            During his stay in Mumbai, the Prime Minister launched the new corporate office of the SBM Bank (India) Ltd which is the first foreign bank to obtain a wholly-owned subsidiary licence from the Reserve Bank of India to operate in that country. This would allow the company to operate as a scheduled commercial bank and would reinforce its potential to promote trade and investment flows particularly along the India-Africa corridor.
 
            The Economic Development Board (EDB), in collaboration with the Ministry of External Affairs, the Federation of Indian Chambers of Commerce and Industry, ASSOCHAM and the Confederation of Indian Industries, also organised a Business Forum where some 130 people from the business community were briefed on the investment and trade opportunities available in Mauritius and also of the possibility of using Mauritius for investing in Africa and other emerging markets. Shri S. Prabhu, Minister of Commerce & Industry and Civil Aviation addressed the Forum.  During the Business Forum, the Prime Minister informed the participants about the incentives and support that Government was providing in terms of fiscal incentives to attract potential investors.
 
            The Prime Minister had the opportunity to visit the Bombay Stock Exchange (BSE) which is among the 10 largest Stock Exchanges of the world, where he was invited to participate at the Bell Ringing Ceremony. He also addressed the investors highlighting the opportunities existing in Mauritius and Africa.  He launched the Vision document for Africa and AFRINEX Limited which has been set up in Mauritius to further develop and internationalise the capital market in Mauritius and enhance the role of Mauritius as a regional financial hub.
 
            In the margins of the PBD 2019, the Prime Minister had the opportunity to have meetings with –
 
(a)         Shri Narendra Modi followed by a tête à tête. Prime Minister Modi thanked him for accepting to be the Chief Guest at the PBD and expressed his appreciation regarding the large number of Mauritian participants in the event and the naming of the Cyber tower in Ebene after Shri Atal Bihari Vajpayee. The Prime Minister expressed his gratitude for the assistance granted by the Indian Government in financing key infrastructure projects which are significantly changing the landscape of Mauritius. The Prime Minister of Mauritius and Prime Minister Modi discussed future areas of cooperation;
 
(b)         Shrimati S. Swaraj, Minister of External Affairs, and Shri S. Prabhu, Minister of Commerce & Industry and Civil Aviation, with whom projects that are being implemented with the assistance of the Indian Government, namely the Metro Express, the Supreme Court, the new ENT Hospital and infrastructure projects in Agalega, were reviewed. The Comprehensive Economic Cooperation and Partnership Agreement (CECPA) was also discussed; and
 
(c)        the Chief Minister of Maharashtra with whom he discussed areas of cooperation and the possibility of signing various MoUs in the fields of creative industry, culture, health, education and IT. The Chief Minister was keen to further strengthen the trade relations between Maharashtra and Mauritius and in that respect, he agreed to give his full support for a high level delegation to proceed to Mauritius to explore opportunities for investment.
 
 
*****
 
2.         Cabinet has taken note of the status regarding the extension of the Social Contract between the Ministry of Social Integration and Economic Empowerment and households eligible under the Social Register of Mauritius for another period of 18 months ending 30 June 2020.  Under the Social Contract, the beneficiaries have the obligation to, inter alia, participate in empowerment and employment programmes offered to them, ensure their children attend school with a monthly attendance of at least 90%, register with the Ministry of Labour, Industrial Relations, Employment and Training in the event they are unemployed and ensure that they attend health care centres for pre-natal, post-natal and preventive medical care.
 
 
*****
 
 
3.         Cabinet has agreed to the signing of a Memorandum of Understanding between the Ministry of Ocean Economy, Marine Resources, Fisheries and Shipping and the United Nations Conference on Trade and Development (UNCTAD) for the establishment of a Regional Centre of Excellence in the Republic of Mauritius.  The objectives of the Memorandum of Understanding are, inter alia, to –
 
(a)       establish a Regional Centre of Excellence in Mauritius to serve as a hub for capacity building in the fisheries and aquaculture sector for LDCs in the African and Asian regions respectively;
 
(b)       allow policy makers from selected African and Asian LDCs to benefit from the successful experience of Mauritius in developing its fisheries sector and building the regulatory and institutional requirements for meeting international food safety standards; and
 
(c)        foster an active exchange of experience, best practices and knowledge to better harness the development potential of the fisheries and aquaculture sector and to enhance their expertise and knowledge to strengthen domestic capacities in LDCs.
 
 
*****
 
 
4.         Cabinet has agreed to the Financial Reporting Council hosting the second meeting of the African Forum of Independent Accounting and Auditing Regulators (AFIAAR) in Mauritius in May 2019. The AFIAAR was established in March 2018 to enhance a climate of investor confidence and to ensure security and stability for global investments into the African continent.  The main objective of the AFIAAR is to provide a platform for its members to share information regarding the audit market environment and ethics, with focus on independent audit regulations and audit quality.  Some 15 foreign participants as well as some 40 local participants would attend the Forum.
 
*****
 
 
5.         Cabinet has taken note of the holding of the Third Concertation Meeting between the European Union (EU) Fishing Industry and the Indian Ocean Tuna Processing Industry in February 2019 in Mauritius.  The meeting would comprise two sessions. The first session would be devoted to the technical discussions between representatives of the EU fishing industry and the Indian Ocean Tuna processing industry and the second session would allow for discussions on wider fisheries-related issues and would be restricted to Government and EU officials.  The meeting would be co-chaired by Mauritius and DG MARE.  HE Mr J. Machado, DG MARE and other EU representatives, Government senior officials and private sector representatives of the fisheries sector of Madagascar and Seychelles have been invited to the meeting.
 
*****
 
 
6.         Cabinet has taken note of the measures being initiated for the implementation of the recommended actions in the Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG) Mutual Evaluation Report (MER).  Cabinet has also taken note that the second National Capacity Building workshop on the financing of terrorism would be held in February 2019.  The theme of the workshop would be “Protecting Non-Profit Organisations from Terrorist Abuse”.  The objective of the workshop is to assist Mauritius in implementing Recommendation 8 of the Financial Action Task Force (FATF) on Non-Profit Organisations.
 
 
*****
 
7.         Cabinet has agreed to the organisation of a regional meeting by the Eastern and Southern Africa Trade and Development Bank in March 2019, in collaboration with the Ministry of Energy and Public Utilities, to discuss the development of a proposed Regional LNG Strategy and to agree on an operating framework to guide and co-ordinate the collaboration of the Indian Ocean island states towards the joint development, financing and operationalisation of a proposed Regional Liquefied Natural Gas procurement, transportation, storage and distribution platform.
 
*****
 
8.         Cabinet has agreed to the proposed deproclamation of the public road commonly known as Decaen Street, extending over a distance of around 64 metres within the Victoria Bus Station.  In that connection, the Minister of Public Infrastructure and Land Transport would make the Port Louis (Decaen Street) (End of Public Use) Regulations.  Decaen Street would no longer be dedicated to public use as from 01 March 2019.
 
 
*****
 
 
9.         Cabinet has taken note of the outcome of the recent mission of the Deputy Prime Minister, Minister of Energy and Public Utilities to Abu Dhabi, where he participated in the 9th Assembly of the International Renewable Energy Agency (IRENA) and a Ministerial Meeting of the International Solar Alliance. The most important event of the Assembly was the appointment of Mr Francesco La Camera as the new Director General of IRENA. The 9th Assembly approved the following –
 
(a)       the scale of contributions of Member States, which has remained unchanged for Mauritius;
(b)       the Annual Report of IRENA for 2018-2019;
(c)        the financial statements of IRENA and audit reports;
(d)       the membership of the Council of IRENA for 2019 and 2020; and
(e)       various human resource and governance issues.
 
            The Deputy Prime Minister also attended a Ministerial Meeting of the International Solar Alliance and made a statement, inter alia, on the various fiscal incentives provided by Government to encourage investment in solar energy.
 
            The Central Electricity Board and the Abu Dhabi Fund for Development, also signed a loan agreement for the grant of 10 million USD to implement the Home Solar project which consists of the installation of solar PV kits on rooftops of 10,000 houses of low income families.
 
*****
 
 
10.       Cabinet has taken note that the Deputy Prime Minister, Minister of Energy and Public Utilities participated in the Swearing-in ceremony of HE Mr Andry Nirina Rajoelina, as the 6th President of the Republic of Madagascar on 19 January 2019.  The Deputy Prime Minister, Minister of Energy and Public Utilities also had meetings with HE Mr Andry Nirina Rajoelina and prominent businessmen who reiterated their commitment to invest further in Mauritius.
 
*****
 
 
11.       Cabinet has taken note that the National Sports Awards 2018 would be held on 9 February 2019 at the Caudan Arts Centre, Port Louis.  The National Sports Awards recognise and reward excellence in sports: individuals, teams and coaches receive due distinction for their outstanding performance during the preceding year, in all categories and cutting across all age groups.
 
*****
 
 
12.       Cabinet has taken note that the Ministry of Youth and Sports would launch, as from February 2019, the Youth Service Programme also called the National Youth Civic Service, for 1,000 young persons aged between 17 and 25 years.  The key objective of the National Youth Civic Service is to promote positive youth development through youth civic engagement.  The programme endeavours to steer young people to practise and exercise citizenship, develop talents, life skills and soft skills such as team building, discipline, communication and work ethics, as well as the practice of sports and physical activity.  The aim is to enhance the employability of young people and help them become agents of positive change who can contribute to society, development and peace.  The programme would be of a duration of 18 weeks on a full-time basis.
 
*****
 
13.       Cabinet has taken note of the activities being organised in the context of World Cancer Day, observed on 4 February, namely –
 
(a)       the launching of the event on 12 February 2019 at Roche Bois Social Welfare Centre where screening for breast and cervical cancer would be carried out;
 
(b)       an exhibition on healthy lifestyle and healthy diet;
 
(c)        sensitisation campaigns on television on the theme of the World Cancer Day, that is “I am and I will”, as well as at the level of Community Health Centres, Women Centres, Social Welfare Centres and schools; and
 
(d)       wide range screening for breast and cervical cancer and counselling for prevention of cancer.
 
*****
 
 
14.       Cabinet has taken note that, according to the last monthly report published by the Statistics Unit of the Ministry of Tourism, 158,043 tourists visited Mauritius in the month of December 2018 as compared to 155,615 in December 2017, i.e., an increase of 1.6%.  During the period of January to December 2018, 1,399,287 tourists visited Mauritius as compared to 1,341,860 for the same period in 2017, i.e., an increase of 4.3%.  Growth has been registered in arrivals from Germany (+25.5%), Italy (+16.2%), France (+2.0%), South Africa (+12.8%), Saudi Arabia (+233.2%), Czech Republic (+37.4%), Russia (+27.8%), Hungary (+21.9%) and Romania (+51.5%).
 
 
*****
 
 
15.       Cabinet has taken note that the Minister of Health and Quality of Life would make the Dental Council (Medical Institutions) (Amendment) Regulations under section 40 of the Dental Council Act for the recognition and listing of the Griffith University, Australia and the Chaudhary Charan Singh University, Meerut, India, following the recommendation of the Dental Council of Mauritius.
 
*****
 
 
16.       Cabinet has also taken note of the reconstitution of the –
 
            (a)       Correctional Youth Centre Board of Visitors with Dr Mahendranath Motah as Chairperson;
 
            (b)       Rehabilitation Youth Centre Board of Visitors with Mrs Leelawtee Ramsaha as Chairperson; and
 
            (c)        Agalega Island Council with Mr Gino Alfred, an Agalean, as Chairperson.
 
 
*******

Pravasi Bharatiya Divas and privileged Indo-Mauritian ties highlighted by Prime Minister Jugnauth

GIS – 30 January, 2019: The participation of Mauritius at the Pravasi Bharatiya Divas and the Republic Day in Mumbai is a privilege and affirms the longstanding and special ties that Mauritius and India share.  As regards the negotiations pertaining to the Comprehensive Economic Cooperation and Partnership Agreement (CECPA), the state of these negotiations is being reviewed and the signing of the document is on the right track.

These were the highlights of the press conference held by the Prime Minister, Minister of Home Affairs, External Communications and National  Development Unit, Minister of Finance and Economic Development, Mr Pravind Kumar Jugnauth, yesterday at the New Treasury Building in Port-Louis.  During the press conference, he spoke about his eight-day visit to India from 20 to 28 January 2019 in the context of the 15th Pravasi Bharatiya Divas in Varanasi, alongside the Kumbh Mela held at Triveni Sangam in Allahabad, Uttar Pradesh.
 
Prime Minister Jugnauth underscored the honour and privilege of Mauritius, with him as representative, to be the Chief Guest of the Government of India at the Pravasi Bharatiya Divas and at the Republic day in Mumbai, which he emphasised testifies the strong relationship and deep cultural bond between the two countries.  Mauritius, he pointed out, was the second largest participating delegation with the official delegation consisting of 18 persons, among whom three Cabinet Ministers, Senior Officials as well as representatives of Ministries, and 400 other Mauritian delegates.
 
The Prime Minister also expressed gratitude to the Government of India for the warm welcome extended which he said, reflects the people-to-people bonding that exists beyond bilateral relations.
 
Speaking about the CECPA, the Prime Minister indicated that over the course of meetings he had with the Minister for Commerce and Industry, Mr Suresh Prabhu, both countries demonstrated their intent to further boost economic activities and bring a new dimension to bilateral cooperation in the context of the Africa Strategy through the signing of the Agreement.  He expressed confidence that the CECPA will be shortly finalised, adding that discussions regarding the matter were reinitiated in 2007.  So far both parties have agreed on discussions pertaining to economic cooperation and trade in services, while talks with regards to trade in goods are still ongoing.
 
Mauritius-India bilateral meetings
 
The Mauritian Prime Minister had several bilateral meetings with various Ministers of the Indian Government during his stay.  His visit to India was marked by a bilateral meeting and a tête-à-tête with the Indian Prime Minister, Mr Narendra Modi, on 22 January 2019, with whom he discussed new avenues of cooperation to further enhance the strong ties between the two countries. Mr Jugnauth stressed the need to collaborate further to face future challenges and brought forth key developmental projects being undertaken with the financial assistance of India, including the Metro Express, the New Supreme Court, the ENT hospital and the infrastructural works being carried out in Agalega.  A meeting and tête-à-tête session were also held with the Indian President, Mr Ram Nath Kovind, during the closing session of the Pravasi Bharatiya Divas.
 
In addition, the Prime Minister had a meeting with the Minister of External Affairs, Mrs Sushma Swaraj, earlier on 21 January 2019, during which discussions focused on the excellent Indo-Mauritian bilateral ties, the numerous projects being undertaken in Mauritius and international affairs.  On the same day, the official delegation was also invited to a dinner hosted by the Chief Minister of Uttar Pradesh, Mr Yogi Adityanath.
 
Moreover, during a meeting with the Chief Minister of Maharashtra, Mr Devendra Gangadharrao Fadnavis, discussions centered on avenues of cooperation between the State of Maharashtra and Mauritius in various sectors including the creative industry, education, health and IT.
 
Furthermore, Prime Minister Jugnauth underlined that the Kumbh Mela was an opportune time to take stock of the state-of-the-art Integrated Command and Control Centre deployed to monitor and ensure the security of pilgrims, which is in line with the modern security system and use of technology envisaged for the safe-city project.  He also proceeded with the inauguration of the State Bank of Mauritius (India), the first foreign bank to receive a licence from the RBI to set up universal banking business in India through the Wholly Owned Subsidiary mode.
 
On 25 January 2019, Mr Jugnauth participated in a business forum held in Mumbai, which was an important platform to encourage Indian entrepreneurs to harness business opportunities in Mauritius in line with Mauritius’ Africa Strategy.
 
The Prime Minister was also present at the bell-ringing ceremony at the Bombay Stock Exchange as well as the launching of the Afrinex Stock Exchange.  The Prime Minister indicated that he took stock of the various activities available to provide assistance to start-ups.
 

Government Information Service, Prime Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius. Email: gis@govmu.org  Website: http://gis.govmu.org

Rogue Mobile App

Rogue mobile apps are counterfeit apps that mimic a trusted brand, or apps that carry malicious features which are not advertised. In both cases the goal is to get unsuspecting users to install the app so that sensitive information such as credit card data or login credentials can be stolen.

The usual way to install apps is through the official app store. By default, neither Android nor Apple’s iPhone allows users to install apps from unknown sources. However, this does not mean the official app store can simply be trusted: SWITCH-CERT has been monitoring Apple’s App Store and Google Play for some time and has noticed that many rogue apps manage to sneak in, Google Play in particular.

Google Play

Attackers abuse Google’s weak app review procedure to sneak rogue apps into Google Play, and counterfeit apps of Swiss brands can be found there on a regular basis. Typically such an app stays on Google Play for some time until it is removed following take-down requests from security researchers. Until that happens, unsuspecting users are likely to install it and put their data at risk.

The screenshot below shows the apps found when searching for Bluewin. Over the last months, Bluewin has been a common target of rogue counterfeit apps. The red circle marks the rogue app.

Screenshot: Play Store results for the search keyword “Bluewin”

It is not always as easy as in the screenshot above to spot the rogue app. Checking the reviews, looking at the developer address and, where possible, at other apps from the same developer gives a good first indication.

Rogue Bluewin App

The rogue Bluewin app tries to steal the user’s email credentials. It is classic phishing, but instead of a fake email it starts with a fake app. The screenshots below show the app icon and the welcome screen of the rogue app.

Entered credentials are sent to an external URL where the attacker has access to this data.

Rogue App Monitoring

As an end user it is important to always check the legitimacy of an app before installing it. Rogue apps are common even for Swiss brands (See also rogue Postfinance app article on inside-it.ch).

For larger companies, we strongly recommend that you monitor official app stores for your brand. Whether you outsource this or do it yourself, the following tasks should be part of the rogue app monitoring service:

  • Monitor your brand in app stores
  • Ability to analyze apps
    • What is it doing?
    • Where is it communicating to?
  • Take down rogue apps from app stores
  • Take down app communication end points
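The triage routine below is an added example, not SWITCH-CERT’s own tooling: it applies the checks recommended above (reviews, developer address, other apps from the same developer) to a list of store search results, matches the MD5 and package-name IOCs published in this post, and flags further apps from a developer namespace that already shipped rogue apps. The Listing fields, the official package name, the developer contacts and the sample results are constructed placeholders.

```python
"""Brand monitoring triage for app-store search results (example code)."""
import hashlib
from dataclasses import dataclass

# IOCs copied from the post: MD5 of the APK -> package name.
KNOWN_ROGUE_MD5 = {
    "31708e597d1cd7f72df63f45c47bc3e3": "com.brealmary.bluech",
    "2f8e945c52977f5a33f0afdba01721f7": "com.brealmary.devhouba",
    "2ca5a4496c93633ee00e404f364960c8": "ch.bluewemail",
}
KNOWN_ROGUE_PACKAGES = set(KNOWN_ROGUE_MD5.values())


def developer_namespace(package):
    """First two components of a package name, e.g. 'com.brealmary'.
    Returns None for two-component names such as 'ch.bluewemail', whose
    prefix would be a bare TLD and would match almost everything."""
    parts = package.lower().split(".")
    return ".".join(parts[:2]) if len(parts) >= 3 else None


# Namespaces that already shipped rogue apps, derived from the IOCs.
ROGUE_NAMESPACES = {ns for ns in map(developer_namespace, KNOWN_ROGUE_PACKAGES) if ns}


def md5_hex(data):
    """MD5 of an APK's bytes, for comparison with the published IOC hashes."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Listing:
    """One store search result; the field set is this example's own."""
    title: str
    package: str
    developer: str
    developer_email: str
    review_count: int
    apk_md5: str = ""


def assess(listing, brand, official_packages, official_domain, min_reviews=100):
    """Return (verdict, reasons): 'rogue' on an IOC hit, 'suspicious' when a
    weaker signal fires, 'unflagged' otherwise."""
    reasons = []
    pkg = listing.package.lower()
    md5 = listing.apk_md5.lower()

    # Hard evidence: published hash or package name.
    if md5 in KNOWN_ROGUE_MD5:
        reasons.append(f"APK MD5 matches IOC for {KNOWN_ROGUE_MD5[md5]}")
    if pkg in KNOWN_ROGUE_PACKAGES:
        reasons.append("package name matches a published IOC")
    if reasons:
        return "rogue", reasons

    # Other apps from a developer namespace that already shipped rogue apps.
    ns = developer_namespace(pkg)
    if ns in ROGUE_NAMESPACES:
        reasons.append(f"developer namespace {ns} previously published rogue apps")

    # Brand impersonation: brand name used by a package not on the official list.
    uses_brand = brand.lower() in listing.title.lower() or brand.lower() in pkg
    if uses_brand and pkg not in {p.lower() for p in official_packages}:
        reasons.append("brand name used by a package not on the official list")
        if listing.review_count < min_reviews:
            reasons.append(f"only {listing.review_count} reviews")
        if not listing.developer_email.lower().endswith("@" + official_domain.lower()):
            reasons.append(f"developer contact {listing.developer_email} is not on {official_domain}")

    return ("suspicious" if reasons else "unflagged"), reasons


def triage(listings, brand, official_packages, official_domain):
    """Flagged listings only, rogue first, as (package, verdict, reasons)."""
    rows = []
    for item in listings:
        verdict, reasons = assess(item, brand, official_packages, official_domain)
        if verdict != "unflagged":
            rows.append((item.package, verdict, reasons))
    return sorted(rows, key=lambda r: r[1] != "rogue")


# Constructed search results for "Bluewin". The official package name and
# the developer contacts are placeholders, not real values.
OFFICIAL_PACKAGES = {"ch.bluewin.mail.example"}
SAMPLE = [
    Listing("Bluewin E-Mail", "ch.bluewin.mail.example", "Brand owner (placeholder)",
            "apps@bluewin.ch", 12000),
    Listing("Bluewin Mail", "com.brealmary.bluech", "brealmary",
            "brealmary@mail.example", 7, "31708E597D1CD7F72DF63F45C47BC3E3"),
    Listing("Blue Mail CH", "com.brealmary.newapp", "brealmary",
            "brealmary@mail.example", 3),
    Listing("BlueWin Login", "ch.example.bluewinlogin", "dev123",
            "dev123@mail.example", 12),
    Listing("Swiss Weather", "ch.example.weather", "Example AG", "info@example.ch", 500),
]

if __name__ == "__main__":
    for package, verdict, reasons in triage(SAMPLE, "Bluewin", OFFICIAL_PACKAGES, "bluewin.ch"):
        print(f"{verdict:10} {package}: {'; '.join(reasons)}")
```

Hash matching is case-insensitive and an empty hash never matches, so listings scraped without an APK are still scored on the weaker signals.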

 

IOCs

Recent Bluewin fake apps

31708e597d1cd7f72df63f45c47bc3e3	com.brealmary.bluech
2f8e945c52977f5a33f0afdba01721f7	com.brealmary.devhouba
2ca5a4496c93633ee00e404f364960c8	ch.bluewemail

SB19-014: Vulnerability Summary for the Week of January 7, 2019

Original release date: January 14, 2019

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
microsoft — edge A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka “Microsoft Edge Memory Corruption Vulnerability.” This affects Microsoft Edge. 2019-01-08 7.6 CVE-2019-0565
BID
CONFIRM


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
arc_project — arc ARC 5.21q allows directory traversal via a full pathname in an archive file. 2019-01-07 5.0 CVE-2015-9275
MISC
MISC
getbootstrap — bootstrap In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. 2019-01-09 4.3 CVE-2016-10735
MISC
MISC
MISC
MISC
MISC
MISC
ibm — api_connect IBM API Connect 5.0.0.0 through 5.0.8.4 could allow a user authenticated as an administrator with limited rights to escalate their privileges. IBM X-Force ID: 151258. 2019-01-04 6.5 CVE-2018-1859
BID
XF
CONFIRM
microsoft — asp.net_core A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka “ASP.NET Core Denial of Service Vulnerability.” This affects ASP.NET Core 2.1. This CVE ID is unique from CVE-2019-0548. 2019-01-08 5.0 CVE-2019-0564
BID
REDHAT
CONFIRM
microsoft — office An information disclosure vulnerability exists when Microsoft Outlook improperly handles certain types of messages, aka “Microsoft Outlook Information Disclosure Vulnerability.” This affects Office 365 ProPlus, Microsoft Office, Microsoft Outlook. 2019-01-08 4.3 CVE-2019-0559
BID
CONFIRM
microsoft — office An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory, aka “Microsoft Office Information Disclosure Vulnerability.” This affects Office 365 ProPlus, Microsoft Office. 2019-01-08 4.3 CVE-2019-0560
BID
CONFIRM
yunucms — yunucms YUNUCMS 1.1.8 has XSS in app/admin/controller/System.php because crafted data can be written to the sys.php file, as demonstrated by site_title in an admin/system/basic POST request. 2019-01-04 4.3 CVE-2019-5310
MISC
yunucms — yunucms An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.php has an XSS vulnerability via the index.php/index/show/index cw parameter. 2019-01-04 4.3 CVE-2019-5311
MISC


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
frog_cms_project — frog_cms Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field. 2019-01-09 3.5 CVE-2018-20680
MISC
ibm — rational_publishing_engine IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-force ID: 144883. 2019-01-04 3.5 CVE-2018-1657
BID
XF
CONFIRM
ibm — rational_publishing_engine IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153494. 2019-01-04 3.5 CVE-2018-1951
BID
XF
CONFIRM


Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
apache — karaf Apache Karaf provides a features deployer, which allows users to “hot deploy” a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn’t contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases. 2019-01-07 not yet calculated CVE-2018-11788
MISC
BID
apache — thrift Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. 2019-01-07 not yet calculated CVE-2018-1320
MISC
apache — thrift The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path. 2019-01-07 not yet calculated CVE-2018-11798
BID
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the Clean My Mac X, version 4.04, helper service due to improper input validation. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit. 2019-01-10 not yet calculated CVE-2018-4043
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4047
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the way the CleanMyMac X software improperly validates inputs. An attacker with local access could use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit. 2019-01-10 not yet calculated CVE-2018-4032
MISC
apple — cleanmymac_x The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4033
MISC
apple — cleanmymac_x The CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4034
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4045
MISC
apple — cleanmymac_x The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access could use this vulnerability to modify the running kernel extensions on the system. 2019-01-10 not yet calculated CVE-2018-4036
MISC
apple — cleanmymac_x The CleanMyMac X software contains an exploitable privilege escalation vulnerability due to improper input validation. An attacker with local access can use this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4037
MISC
apple — cleanmymac_x The CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4035
MISC
apple — cleanmymac_x An exploitable denial-of-service vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. A user with local access can use this vulnerability to terminate a privileged helper application. An attacker would need local access to the machine for a successful exploit. 2019-01-10 not yet calculated CVE-2018-4046
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4041
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4042
MISC
apple — cleanmymac_x An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. 2019-01-10 not yet calculated CVE-2018-4044
MISC
apple — ios In iOS before 11.2, exchange rates were retrieved from HTTP rather than HTTPS. This was addressed by enabling HTTPS for exchange rates. 2019-01-11 not yet calculated CVE-2017-2411
CONFIRM
apple — ios In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling. 2019-01-11 not yet calculated CVE-2018-4404
MISC
CONFIRM
EXPLOIT-DB
apple — ios In iOS before 11.2, an inconsistent user interface issue was addressed through improved state management. 2019-01-11 not yet calculated CVE-2017-13891
CONFIRM
apple — ios In iOS before 11.2, a type confusion issue was addressed with improved memory handling. 2019-01-11 not yet calculated CVE-2017-13888
CONFIRM
apple — ios In iOS before 11.4, a memory corruption issue exists and was addressed with improved memory handling. 2019-01-11 not yet calculated CVE-2018-4330
BID
SECTRACK
CONFIRM
apple — ios In iOS before 9.3.3, a memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. 2019-01-11 not yet calculated CVE-2016-7576
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.5, a buffer overflow was addressed with improved size validation. 2019-01-11 not yet calculated CVE-2018-4257
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. 2019-01-11 not yet calculated CVE-2018-4255
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an input validation issue existed in the kernel. This issue was addressed with improved input validation. 2019-01-11 not yet calculated CVE-2018-4254
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.5, a privacy issue in the handling of Open Directory records was addressed with improved indexing. 2019-01-11 not yet calculated CVE-2018-4217
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an access issue was addressed with additional sandbox restrictions. 2019-01-11 not yet calculated CVE-2018-4183
CONFIRM
DEBIAN
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an access issue was addressed with additional sandbox restrictions on CUPS. 2019-01-11 not yet calculated CVE-2018-4182
CONFIRM
DEBIAN
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. 2019-01-11 not yet calculated CVE-2018-4181
MLIST
CONFIRM
UBUNTU
DEBIAN
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. 2019-01-11 not yet calculated CVE-2018-4180
MLIST
CONFIRM
UBUNTU
DEBIAN
apple — macos_high_sierra In macOS High Sierra before 10.13.5, a buffer overflow was addressed with improved bounds checking. 2019-01-11 not yet calculated CVE-2018-4258
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. 2019-01-11 not yet calculated CVE-2018-4256
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.4, there was an issue with the handling of smartcard PINs. This issue was addressed with additional logic. 2019-01-11 not yet calculated CVE-2018-4179
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.2, an access issue existed with privileged WiFi system configuration. This issue was addressed with additional restrictions. 2019-01-11 not yet calculated CVE-2017-13886
CONFIRM
apple — macos_high_sierra In macOS High Sierra before 10.13.2, a logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management. 2019-01-11 not yet calculated CVE-2017-13887
CONFIRM
apple — multiple_products In iOS before 11.4, iCloud for Windows before 7.5, watchOS before 4.3.1, iTunes before 12.7.5 for Windows, and macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation. 2019-01-11 not yet calculated CVE-2018-4194
MISC
CONFIRM
MISC
MISC
MISC
apple — multiple_products In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a logic error existed in the validation of credentials. This was addressed with improved credential validation. 2019-01-11 not yet calculated CVE-2017-13889
CONFIRM
apple — multiple_products In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, an out-of-bounds read was addressed with improved input validation. 2019-01-11 not yet calculated CVE-2018-4169
CONFIRM
apple — multiple_products In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11.4.1, tvOS before 11.4.1, iCloud for Windows before 7.6, sound fetched through audio elements may be exfiltrated cross-origin. This issue was addressed with improved audio taint tracking. 2019-01-11 not yet calculated CVE-2018-4278
SECTRACK
GENTOO
CONFIRM
MISC
MISC
MISC
MISC
UBUNTU
apple — multiple_products In iOS before 11.4.1, watchOS before 4.3.2, tvOS before 11.4.1, Safari before 11.1.1, macOS High Sierra before 10.13.6, a spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. 2019-01-11 not yet calculated CVE-2018-4277
SECTRACK
MISC
MISC
MISC
CONFIRM
MISC
apple — multiple_products In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11.4.1, tvOS before 11.4.1, iCloud for Windows before 7.6, multiple memory corruption issues were addressed with improved memory handling. 2019-01-11 not yet calculated CVE-2018-4262
SECTRACK
GENTOO
MISC
CONFIRM
MISC
UBUNTU
apple — multiple_products In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. 2019-01-11 not yet calculated CVE-2018-4213
GENTOO
MISC
CONFIRM
MISC
MISC
MISC
UBUNTU
apple — multiple_products In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a permissions issue existed in Remote Management. This issue was addressed through improved permission validation. 2019-01-11 not yet calculated CVE-2018-4298
CONFIRM
MISC
apple — multiple_products In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. 2019-01-11 not yet calculated CVE-2018-4212
GENTOO
MISC
CONFIRM
MISC
MISC
MISC
MISC
UBUNTU
apple — multiple_products In iOS before 11.3, Safari before 11.1, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, an array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks. 2019-01-11 not yet calculated CVE-2018-4210
GENTOO
MISC
MISC
MISC
CONFIRM
UBUNTU
apple — multiple_products In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. 2019-01-11 not yet calculated CVE-2018-4209
GENTOO
MISC
CONFIRM
MISC
MISC
MISC
MISC
UBUNTU
apple — multiple_products In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. 2019-01-11 not yet calculated CVE-2018-4208
GENTOO
MISC
MISC
MISC
CONFIRM
MISC
MISC
UBUNTU
apple — multiple_products In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks. 2019-01-11 not yet calculated CVE-2018-4207
GENTOO
MISC
CONFIRM
MISC
MISC
MISC
MISC
UBUNTU
apple — multiple_products In iOS before 11.2.5, macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, watchOS before 4.2.2, and tvOS before 11.2.5, a memory corruption issue exists and was addressed with improved memory handling. 2019-01-11 not yet calculated CVE-2018-4189
CONFIRM
MISC
MISC
MISC
apple — multiple_products In iCloud for Windows before 7.3, Safari before 11.0.3, iTunes before 12.7.3 for Windows, and iOS before 11.2.5, multiple memory corruption issues exist and were addressed with improved memory handling. 2019-01-11 not yet calculated CVE-2018-4147
CONFIRM
MISC
MISC
MISC
MISC
apple — multiple_products In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials. 2019-01-11 not yet calculated CVE-2016-4644
MISC
MISC
CONFIRM
apple — multiple_products In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation. 2019-01-11 not yet calculated CVE-2016-4643
MISC
MISC
CONFIRM
apple — multiple_products In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS before High Sierra 10.13.4, an information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling. 2019-01-11 not yet calculated CVE-2018-4185
MISC
MISC
CONFIRM
MISC
apple — multiple_products In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings. 2019-01-11 not yet calculated CVE-2016-4642
MISC
MISC
CONFIRM
apple — safari In Safari before 11.1, an information leakage issue existed in the handling of downloads in Safari Private Browsing. This issue was addressed with additional validation. 2019-01-11 not yet calculated CVE-2018-4186
CONFIRM
apple — swiftnio In SwiftNIO before 1.8.0, a buffer overflow was addressed with improved size validation. 2019-01-11 not yet calculated CVE-2018-4281
CONFIRM
artifex — mupdf Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c. 2019-01-11 not yet calculated CVE-2019-6130
MISC
artifex — mupdf svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool. 2019-01-11 not yet calculated CVE-2019-6131
MISC
aterm — hc100rc Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via FactoryPassword parameter or bootmode parameter of a certain URL. 2019-01-09 not yet calculated CVE-2018-0634
MISC
JVN
aterm — hc100rc Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via filename parameter. 2019-01-09 not yet calculated CVE-2018-0635
MISC
JVN
aterm — hc100rc Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via FactoryPassword parameter of a certain URL, different URL from CVE-2018-0634. 2019-01-09 not yet calculated CVE-2018-0636
MISC
JVN
aterm — hc100rc Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via import.cgi encKey parameter. 2019-01-09 not yet calculated CVE-2018-0638
MISC
JVN
aterm — hc100rc Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via tools_firmware.cgi date parameter, time parameter, and offset parameter. 2019-01-09 not yet calculated CVE-2018-0639
MISC
JVN
aterm — hc100rc Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary code via netWizard.cgi date parameter, time parameter, and offset parameter. 2019-01-09 not yet calculated CVE-2018-0640
MISC
JVN
aterm — hc100rc Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary code via tools_system.cgi date parameter, time parameter, and offset parameter. 2019-01-09 not yet calculated CVE-2018-0641
MISC
JVN
aterm — hc100rc Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via export.cgi encKey parameter. 2019-01-09 not yet calculated CVE-2018-0637
MISC
JVN
aterm — w300p Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary code via submit-url parameter. 2019-01-09 not yet calculated CVE-2018-0633
MISC
JVN
aterm — w300p Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary code via HTTP request and response. 2019-01-09 not yet calculated CVE-2018-0632
MISC
JVN
aterm — w300p Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary OS commands via targetAPSsid parameter. 2019-01-09 not yet calculated CVE-2018-0631
MISC
JVN
aterm — w300p Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary OS commands via HTTP request and response. 2019-01-09 not yet calculated CVE-2018-0629
MISC
JVN
aterm — w300p Aterm W300P Ver1.0.13 and earlier allows attacker with administrator rights to execute arbitrary OS commands via sysCmd parameter. 2019-01-09 not yet calculated CVE-2018-0630
MISC
JVN
aterm — wg1200hp_firmware Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via HTTP request and response. 2019-01-09 not yet calculated CVE-2018-0628
MISC
JVN
aterm — wg1200hp_firmware Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via targetAPSsid parameter. 2019-01-09 not yet calculated CVE-2018-0627
MISC
JVN
aterm — wg1200hp_firmware Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via sysCmd in formWsc parameter. 2019-01-09 not yet calculated CVE-2018-0626
MISC
JVN
aterm — wg1200hp_firmware Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with administrator rights to execute arbitrary OS commands via formSysCmd parameter. 2019-01-09 not yet calculated CVE-2018-0625
MISC
JVN
bento4 — bento4 An issue was discovered in Bento4 v1.5.1-627. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp when called from the AP4_EsdsAtom class in Core/Ap4EsdsAtom.cpp, as demonstrated by mp42aac. 2019-01-11 not yet calculated CVE-2019-6132
MISC
bodhi — bodhi Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles. 2019-01-10 not yet calculated CVE-2017-1002152
CONFIRM
bootstrap — bootstrap In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. 2019-01-09 not yet calculated CVE-2018-20677
MISC
MISC
MISC
MISC
MISC
bootstrap — bootstrap In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. 2019-01-09 not yet calculated CVE-2018-20676
MISC
MISC
MISC
MISC
MISC
busybox — busybox An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. 2019-01-09 not yet calculated CVE-2019-5747
MISC
MISC
busybox — busybox An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. 2019-01-09 not yet calculated CVE-2018-20679
MISC
MISC
MISC
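The two BusyBox entries above come down to the same thing: udhcp_get_option() hands back an option whose length the sender controls, while callers that expect a fixed 4-byte option such as DHCP_SUBNET copy 4 bytes regardless, reading past a short option into whatever follows it on the stack. The C program below is an added illustration written for this bulletin, not BusyBox code. It implements a small DHCP TLV option walker with the lenient lookup next to a checked variant that refuses a fixed-length option of the wrong size. The option codes follow the DHCP option numbering; the sample option areas are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP_PADDING 0x00
#define DHCP_SUBNET  0x01   /* subnet mask: always exactly 4 bytes */
#define DHCP_END     0xff

/* Lenient lookup, modelled on the pre-fix behaviour: returns a pointer to the value
   of the first option with code `code` and whatever length the sender claimed for it.
   A caller that then copies 4 bytes for DHCP_SUBNET reads past a 1-byte option. */
const uint8_t *dhcp_get_option(const uint8_t *opts, size_t len, uint8_t code, size_t *out_len) {
    size_t i = 0;
    while (i < len) {
        uint8_t c = opts[i];
        if (c == DHCP_PADDING) { i++; continue; }      /* single-byte pad, no length */
        if (c == DHCP_END) break;
        if (i + 1 >= len) return NULL;                 /* no room for a length byte */
        size_t olen = opts[i + 1];
        if (i + 2 + olen > len) return NULL;           /* value would run past the buffer */
        if (c == code) { *out_len = olen; return opts + i + 2; }
        i += 2 + olen;
    }
    return NULL;
}

/* Checked lookup: additionally rejects an option whose length differs from the fixed
   length its type requires. This is the check the fix adds for 4-byte options. */
const uint8_t *dhcp_get_option_checked(const uint8_t *opts, size_t len, uint8_t code,
                                       size_t expect_len, size_t *out_len) {
    const uint8_t *v = dhcp_get_option(opts, len, code, out_len);
    if (v && *out_len != expect_len) return NULL;
    return v;
}

/* Reads the subnet mask as a host-order 32-bit value. Returns 1 on success, 0 if the
   option is missing, truncated, or not exactly 4 bytes long. */
int dhcp_subnet_mask(const uint8_t *opts, size_t len, uint32_t *mask) {
    size_t olen;
    const uint8_t *v = dhcp_get_option_checked(opts, len, DHCP_SUBNET, 4, &olen);
    if (!v) return 0;
    *mask = ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) | ((uint32_t)v[2] << 8) | v[3];
    return 1;
}

/* Constructed option areas (the bytes after the DHCP magic cookie). */
const uint8_t OPTS_GOOD[]  = { 53, 1, 2,  1, 4, 255, 255, 255, 0,  255 };  /* message type, subnet /24, end */
const uint8_t OPTS_SHORT[] = { 53, 1, 2,  1, 1, 255,  255 };               /* subnet claims 1 byte */
const uint8_t OPTS_TRUNC[] = { 53, 1, 2,  1, 4, 255, 255 };                /* subnet runs off the end */

int main(void) {
    uint32_t m;
    size_t n;
    const uint8_t *v = dhcp_get_option(OPTS_SHORT, sizeof OPTS_SHORT, DHCP_SUBNET, &n);
    printf("lenient lookup on short option: %s, claimed length %zu\n", v ? "found" : "absent", v ? n : 0);
    printf("checked subnet on short option: %s\n",
           dhcp_subnet_mask(OPTS_SHORT, sizeof OPTS_SHORT, &m) ? "ok" : "rejected");
    if (dhcp_subnet_mask(OPTS_GOOD, sizeof OPTS_GOOD, &m)) printf("good subnet mask: 0x%08x\n", m);
    return 0;
}
```

The lenient walker already refuses an option that overruns the buffer (OPTS_TRUNC), which is why the first fix looked sufficient; the short-but-in-bounds option (OPTS_SHORT) is the case that still needs the per-type length check.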
cimtechniques — cimscan In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows attackers to execute SQL code. 2019-01-10 not yet calculated CVE-2018-16803
MISC
MISC
cisco — 900_series_aggregation_services_router A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient handling of certain broadcast packets ingress to the device. An attacker could exploit this vulnerability by sending large streams of broadcast packets to an affected device. If successful, an exploit could allow an attacker to impact services running on the device, resulting in a partial DoS condition. 2019-01-11 not yet calculated CVE-2018-15464
CISCO
cisco — cisco_asyncos_software_for_cisco_email_security_appliance A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory. A successful exploit could cause the filtering process to unexpectedly reload, resulting in a denial of service (DoS) condition on the device. The vulnerability is due to improper input validation of S/MIME-signed emails. An attacker could exploit this vulnerability by sending a malicious S/MIME-signed email through a targeted device. If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA. 2019-01-10 not yet calculated CVE-2018-15453
BID
CISCO
cisco — cisco_asyncos_software_for_cisco_email_security_appliance A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device. The vulnerability is due to improper filtering of email messages that contain references to whitelisted URLs. An attacker could exploit this vulnerability by sending a malicious email message that contains a large number of whitelisted URLs. A successful exploit could allow the attacker to cause a sustained DoS condition that could force the affected device to stop scanning and forwarding email messages. 2019-01-10 not yet calculated CVE-2018-15460
BID
CISCO
cisco — firepower_management_center A vulnerability in the Shell Access Filter feature of Cisco Firepower Management Center (FMC), when used in conjunction with remote authentication, could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability occurs because the configuration of the Shell Access Filter, when used with a specific type of remote authentication, can cause a system file to have unbounded writes. An attacker could exploit this vulnerability by sending a steady stream of remote authentication requests to the appliance when the specific configuration is applied. Successful exploitation could allow the attacker to increase the size of a system log file so that it consumes most of the disk space. The lack of available disk space could lead to a DoS condition in which the device functions could operate abnormally, making the device unstable. 2019-01-10 not yet calculated CVE-2018-15458
BID
CISCO
cisco — identity_services_engine A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack. 2019-01-10 not yet calculated CVE-2018-15456
BID
CISCO
cisco — ios_and_ios_xe_software A vulnerability in the TCP socket code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a state condition between the socket state and the transmission control block (TCB) state. While this vulnerability potentially affects all TCP applications, the only affected application observed so far is the HTTP server. An attacker could exploit this vulnerability by sending specific HTTP requests at a sustained rate to a reachable IP address of the affected software. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition on an affected device. 2019-01-09 not yet calculated CVE-2018-0282
BID
CISCO
cisco — ios_and_ios_xe_software A vulnerability in the access control logic of the Secure Shell (SSH) server of Cisco IOS and IOS XE Software may allow connections sourced from a virtual routing and forwarding (VRF) instance despite the absence of the vrf-also keyword in the access-class configuration. The vulnerability is due to a missing check in the SSH server. An attacker could use this vulnerability to open an SSH connection to an affected Cisco IOS or IOS XE device with a source address belonging to a VRF instance. Once connected, the attacker would still need to provide valid credentials to access the device. 2019-01-10 not yet calculated CVE-2018-0484
CISCO
cisco — ip_phone_8800_series_software A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device. The vulnerability exists because the software running on an affected device insufficiently validates user-supplied data. An attacker could exploit this vulnerability by persuading a user to click a malicious link provided to the user or through the interface of an affected device. A successful exploit could allow an attacker to execute arbitrary script code in the context of the user interface or access sensitive system-based information, which under normal circumstances should be prohibited. 2019-01-10 not yet calculated CVE-2018-0461
BID
CISCO
cisco — jabber_client_framework A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges. The vulnerability exists due to insecure directory permissions set on a JCF created directory. An authenticated attacker with the ability to access an affected directory could create a hard link to an arbitrary location on the affected system. An attacker could convince another user that has administrative privileges to perform an install or update the Cisco Jabber for Mac client to perform such actions, allowing files to be created in an arbitrary location on the disk or an arbitrary file to be corrupted when it is appended to or overwritten. 2019-01-10 not yet calculated CVE-2018-0449
BID
CISCO
cisco — jabber_client_framework A vulnerability in Cisco Jabber Client Framework (JCF) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected system. The vulnerability is due to insufficient validation of user-supplied input of an affected client. An attacker could exploit this vulnerability by executing arbitrary JavaScript in the Jabber client of the recipient. A successful exploit could allow the attacker to execute arbitrary script code in the context of the targeted client or allow the attacker to access sensitive client-based information. 2019-01-10 not yet calculated CVE-2018-0483
BID
CISCO
cisco — policy_suite_for_mobile_and_policy_suite_diameter_routing_agent_software A vulnerability in the Redis implementation used by the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software could allow an unauthenticated, remote attacker to modify key-value pairs for short-lived events stored by the Redis server. The vulnerability is due to improper authentication when accessing the Redis server. An unauthenticated attacker could exploit this vulnerability by modifying key-value pairs stored within the Redis server database. An exploit could allow the attacker to reduce the efficiency of the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software. 2019-01-09 not yet calculated CVE-2018-0181
CISCO
cisco — policy_suite A vulnerability in the Graphite web interface of the Policy and Charging Rules Function (PCRF) of Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access the Graphite web interface. The attacker would need to have access to the internal VLAN where CPS is deployed. The vulnerability is due to lack of authentication. An attacker could exploit this vulnerability by directly connecting to the Graphite web interface. An exploit could allow the attacker to access various statistics and Key Performance Indicators (KPIs) regarding the Cisco Policy Suite environment. 2019-01-11 not yet calculated CVE-2018-15466
BID
CISCO
cisco — prime_infrastructure A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2019-01-10 not yet calculated CVE-2018-15457
BID
CISCO
cisco — prime_network_control_system A vulnerability in the web-based management interface of Cisco Prime Network Control System could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. 2019-01-10 not yet calculated CVE-2018-0482
BID
CISCO
cisco — telepresence_management_suite A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. 2019-01-11 not yet calculated CVE-2018-15467
BID
CISCO
cisco — unified_communications_manager A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view digest credentials in clear text. The vulnerability is due to the incorrect inclusion of saved passwords in configuration pages. An attacker could exploit this vulnerability by logging in to the Cisco Unified Communications Manager web-based management interface and viewing the source code for the configuration page. A successful exploit could allow the attacker to recover passwords and expose those accounts to further attack. 2019-01-10 not yet calculated CVE-2018-0474
CISCO
cisco — webex_business_suite A vulnerability in the MyWebex component of Cisco Webex Business Suite could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by convincing a user to click a crafted URL. To exploit this vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link. 2019-01-10 not yet calculated CVE-2018-15461
BID
CISCO
cybozu — dezie Directory traversal vulnerability in Cybozu Dezie 8.0.2 to 8.1.2 allows remote attackers to read arbitrary files via HTTP requests. 2019-01-09 not yet calculated CVE-2018-0705
JVN
MISC
cybozu — garoon Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to bypass access restriction to view information available only for a sign-on user via Single sign-on function. 2019-01-09 not yet calculated CVE-2018-16178
JVN
MISC
cybozu — mailwise Directory traversal vulnerability in Cybozu Mailwise 5.0.0 to 5.4.5 allows remote attackers to delete arbitrary files via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0702
JVN
MISC
cybozu — office Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 allows remote attackers to delete arbitrary files via HTTP requests. 2019-01-09 not yet calculated CVE-2018-0703
JVN
MISC
cybozu — office Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 allows remote attackers to delete arbitrary files via Keitai Screen. 2019-01-09 not yet calculated CVE-2018-0704
JVN
MISC
cybozu — remote_service Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated attackers to upload and execute Java code file on the server via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16169
JVN
MISC
cybozu — remote_service Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate. 2019-01-09 not yet calculated CVE-2018-16172
JVN
MISC
cybozu — remote_service Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 allows remote attackers to execute Java code file on the server via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16171
JVN
MISC
cybozu — remote_service Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 for Windows allows remote authenticated attackers to read arbitrary files via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16170
JVN
MISC
d-link — multiple_devices D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authentication bypass. 2019-01-08 not yet calculated CVE-2018-20675
MISC
d-link — multiple_devices D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authenticated remote command execution. 2019-01-08 not yet calculated CVE-2018-20674
MISC
digital_arts — i-filter HTTP header injection vulnerability in i-FILTER Ver.9.50R05 and earlier may allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks that may result in an arbitrary script injection or setting an arbitrary cookie values via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16181
MISC
JVN
digital_arts — i-filter Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16180
MISC
JVN
django — django In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. 2019-01-09 not yet calculated CVE-2019-3498
BID
MISC
MISC
MLIST
UBUNTU
DEBIAN
MISC
docker_engine — docker_engine Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. 2019-01-11 not yet calculated CVE-2018-20699
MISC
MISC
dokan — dokan Dokan, versions between 1.0.0.5000 and 1.2.0.1000, are vulnerable to a stack-based buffer overflow in the dokan1.sys driver. An attacker can create a device handle to the system driver and send arbitrary input that will trigger the vulnerability. This vulnerability was introduced in the 1.0.0.5000 version update. 2019-01-07 not yet calculated CVE-2018-5410
BID
MISC
CONFIRM
CERT-VN
elfinder — elfinder php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP’s curl extension is enabled and safe_mode or open_basedir is not set. 2019-01-10 not yet calculated CVE-2019-5884
MISC
MISC
fork — fork_cms Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka “Admin ids” input in the Facebook section). 2019-01-09 not yet calculated CVE-2018-20682
MISC
frog_cms — frog_cms Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin/?/login/forgot URI). 2019-01-11 not yet calculated CVE-2019-6243
MISC
frontaccounting — frontaccounting includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter. 2019-01-08 not yet calculated CVE-2019-5720
MISC
frrouting — frrouting bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed. 2019-01-10 not yet calculated CVE-2019-5892
CONFIRM
MISC
MISC
MISC
MISC
MISC
MISC
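To make the RFC 7606 point in the FRR entry concrete, here is an added example (written for this bulletin, not FRR code) of a BGP path-attribute walker that can apply either policy: reset the session on any malformed attribute, which is the pre-RFC 7606 behaviour the entry describes, or treat the UPDATE as a withdraw of the routes it carries and keep the peering up. The use of type code 255 for the VNC attribute and the one-byte "version" check on its body are assumptions for the example; the attribute byte strings are constructed. An unrecognized well-known (non-optional) attribute still resets the session, as RFC 4271 requires.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BGP_ATTR_FLAG_OPTIONAL   0x80
#define BGP_ATTR_FLAG_TRANSITIVE 0x40
#define BGP_ATTR_FLAG_EXTLEN     0x10
#define BGP_ATTR_ORIGIN    1
#define BGP_ATTR_AS_PATH   2
#define BGP_ATTR_NEXT_HOP  3
#define BGP_ATTR_VNC     255   /* assumption: the type code the VNC feature claims for itself */

enum attr_action {
    ATTR_ACCEPT = 0,            /* UPDATE is usable as received */
    ATTR_TREAT_AS_WITHDRAW = 1, /* RFC 7606: drop the routes in this UPDATE, keep the session */
    ATTR_SESSION_RESET = 2      /* send a NOTIFICATION and close the session */
};

/* Assumption for the example: a VNC body is at least one byte and starts with version 1. */
static int vnc_body_ok(const uint8_t *v, size_t len) { return len >= 1 && v[0] == 1; }

/* Walks the Path Attributes area of an UPDATE and decides what to do with the message.
   rfc7606 == 0 reproduces the older "any malformed attribute closes the session" policy;
   rfc7606 == 1 downgrades that to treat-as-withdraw. *unknown counts unrecognized optional
   attributes, which are ignored (or passed on if transitive) rather than rejected. */
enum attr_action parse_path_attrs(const uint8_t *p, size_t len, int vnc_enabled, int rfc7606, unsigned *unknown) {
    enum attr_action malformed = rfc7606 ? ATTR_TREAT_AS_WITHDRAW : ATTR_SESSION_RESET;
    size_t i = 0;
    *unknown = 0;
    while (i < len) {
        if (i + 2 > len) return malformed;                       /* truncated flags/type */
        uint8_t flags = p[i], type = p[i + 1];
        size_t hdr = (flags & BGP_ATTR_FLAG_EXTLEN) ? 4 : 3;
        if (i + hdr > len) return malformed;                     /* truncated length field */
        size_t alen = (flags & BGP_ATTR_FLAG_EXTLEN) ? (((size_t)p[i + 2] << 8) | p[i + 3]) : p[i + 2];
        if (i + hdr + alen > len) return malformed;              /* attribute overruns the area */
        const uint8_t *val = p + i + hdr;
        switch (type) {
        case BGP_ATTR_ORIGIN:
            if (alen != 1 || val[0] > 2) return malformed;       /* IGP, EGP or INCOMPLETE only */
            break;
        case BGP_ATTR_AS_PATH:
            break;                                               /* not validated in this example */
        case BGP_ATTR_NEXT_HOP:
            if (alen != 4) return malformed;
            break;
        case BGP_ATTR_VNC:
            if (!vnc_enabled) { (*unknown)++; break; }           /* just an unknown optional attribute */
            if (!vnc_body_ok(val, alen)) return malformed;       /* the bug: this used to reset the session */
            break;
        default:
            if (!(flags & BGP_ATTR_FLAG_OPTIONAL)) return ATTR_SESSION_RESET; /* unrecognized well-known */
            (*unknown)++;
            break;
        }
        i += hdr + alen;
    }
    return ATTR_ACCEPT;
}

/* Constructed attribute areas: flags, type, length, value bytes. */
const uint8_t ATTRS_GOOD[] = {
    0x40, BGP_ATTR_ORIGIN, 1, 0,                 /* ORIGIN = IGP */
    0x40, BGP_ATTR_AS_PATH, 0,                   /* empty AS_PATH */
    0x40, BGP_ATTR_NEXT_HOP, 4, 10, 0, 0, 1      /* NEXT_HOP 10.0.0.1 */
};
const uint8_t ATTRS_BAD_VNC[] = {
    0x40, BGP_ATTR_ORIGIN, 1, 0,
    0x40, BGP_ATTR_NEXT_HOP, 4, 10, 0, 0, 1,
    0xC0, BGP_ATTR_VNC, 2, 0x07, 0x00            /* optional+transitive 255 with a bogus body */
};
const uint8_t ATTRS_OVERRUN[]    = { 0x40, BGP_ATTR_ORIGIN, 1, 0, 0x40, BGP_ATTR_NEXT_HOP, 200, 10, 0 };
const uint8_t ATTRS_UNKNOWN_WK[] = { 0x40, BGP_ATTR_ORIGIN, 1, 0, 0x40, 200, 0 };

static const char *action_name(enum attr_action a) {
    return a == ATTR_ACCEPT ? "accept" : a == ATTR_TREAT_AS_WITHDRAW ? "treat-as-withdraw" : "session-reset";
}

int main(void) {
    unsigned u;
    printf("bad VNC, legacy  : %s\n", action_name(parse_path_attrs(ATTRS_BAD_VNC, sizeof ATTRS_BAD_VNC, 1, 0, &u)));
    printf("bad VNC, RFC 7606: %s\n", action_name(parse_path_attrs(ATTRS_BAD_VNC, sizeof ATTRS_BAD_VNC, 1, 1, &u)));
    printf("bad VNC, VNC off : %s (%u unknown)\n",
           action_name(parse_path_attrs(ATTRS_BAD_VNC, sizeof ATTRS_BAD_VNC, 0, 1, &u)), u);
    printf("unknown well-known: %s\n", action_name(parse_path_attrs(ATTRS_UNKNOWN_WK, sizeof ATTRS_UNKNOWN_WK, 1, 1, &u)));
    return 0;
}
```

The same bogus type-255 attribute is harmless to a speaker without VNC (it is an unknown optional attribute and is simply counted), flaps the session under the legacy policy, and costs only the routes in that one UPDATE under treat-as-withdraw, which is exactly the difference the entry describes.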
gitolite — gitolite commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a “bad” impact by triggering use of an option other than -v, -n, -q, or -P. 2019-01-09 not yet calculated CVE-2018-20683
MISC
MISC
MISC
MISC
gnu — binutils load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size. 2019-01-04 not yet calculated CVE-2018-20671
BID
MISC
MISC
gnu — binutils The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for “Create an array for saving the template argument values”) that can trigger a heap-based buffer overflow, as demonstrated by nm. 2019-01-04 not yet calculated CVE-2018-20673
BID
MISC
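Both GNU Binutils entries above (CVE-2018-20671 in objdump, CVE-2018-20673 in the libiberty demangler) have the same shape: a size parsed from the input, a section size in one case and a template-argument count in the other, feeds an addition or multiplication that wraps, so the allocation is far smaller than the copy that follows it. This added C example (not Binutils code) shows the unchecked arithmetic next to overflow-aware helpers and a section loader that also bounds the section against the file image. The 16-byte file image is constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* The unchecked form: with section_size == SIZE_MAX (a 64-bit size read straight from a
   crafted header) this wraps to 0, malloc(0) typically succeeds, and the copy of
   section_size bytes that follows overflows the heap. */
size_t unchecked_amount(size_t section_size) {
    return section_size + 1;
}

/* Overflow-aware arithmetic: report wrap-around instead of silently truncating. */
int checked_add(size_t a, size_t b, size_t *out) {
    if (b > SIZE_MAX - a) return 0;
    *out = a + b;
    return 1;
}
int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* objdump-style: a buffer of section_size + 1 bytes so the contents can be NUL-terminated. */
void *alloc_section_buffer(size_t section_size) {
    size_t amt;
    if (!checked_add(section_size, 1, &amt)) return NULL;
    return malloc(amt);
}

/* demangler-style: an array of `count` elements of `elem_size` bytes, count parsed from a name. */
void *alloc_element_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_mul(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

/* Copies `size` bytes at `offset` of an in-memory file image into a new NUL-terminated
   buffer. Rejects a section whose end wraps or lies past the image. Caller frees. */
uint8_t *load_section(const uint8_t *file, size_t file_len, size_t offset, size_t size) {
    size_t end;
    if (!checked_add(offset, size, &end) || end > file_len) return NULL;
    uint8_t *buf = alloc_section_buffer(size);
    if (!buf) return NULL;
    memcpy(buf, file + offset, size);
    buf[size] = 0;
    return buf;
}

/* Constructed 16-byte "file image" for the example; offset 4 holds an 8-byte section. */
const uint8_t FILE_IMAGE[16] = {
    'E', 'L', 'F', 0, 's', 'e', 'c', 't', 'i', 'o', 'n', '!', 0, 0, 0, 0
};

int main(void) {
    printf("SIZE_MAX + 1 wraps to %zu\n", unchecked_amount(SIZE_MAX));
    printf("alloc_section_buffer(SIZE_MAX): %s\n", alloc_section_buffer(SIZE_MAX) ? "allocated" : "rejected");
    uint8_t *s = load_section(FILE_IMAGE, sizeof FILE_IMAGE, 4, 8);
    if (s) { printf("section: %s\n", (char *)s); free(s); }
    printf("oversized section: %s\n",
           load_section(FILE_IMAGE, sizeof FILE_IMAGE, 4, 13) ? "loaded" : "rejected");
    return 0;
}
```

The two checks in load_section are independent: checked_add catches the wrap that produces a tiny allocation, and the comparison against file_len catches the more common case of a size that is merely larger than the file. A loader needs both, since a size that passes one can still fail the other.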
google — chrome The default selected dialog button in CustomHandlers in Google Chrome prior to 69.0.3497.81 allowed a remote attacker who convinced the user to perform certain operations to open external programs via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16084
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Failure to prevent navigation to top frame to data URLs in Navigation in Google Chrome on iOS prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-20069
CONFIRM
MISC
google — chrome Incorrect handling of 304 status codes in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-20068
CONFIRM
MISC
google — chrome A renderer initiated back navigation was incorrectly allowed to cancel a browser initiated one in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-20067
CONFIRM
MISC
google — chrome Incorrect object lifecycle in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-20066
CONFIRM
MISC
google — chrome Handling of URI action in PDFium in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to initiate potentially unsafe navigations without a user gesture via a crafted PDF file. 2019-01-09 not yet calculated CVE-2018-20065
CONFIRM
MISC
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6166
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6163
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of reloads in Navigation in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6165
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Insufficient origin checks for CSS content in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6164
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Improper deserialization in WebGL in Google Chrome on Mac prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6162
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A heap buffer overflow in GPU in Google Chrome prior to 70.0.3538.67 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-17470
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An out of bounds read in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. 2019-01-09 not yet calculated CVE-2018-17461
CONFIRM
MISC
google — chrome Incorrect handling of clicks in the omnibox in Navigation in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-17459
REDHAT
CONFIRM
MISC
google — chrome An improper update of the WebAssembly dispatch table in WebAssembly in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-17458
REDHAT
CONFIRM
MISC
google — chrome An object lifecycle issue in Blink could lead to a use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-17457
CONFIRM
MISC
google — chrome JavaScript alert handling in Prompts in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6160
BID
CONFIRM
MISC
GENTOO
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-20070
CONFIRM
MISC
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6167
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controlled files via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-20071
CONFIRM
MISC
google — chrome Insufficient data validation in V8 builtins string generator could lead to out of bounds read and write access in V8 in Google Chrome prior to 62.0.3202.94 and allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2017-15428
CONFIRM
MISC
google — chrome A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2016-9651
REDHAT
BID
CONFIRM
MISC
GENTOO
EXPLOIT-DB
google — chrome A memory corruption bug in WebAssembly could lead to out of bounds read and write through V8 in WebAssembly in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2017-15401
CONFIRM
MISC
google — chrome Using an ID that can be controlled by a compromised renderer which allows any frame to overwrite the page_state of any other frame in the same process in Navigation in Google Chrome on Chrome OS prior to 62.0.3202.74 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2019-01-09 not yet calculated CVE-2017-15402
CONFIRM
MISC
google — chrome Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page. 2019-01-09 not yet calculated CVE-2017-15403
CONFIRM
MISC
google — chrome An ability to process crash dumps under root privileges and inappropriate symlinks handling could lead to a local privilege escalation in Crash Reporting in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to perform privilege escalation via a crafted HTML page. 2019-01-09 not yet calculated CVE-2017-15404
CONFIRM
MISC
google — chrome Inappropriate symlink handling and a race condition in the stateful recovery feature implementation could lead to persistence established by malicious code running with root privileges in cryptohomed in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page. 2019-01-09 not yet calculated CVE-2017-15405
CONFIRM
MISC
google — chrome Insufficient enforcement of file access permission in the activeTab case in Extensions in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension. 2019-01-09 not yet calculated CVE-2018-6179
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A precision error in Skia in Google Chrome prior to 68.0.3440.75 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6153
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Eliding from the wrong side in an infobar in DevTools in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to Hide Chrome Security UI via a crafted Chrome Extension. 2019-01-09 not yet calculated CVE-2018-6178
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6175
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Integer overflows in Swiftshader in Google Chrome prior to 68.0.3440.75 potentially allowed a remote attacker to execute arbitrary code via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6174
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6173
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6172
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A bad cast in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. 2019-01-09 not yet calculated CVE-2018-6170
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Lack of timeout on extension install prompt in Extensions in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to trigger installation of an unwanted extension via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6169
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A race condition in Oilpan in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6158
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Bad cast in DevTools in Google Chrome on Win, Linux, Mac, Chrome OS prior to 66.0.3359.117 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. 2019-01-09 not yet calculated CVE-2018-6151
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A use after free in ResourceCoordinator in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16085
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome A missing check for popup window handling in Fullscreen in Google Chrome on macOS prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16080
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Unsafe handling of credit card details in Autofill in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16078
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Incorrect handling of asynchronous methods in Fullscreen in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to enter full screen without showing a warning via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6097
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A race condition between permission prompts and navigations in Prompts in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16079
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6100
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An asynchronous generator may return an incorrect state in V8 in Google Chrome prior to 66.0.3359.117 allowing a remote attacker to potentially exploit object corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6106
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome readAsText() can indefinitely read the file picked by the user, rather than only once at the time the file is picked in File API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to access data on the user file system without explicit consent via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6109
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page. 2019-01-09 not yet calculated CVE-2018-6110
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An object lifetime issue in the developer tools network handler in Google Chrome prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6111
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Allowing the chrome.debugger API to run on file:// URLs in DevTools in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system without file access permission via a crafted Chrome Extension. 2019-01-09 not yet calculated CVE-2018-16081
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome A JavaScript focused window could overlap the fullscreen notification in Fullscreen in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obscure the full screen warning via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6096
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An out of bounds read in Swiftshader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16082
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16083
BID
REDHAT
CONFIRM
MISC
GENTOO
EXPLOIT-DB
google — chrome Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6112
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Improper handling of pending navigation entries in Navigation in Google Chrome on iOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6113
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Incorrect enforcement of CSP for <object> tags in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass content security policy via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6114
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Confusing settings in Autofill in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6117
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome An integer overflow that could lead to an attacker-controlled heap out-of-bounds write in PDFium in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. 2019-01-09 not yet calculated CVE-2018-6120
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A missing check for JS-simulated input events in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to download arbitrary files with no user input via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16088
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Lack of proper state tracking in Permissions in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16087
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Missing bounds check in PDFium in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. 2019-01-09 not yet calculated CVE-2018-16076
BID
REDHAT
CONFIRM
MISC
GENTOO
google — chrome Insufficient origin checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6093
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process. 2019-01-09 not yet calculated CVE-2018-6147
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Early free of object in use in IndexDB in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6127
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. 2019-01-09 not yet calculated CVE-2018-6144
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Insufficient validation in V8 in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6143
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Insufficient validation of an image filter in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6141
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Allowing the chrome.debugger API to attach to Web UI pages in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. 2019-01-09 not yet calculated CVE-2018-6140
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Insufficient target checks on the chrome.debugger API in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. 2019-01-09 not yet calculated CVE-2018-6139
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome CSS Paint API in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6137
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Lack of clearing the previous site before loading alerts from a new one in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6135
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. 2019-01-09 not yet calculated CVE-2018-6133
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6126
BID
BID
SECTRACK
SECTRACK
REDHAT
REDHAT
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
DEBIAN
EXPLOIT-DB
google — chrome Service Workers can intercept any request made by an <embed> or <object> tag in Fetch API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6091
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Type confusion in ReadableStreams in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6124
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome A use after free in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6123
BID
SECTRACK
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome A JavaScript reentrancy issue that caused a use-after-free in V8 in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16065
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A use after free in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16066
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Missing validation in Mojo in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16068
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. 2019-01-09 not yet calculated CVE-2018-16071
BID
REDHAT
CONFIRM
MISC
GENTOO
EXPLOIT-DB
google — chrome A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16072
BID
CONFIRM
MISC
GENTOO
google — chrome Type confusion could lead to a heap out-of-bounds write in V8 in Google Chrome prior to 64.0.3282.168 allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-6056
BID
REDHAT
CONFIRM
MISC
DEBIAN
google — chrome Insufficiently sanitized distributed objects in Updater in Google Chrome on macOS prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via an executable file. 2019-01-09 not yet calculated CVE-2018-6084
BID
BID
CONFIRM
MISC
EXPLOIT-DB
google — chrome A use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2019-01-09 not yet calculated CVE-2018-16067
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
google — chrome Insufficient data validation on image data in PDFium in Google Chrome prior to 51.0.2704.63 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. 2019-01-09 not yet calculated CVE-2016-10403
CONFIRM
MISC
ibm — api_connect IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 153175. 2019-01-08 not yet calculated CVE-2018-1932
CONFIRM
BID
XF
ibm — i_access_for_windows An untrusted search path vulnerability in IBM i Access for Windows versions 7.1 and earlier on Windows can allow arbitrary code execution via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. IBM X-Force ID: 152079. 2019-01-04 not yet calculated CVE-2018-1888
BID
XF
CONFIRM
ibm — jazz_reporting_service IBM Jazz Reporting Service (JRS) 6.0.3, 6.0.4, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152785. 2019-01-08 not yet calculated CVE-2018-1918
CONFIRM
BID
XF
ibm — spectrum_scale IBM Spectrum Scale (GPFS) 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0, where the use of Local Read Only Cache (LROC) is enabled, may cause a read operation on a file to return data from a different file. IBM X-Force ID: 154440. 2019-01-08 not yet calculated CVE-2018-1993
BID
XF
CONFIRM
imperva — securesphere Imperva SecureSphere running v12.0.0.50 is vulnerable to local arbitrary code execution, escaping sealed-mode. 2019-01-10 not yet calculated CVE-2018-5412
EXPLOIT-DB
imperva — securesphere Imperva SecureSphere running v13.0, v12.0, or v11.5 allows low privileged users to add SSH login keys to the admin user, resulting in privilege escalation. 2019-01-10 not yet calculated CVE-2018-5413
EXPLOIT-DB
imperva — securesphere_gateway Imperva SecureSphere gateway (GW) running v13, for both pre-First Time Login or post-First Time Login (FTL), if the attacker knows the basic authentication passwords, the GW may be vulnerable to RCE through specially crafted requests, from the web access management interface. 2019-01-10 not yet calculated CVE-2018-5403
EXPLOIT-DB
intel — nuc_firmware Improper setting of device configuration in system firmware for Intel(R) NUC kits may allow a privileged user to potentially enable escalation of privilege via physical access. 2019-01-10 not yet calculated CVE-2017-3718
CONFIRM
intel — optane_ssd_dc_p4800x Firmware update routine in bootloader for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access. 2019-01-10 not yet calculated CVE-2018-12167
CONFIRM
intel — optane_ssd_dc_p4800x Insufficient write protection in firmware for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access. 2019-01-10 not yet calculated CVE-2018-12166
CONFIRM
intel — proset/wireless_wifi_software Improper directory permissions in the ZeroConfig service in Intel(R) PROSet/Wireless WiFi Software before version 20.90.0.7 may allow an authorized user to potentially enable escalation of privilege via local access. 2019-01-10 not yet calculated CVE-2018-12177
CONFIRM
intel — sgx_sdk_and_platform_software_for_window Improper file verification in install routine for Intel(R) SGX SDK and Platform Software for Windows before 2.2.100 may allow an escalation of privilege via local access. 2019-01-10 not yet calculated CVE-2018-18098
CONFIRM
intel — ssd_data_center_tool_for_windows Improper directory permissions in the installer for the Intel(R) SSD Data Center Tool for Windows before v3.0.17 may allow authenticated users to potentially enable an escalation of privilege via local access. 2019-01-10 not yet calculated CVE-2018-3703
CONFIRM
intel — system_support_utility_for_windows Insufficient path checking in Intel(R) System Support Utility for Windows before 2.5.0.15 may allow an authenticated user to potentially enable an escalation of privilege via local access. 2019-01-10 not yet calculated CVE-2019-0088
CONFIRM
irssi — irssi Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer. 2019-01-09 not yet calculated CVE-2019-5882
MISC
MISC
MISC
japan_atomic_energy_agency — mapping_tool Untrusted search path vulnerability in Installer of Mapping Tool 2.0.1.6 and 2.0.1.7 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-01-09 not yet calculated CVE-2018-16176
MISC
JVN
jenkins — jenkins An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 2019-01-09 not yet calculated CVE-2018-1000412
CONFIRM
jenkins — jenkins An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings. 2019-01-09 not yet calculated CVE-2018-1000422
CONFIRM
jenkins — jenkins A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins. 2019-01-09 not yet calculated CVE-2018-1000407
CONFIRM
jenkins — jenkins A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory. 2019-01-09 not yet calculated CVE-2018-1000408
CONFIRM
jenkins — jenkins A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account. 2019-01-09 not yet calculated CVE-2018-1000409
CONFIRM
jenkins — jenkins A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages. 2019-01-09 not yet calculated CVE-2018-1000426
CONFIRM
jenkins — jenkins An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube. 2019-01-09 not yet calculated CVE-2018-1000425
CONFIRM
jenkins — jenkins An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2. 2019-01-09 not yet calculated CVE-2018-1000423
CONFIRM
jenkins — jenkins An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 2019-01-09 not yet calculated CVE-2018-1000421
CONFIRM
jenkins — jenkins A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. 2019-01-09 not yet calculated CVE-2018-1000411
CONFIRM
jenkins — jenkins An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins. 2019-01-09 not yet calculated CVE-2018-1000420
CONFIRM
jenkins — jenkins An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins. 2019-01-09 not yet calculated CVE-2018-1000419
CONFIRM
jenkins — jenkins An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 2019-01-09 not yet calculated CVE-2018-1000418
CONFIRM
jenkins — jenkins A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates. 2019-01-09 not yet calculated CVE-2018-1000417
CONFIRM
jenkins — jenkins A reflected cross-site scripting vulnerability exists in Jenkins Job Config History Plugin 2.18 and earlier in all Jelly files that shows arbitrary attacker-specified HTML in Jenkins to users with Job/Configure access. 2019-01-09 not yet calculated CVE-2018-1000416
CONFIRM
jenkins — jenkins An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. 2019-01-09 not yet calculated CVE-2018-1000410
CONFIRM
jenkins — jenkins A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions. 2019-01-09 not yet calculated CVE-2018-1000414
CONFIRM
jenkins — jenkins A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins. 2019-01-09 not yet calculated CVE-2018-1000413
CONFIRM
jenkins — jenkins A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms. 2019-01-09 not yet calculated CVE-2018-1000415
CONFIRM
jenkins — jenkins An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin. 2019-01-09 not yet calculated CVE-2018-1000424
CONFIRM
jenkins — jenkins A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. 2019-01-09 not yet calculated CVE-2018-1000406
CONFIRM
jpcert_coordination_center — logontracer LogonTracer 1.2.0 and earlier allows remote attackers to conduct Python code injection attacks via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16168
MISC
MISC
jpcert_coordination_center — logontracer Cross-site scripting vulnerability in LogonTracer 1.2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16165
MISC
MISC
jpcert_coordination_center — logontracer LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16166
MISC
MISC
jpcert_coordination_center — logontracer LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16167
MISC
MISC
lib60870 — lib60870 An issue was discovered in lib60870 2.1.1. LinkLayer_setAddress in link_layer/link_layer.c has a NULL pointer dereference. 2019-01-11 not yet calculated CVE-2019-6137
MISC
libiec61850 — libiec61850 An issue has been found in libIEC61850 v1.3.1. Ethernet_setProtocolFilter in hal/ethernet/linux/ethernet_linux.c has a SEGV, as demonstrated by sv_subscriber_example.c and sv_subscriber.c. 2019-01-11 not yet calculated CVE-2019-6136
MISC
libiec61850 — libiec61850 An issue has been found in libIEC61850 v1.3.1. Memory_malloc and Memory_calloc in hal/memory/lib_memory.c have memory leaks when called from mms/iso_mms/common/mms_value.c, server/mms_mapping/mms_mapping.c, and server/mms_mapping/mms_sv.c (via common/string_utilities.c), as demonstrated by iec61850_9_2_LE_example.c. 2019-01-11 not yet calculated CVE-2019-6138
MISC
libiec61850 — libiec61850 An issue has been found in libIEC61850 v1.3.1. Memory_malloc in hal/memory/lib_memory.c has a memory leak when called from Asn1PrimitiveValue_create in mms/asn1/asn1_ber_primitive_value.c, as demonstrated by goose_publisher_example.c and iec61850_9_2_LE_example.c. 2019-01-11 not yet calculated CVE-2019-6135
MISC
MISC
libpng — libpng png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. 2019-01-11 not yet calculated CVE-2019-6129
MISC
libtiff — libtiff The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. 2019-01-11 not yet calculated CVE-2019-6128
MISC
linux — linux_kernel The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. 2019-01-07 not yet calculated CVE-2019-5489
MISC
BID
MISC
MISC
MISC
MISC
linux — linux_kernel EARCLINK ESPCMS-P8 has SQL injection in the install_pack/index.php?ac=Member&at=verifyAccount verify_key parameter. install_pack/espcms_public/espcms_db.php may allow retrieving sensitive information from the ESPCMS database. 2019-01-07 not yet calculated CVE-2019-5488
MISC
lockon — ec-cube Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13, EC-CUBE 3.0.14, EC-CUBE 3.0.15, EC-CUBE 3.0.16) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16191
JVN
MISC
mate_desktop_environment — mate-screensaver mate-screensaver before 1.20.2 in MATE Desktop Environment allows physically proximate attackers to view screen content and possibly control applications. By unplugging and re-plugging or power-cycling external output devices (such as additionally attached graphical outputs via HDMI, VGA, DVI, etc.) the content of a screensaver-locked session can be revealed. In some scenarios, the attacker can execute applications, such as by clicking with a mouse. 2019-01-09 not yet calculated CVE-2018-20681
MISC
MISC
MISC
MISC
mcafee — web_gateway Improper input validation in the proxy component of McAfee Web Gateway 7.8.2.0 and later allows remote attackers to cause a denial of service via a crafted HTTP request parameter. 2019-01-09 not yet calculated CVE-2019-3581
CONFIRM
micronet — inplc INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0670. 2019-01-09 not yet calculated CVE-2018-0669
MISC
JVN
micronet — inplc Buffer overflow in INplc-RT 3.08 and earlier allows remote attackers to cause a denial-of-service (DoS) condition that may result in executing arbitrary code via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0668
MISC
JVN
micronet — inplc Privilege escalation vulnerability in INplc-RT 3.08 and earlier allows an attacker with administrator rights to execute arbitrary code on the Windows system via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0671
MISC
JVN
micronet — inplc INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0669. 2019-01-09 not yet calculated CVE-2018-0670
MISC
JVN
micronet — inplc Untrusted search path vulnerability in Installer of INplc SDK Express 3.08 and earlier and Installer of INplc SDK Pro+ 3.08 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-01-09 not yet calculated CVE-2018-0667
MISC
JVN
microsoft — .net_framework An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations, aka “.NET Framework Information Disclosure Vulnerability.” This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7/4.7.1/4.7.2, .NET Core 2.1, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 2.2, Microsoft .NET Framework 4.7.2. 2019-01-08 not yet calculated CVE-2019-0545
BID
REDHAT
CONFIRM
microsoft — asp.net_core A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka “ASP.NET Core Denial of Service Vulnerability.” This affects ASP.NET Core 2.2, ASP.NET Core 2.1. This CVE ID is unique from CVE-2019-0564. 2019-01-08 not yet calculated CVE-2019-0548
BID
REDHAT
CONFIRM
microsoft — edge An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object, aka “Microsoft Edge Elevation of Privilege Vulnerability.” This affects Microsoft Edge. 2019-01-08 not yet calculated CVE-2019-0566
BID
CONFIRM
microsoft — edge_and_chakracore A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka “Chakra Scripting Engine Memory Corruption Vulnerability.” This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0567. 2019-01-08 not yet calculated CVE-2019-0568
BID
CONFIRM
microsoft — edge_and_chakracore A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka “Chakra Scripting Engine Memory Corruption Vulnerability.” This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0567, CVE-2019-0568. 2019-01-08 not yet calculated CVE-2019-0539
BID
CONFIRM
microsoft — edge_and_chakracore A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka “Chakra Scripting Engine Memory Corruption Vulnerability.” This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0568. 2019-01-08 not yet calculated CVE-2019-0567
BID
CONFIRM
microsoft — exchange_server A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka “Microsoft Exchange Memory Corruption Vulnerability.” This affects Microsoft Exchange Server. 2019-01-08 not yet calculated CVE-2019-0586
BID
CONFIRM
microsoft — exchange_server An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka “Microsoft Exchange Information Disclosure Vulnerability.” This affects Microsoft Exchange Server. 2019-01-08 not yet calculated CVE-2019-0588
BID
CONFIRM
microsoft — multiple_products An information disclosure vulnerability exists when Microsoft Word macro buttons are used improperly, aka “Microsoft Word Information Disclosure Vulnerability.” This affects Microsoft Word, Office 365 ProPlus, Microsoft Office, Word. 2019-01-08 not yet calculated CVE-2019-0561
BID
CONFIRM
microsoft — multiple_products A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input, aka “MSHTML Engine Remote Code Execution Vulnerability.” This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus. 2019-01-08 not yet calculated CVE-2019-0541
BID
CONFIRM
microsoft — multiple_products A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka “Microsoft Word Remote Code Execution Vulnerability.” This affects Word, Microsoft Office, Microsoft Office Word Viewer, Office 365 ProPlus, Microsoft SharePoint, Microsoft Office Online Server, Microsoft Word, Microsoft SharePoint Server. 2019-01-08 not yet calculated CVE-2019-0585
BID
CONFIRM
microsoft — multiple_products A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka “Microsoft Office SharePoint XSS Vulnerability.” This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557. 2019-01-08 not yet calculated CVE-2019-0558
BID
CONFIRM
microsoft — sharepoint A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka “Microsoft Office SharePoint XSS Vulnerability.” This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558. 2019-01-08 not yet calculated CVE-2019-0556
BID
CONFIRM
microsoft — sharepoint An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka “Microsoft SharePoint Elevation of Privilege Vulnerability.” This affects Microsoft SharePoint Server, Microsoft SharePoint. 2019-01-08 not yet calculated CVE-2019-0562
BID
CONFIRM
microsoft — sharepoint A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka “Microsoft Office SharePoint XSS Vulnerability.” This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0556, CVE-2019-0558. 2019-01-08 not yet calculated CVE-2019-0557
BID
CONFIRM
microsoft — skype_for_android An elevation of privilege vulnerability exists when Skype for Android fails to properly handle specific authentication requests, aka “Skype for Android Elevation of Privilege Vulnerability.” This affects Skype 8.35. 2019-01-08 not yet calculated CVE-2019-0622
BID
CONFIRM
microsoft — visual_studio A remote code execution vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs, aka “Visual Studio Remote Code Execution Vulnerability.” This affects Microsoft Visual Studio. 2019-01-08 not yet calculated CVE-2019-0546
BID
CONFIRM
microsoft — visual_studio An information disclosure vulnerability exists when Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file, aka “Microsoft Visual Studio Information Disclosure Vulnerability.” This affects Microsoft Visual Studio. 2019-01-08 not yet calculated CVE-2019-0537
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka “Windows Data Sharing Service Elevation of Privilege Vulnerability.” This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0572, CVE-2019-0573, CVE-2019-0574. 2019-01-08 not yet calculated CVE-2019-0571
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory, aka “Windows Runtime Elevation of Privilege Vulnerability.” This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. 2019-01-08 not yet calculated CVE-2019-0570
BID
CONFIRM
microsoft — windows An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka “Windows Kernel Information Disclosure Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0536, CVE-2019-0549, CVE-2019-0554. 2019-01-08 not yet calculated CVE-2019-0569
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0538
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka “Windows Hyper-V Remote Code Execution Vulnerability.” This affects Windows 10 Servers, Windows 10, Windows Server 2019. This CVE ID is unique from CVE-2019-0551. 2019-01-08 not yet calculated CVE-2019-0550
BID
CONFIRM
microsoft — windows An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka “Windows Kernel Information Disclosure Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0536, CVE-2019-0554, CVE-2019-0569. 2019-01-08 not yet calculated CVE-2019-0549
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka “Microsoft Windows Elevation of Privilege Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. 2019-01-08 not yet calculated CVE-2019-0543
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser, aka “Microsoft XmlDocument Elevation of Privilege Vulnerability.” This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. 2019-01-08 not yet calculated CVE-2019-0555
BID
CONFIRM
microsoft — windows An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka “Windows Kernel Information Disclosure Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0536, CVE-2019-0549, CVE-2019-0569. 2019-01-08 not yet calculated CVE-2019-0554
BID
CONFIRM
microsoft — windows An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory, aka “Windows Subsystem for Linux Information Disclosure Vulnerability.” This affects Windows 10 Servers, Windows 10, Windows Server 2019. 2019-01-08 not yet calculated CVE-2019-0553
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka “Windows Data Sharing Service Elevation of Privilege Vulnerability.” This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0571, CVE-2019-0572, CVE-2019-0574. 2019-01-08 not yet calculated CVE-2019-0573
BID
CONFIRM
microsoft — windows An elevation of privilege exists in Windows COM Desktop Broker, aka “Windows COM Elevation of Privilege Vulnerability.” This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. 2019-01-08 not yet calculated CVE-2019-0552
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka “Windows Hyper-V Remote Code Execution Vulnerability.” This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0550. 2019-01-08 not yet calculated CVE-2019-0551
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka “Windows Data Sharing Service Elevation of Privilege Vulnerability.” This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0571, CVE-2019-0573, CVE-2019-0574. 2019-01-08 not yet calculated CVE-2019-0572
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0576
BID
CONFIRM
microsoft — windows An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka “Windows Data Sharing Service Elevation of Privilege Vulnerability.” This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0571, CVE-2019-0572, CVE-2019-0573. 2019-01-08 not yet calculated CVE-2019-0574
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0577
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0581
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0582
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0578
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0579
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0580
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0583
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583. 2019-01-08 not yet calculated CVE-2019-0584
BID
CONFIRM
microsoft — windows A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka “Jet Database Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0538, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584. 2019-01-08 not yet calculated CVE-2019-0575
BID
CONFIRM
microsoft — windows An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka “Windows Kernel Information Disclosure Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2019-0549, CVE-2019-0554, CVE-2019-0569. 2019-01-08 not yet calculated CVE-2019-0536
BID
CONFIRM
mizuho_bank — mizuho_direct_app_for_android The Mizuho Direct App for Android version 3.13.0 and earlier does not verify server certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2019-01-09 not yet calculated CVE-2018-16179
MISC
MISC
modulemd — modulemd modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution. 2019-01-10 not yet calculated CVE-2017-1002157
CONFIRM
nec — aterm_wf1200cr_and_aterm_wg1200cr Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands via SOAP interface of UPnP. 2019-01-09 not yet calculated CVE-2018-16195
MISC
JVN
nec — aterm_wf1200cr_and_aterm_wg1200cr Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allow an attacker on the same network segment to obtain information registered on the device via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16192
MISC
JVN
nec — aterm_wf1200cr_and_aterm_wg1200cr Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16193
MISC
JVN
nec — aterm_wf1200cr_and_aterm_wg1200cr Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allows authenticated attackers to execute arbitrary OS commands via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16194
MISC
JVN
nelson — open_source_erp Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter. 2019-01-10 not yet calculated CVE-2019-5893
MISC
EXPLOIT-DB
netapp — oncommand_unified_manager_for_7-mode OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 uses cookies that lack the secure attribute in certain circumstances making it vulnerable to impersonation via man-in-the-middle (MITM) attacks. 2019-01-07 not yet calculated CVE-2018-5481
CONFIRM
nippon_telegraph_and_telephone_west_corporation — security_measures_tool Untrusted search path vulnerability in The installer of Windows10 Fall Creators Update Modify module for Security Measures tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-01-09 not yet calculated CVE-2018-16177
MISC
JVN
npm — cordova-plugin-ionic-webview Directory traversal vulnerability in cordova-plugin-ionic-webview versions prior to 2.2.0 (not including 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, and 2.1.0-0) allows remote attackers to access arbitrary files via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16202
MISC
JVN
MISC
openssh — openssh In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. 2019-01-10 not yet calculated CVE-2018-20685
BID
MISC
MISC
panasonic — bn-sdwbp3_firmware Buffer overflow in BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to execute arbitrary code via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0678
JVN
MISC
panasonic — bn-sdwbp3_firmware BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker with administrator rights on the same network segment to execute arbitrary OS commands via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0677
JVN
MISC
panasonic — bn-sdwbp3_firmware BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to bypass authentication to access the management screen and execute an arbitrary command via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0676
JVN
MISC
panasonic — multiple_pcs An unquoted search path vulnerability in some pre-installed applications on Panasonic PCs running Windows 7 (32bit), Windows 7 (64bit), Windows 8 (64bit), Windows 8.1 (64bit), Windows 10 (64bit) delivered in or later than October 2009 allows local users to gain privileges via a Trojan horse executable file and execute arbitrary code with elevated privileges. 2019-01-09 not yet calculated CVE-2018-16183
JVN
MISC
pgpool — global_development_group_pgpooladmin PgpoolAdmin 4.0 and earlier allows remote attackers to bypass the login authentication and obtain the administrative privilege of the PostgreSQL database via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16203
JVN
MISC
phpscriptsmall.com — advance_peer_to_peer_mlm_script The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1.7.0 allows remote attackers to bypass intended access restrictions by directly navigating to admin/dashboard.php or admin/user.php, as demonstrated by disclosure of information about users and staff. 2019-01-11 not yet calculated CVE-2019-6126
MISC
phpscriptsmall.com — citysearch_/_hotfrog_/_gelbeseiten_clone_script PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php. 2019-01-12 not yet calculated CVE-2019-6248
MISC
pivotal — concourse Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user’s browser history could obtain the access token and use it to authenticate as the user. 2019-01-11 not yet calculated CVE-2019-3803
CONFIRM
policykit — policykit In PolicyKit (aka polkit) 0.115, the “start time” protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. 2019-01-11 not yet calculated CVE-2019-6133
MISC
MISC
MISC
MISC
qibosoft — qibosoft qibosoft through V7 allows remote attackers to read arbitrary files via the member/index.php main parameter, as demonstrated by SSRF to a URL on the same web site to read a .sql file. 2019-01-08 not yet calculated CVE-2019-5725
MISC
rakuten_securities — market_speed Untrusted search path vulnerability in the installer of MARKET SPEED Ver.16.4 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. 2019-01-09 not yet calculated CVE-2018-16182
JVN
MISC
red_hat — satellite A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable. 2019-01-12 not yet calculated CVE-2018-16887
CONFIRM
ricoh — interactive_whiteboard RICOH Interactive Whiteboard D2200 V1.6 to V2.2, D5500 V1.6 to V2.2, D5510 V1.6 to V2.2, and the display versions with RICOH Interactive Whiteboard Controller Type1 V1.6 to V2.2 attached (D5520, D6500, D6510, D7500, D8400) allows remote attackers to execute arbitrary commands via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16184
JVN
MISC
ricoh — interactive_whiteboard The RICOH Interactive Whiteboard D2200 V1.3 to V2.2, D5500 V1.3 to V2.2, D5510 V1.3 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.3 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) does not verify its server certificates, which allows man-in-the-middle attackers to eavesdrop on encrypted communication. 2019-01-09 not yet calculated CVE-2018-16187
JVN
MISC
ricoh — interactive_whiteboard RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D5510 V1.1 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.1 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) uses hard-coded credentials, which may allow an attacker on the same network segment to log in to the administrator's settings screen and change the configuration. 2019-01-09 not yet calculated CVE-2018-16186
JVN
MISC
ricoh — interactive_whiteboard RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D5510 V1.1 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.1 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) allows remote attackers to execute a malicious program. 2019-01-09 not yet calculated CVE-2018-16185
JVN
MISC
ricoh — interactive_whiteboard SQL injection vulnerability in the RICOH Interactive Whiteboard D2200 V1.3 to V2.2, D5500 V1.3 to V2.2, D5510 V1.3 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.3 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16188
JVN
MISC
sap — business_objects_mobile_for_android SAP Business Objects Mobile for Android (before 6.3.5) application allows an attacker to provide malicious input in the form of a SAP BI link, preventing legitimate users from accessing the application by crashing it. 2019-01-08 not yet calculated CVE-2019-0240
BID
MISC
MISC
sap — bw/4hana Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 2019-01-08 not yet calculated CVE-2019-0243
BID
MISC
MISC
sap — cloud_connector SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. 2019-01-08 not yet calculated CVE-2019-0247
MISC
MISC
sap — cloud_connector SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity. 2019-01-08 not yet calculated CVE-2019-0246
BID
MISC
MISC
sap — commerce SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. 2019-01-08 not yet calculated CVE-2019-0238
BID
MISC
MISC
sap — crm_webclient_ui SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. 2019-01-08 not yet calculated CVE-2019-0244
BID
MISC
MISC
sap — crm_webclient_ui SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. 2019-01-08 not yet calculated CVE-2019-0245
BID
MISC
MISC
sap — enterprise_financial_services SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. 2019-01-08 not yet calculated CVE-2018-2484
BID
MISC
MISC
sap — financial_consolidation_cube_designer A security weakness in SAP Financial Consolidation Cube Designer (BOBJ_EADES fixed in versions 8.0, 10.1) may allow an attacker to discover the password hash of an admin user. 2019-01-08 not yet calculated CVE-2018-2499
BID
MISC
MISC
sap — gateway_of_abap_application_server Under certain conditions SAP Gateway of ABAP Application Server (fixed in SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) allows an attacker to access information which would otherwise be restricted. 2019-01-08 not yet calculated CVE-2019-0248
BID
MISC
MISC
sap — landscape_management Under certain conditions SAP Landscape Management (VCM 3.0) allows an attacker to access information which would otherwise be restricted. 2019-01-08 not yet calculated CVE-2019-0249
BID
MISC
MISC
sap — work_and_inventory_manager SAP Work and Inventory Manager (Agentry_SDK , before 7.0, 7.1) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. 2019-01-08 not yet calculated CVE-2019-0241
BID
MISC
MISC
seiko_epson — printers_and_scanners HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware versions released prior to 2017 August 1, EP-807AB/AW/AR firmware versions released prior to 2017 August 1, EP-808AB/AW/AR firmware versions released prior to 2017 August 7, EP-879AB/AW/AR firmware versions released prior to 2017 June 12, EP-907F firmware versions released prior to 2017 August 1, EP-977A3 firmware versions released prior to 2017 August 1, EP-978A3 firmware versions released prior to 2017 August 7, EP-979A3 firmware versions released prior to 2017 June 12, EP-M570T firmware versions released prior to 2017 September 6, EW-M5071FT firmware versions released prior to 2017 November 2, EW-M660FT firmware versions released prior to 2018 April 19, EW-M770T firmware versions released prior to 2017 September 6, PF-70 firmware versions released prior to 2018 April 20, PF-71 firmware versions released prior to 2017 July 18, PF-81 firmware versions released prior to 2017 September 14, PX-048A firmware versions released prior to 2017 July 4, PX-049A firmware versions released prior to 2017 September 11, PX-437A firmware versions released prior to 2017 July 24, PX-M350F firmware versions released prior to 2018 February 23, PX-M5040F firmware versions released prior to 2017 November 20, PX-M5041F firmware versions released prior to 2017 November 20, PX-M650A firmware versions released prior to 2017 October 17, PX-M650F firmware versions released prior to 2017 October 17, PX-M680F firmware versions released prior to 2017 June 29, PX-M7050F firmware versions released prior to 2017 October 13, PX-M7050FP firmware versions released prior to 2017 October 13, PX-M7050FX firmware versions released prior to 2017 November 7, PX-M7070FX firmware versions released prior to 2017 April 27, PX-M740F firmware versions released prior to 2017 December 4, PX-M741F firmware versions released prior to 2017 December 4, PX-M780F firmware versions released prior to 2017 June 29, PX-M781F firmware versions released prior to 2017 June 27, PX-M840F firmware versions released prior to 2017 November 16, PX-M840FX firmware versions released prior to 2017 December 8, PX-M860F firmware versions released prior to 2017 October 25, PX-S05B/W firmware versions released prior to 2018 March 9, PX-S350 firmware versions released prior to 2018 February 23, PX-S5040 firmware versions released prior to 2017 November 20, PX-S7050 firmware versions released prior to 2018 February 21, PX-S7050PS firmware versions released prior to 2018 February 21, PX-S7050X firmware versions released prior to 2017 November 7, PX-S7070X firmware versions released prior to 2017 April 27, PX-S740 firmware versions released prior to 2017 December 3, PX-S840 firmware versions released prior to 2017 November 16, PX-S840X firmware versions released prior to 2017 December 8, PX-S860 firmware versions released prior to 2017 December 7) may allow remote attackers to lead a user to a phishing site or execute an arbitrary script on the user’s web browser. 2019-01-09 not yet calculated CVE-2018-0689
JVN
MISC
seiko_epson — printers_and_scanners Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware versions released prior to 2017 August 1, EP-807AB/AW/AR firmware versions released prior to 2017 August 1, EP-808AB/AW/AR firmware versions released prior to 2017 August 7, EP-879AB/AW/AR firmware versions released prior to 2017 June 12, EP-907F firmware versions released prior to 2017 August 1, EP-977A3 firmware versions released prior to 2017 August 1, EP-978A3 firmware versions released prior to 2017 August 7, EP-979A3 firmware versions released prior to 2017 June 12, EP-M570T firmware versions released prior to 2017 September 6, EW-M5071FT firmware versions released prior to 2017 November 2, EW-M660FT firmware versions released prior to 2018 April 19, EW-M770T firmware versions released prior to 2017 September 6, PF-70 firmware versions released prior to 2018 April 20, PF-71 firmware versions released prior to 2017 July 18, PF-81 firmware versions released prior to 2017 September 14, PX-048A firmware versions released prior to 2017 July 4, PX-049A firmware versions released prior to 2017 September 11, PX-437A firmware versions released prior to 2017 July 24, PX-M350F firmware versions released prior to 2018 February 23, PX-M5040F firmware versions released prior to 2017 November 20, PX-M5041F firmware versions released prior to 2017 November 20, PX-M650A firmware versions released prior to 2017 October 17, PX-M650F firmware versions released prior to 2017 October 17, PX-M680F firmware versions released prior to 2017 June 29, PX-M7050F firmware versions released prior to 2017 October 13, PX-M7050FP firmware versions released prior to 2017 October 13, PX-M7050FX firmware versions released prior to 2017 November 7, PX-M7070FX firmware versions released prior to 2017 April 27, PX-M740F firmware versions released prior to 2017 December 4, PX-M741F firmware versions released prior to 2017 December 4, PX-M780F firmware versions released prior to 2017 June 29, PX-M781F firmware versions released prior to 2017 June 27, PX-M840F firmware versions released prior to 2017 November 16, PX-M840FX firmware versions released prior to 2017 December 8, PX-M860F firmware versions released prior to 2017 October 25, PX-S05B/W firmware versions released prior to 2018 March 9, PX-S350 firmware versions released prior to 2018 February 23, PX-S5040 firmware versions released prior to 2017 November 20, PX-S7050 firmware versions released prior to 2018 February 21, PX-S7050PS firmware versions released prior to 2018 February 21, PX-S7050X firmware versions released prior to 2017 November 7, PX-S7070X firmware versions released prior to 2017 April 27, PX-S740 firmware versions released prior to 2017 December 3, PX-S840 firmware versions released prior to 2017 November 16, PX-S840X firmware versions released prior to 2017 December 8, PX-S860 firmware versions released prior to 2017 December 7) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the web interface of the affected product. 2019-01-09 not yet calculated CVE-2018-0688
JVN
MISC
shopxo — shopxo An issue was discovered in ShopXO 1.2.0. In the UnlinkDir method of the FileUtil.php file, the input parameters are not checked, resulting in input mishandling by the rmdir method. Attackers can delete arbitrary files by using “../” directory traversal. 2019-01-10 not yet calculated CVE-2019-5887
MISC
shopxo — shopxo An issue was discovered in ShopXO 1.2.0. In the application\install\controller\Index.php file, the Add method does not check for the installation lock file, which allows an attacker to reinstall the database. The attacker can write arbitrary code to database.php during system reinstallation. 2019-01-10 not yet calculated CVE-2019-5886
MISC
svgpp — svgpp An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3. A heap-based buffer overflow bug in svgpp_agg_render may lead to code execution. In the render_scanlines_aa_solid function, the blend_hline function is called repeatedly multiple times. blend_hline is equivalent to a loop containing write operations. Each call writes a piece of heap data, and multiple calls overwrite the data in the heap. 2019-01-12 not yet calculated CVE-2019-6247
MISC
svgpp — svgpp An issue was discovered in SVG++ (aka svgpp) 1.2.3. After calling the gil::get_color function in Generic Image Library in Boost, the return code is used as an address, leading to an Access Violation because of an out-of-bounds read. 2019-01-12 not yet calculated CVE-2019-6246
MISC
svgpp — svgpp An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3. In the function agg::cell_aa::not_equal, dx is assigned to (x2 - x1). If dx >= dx_limit, which is (16384 << poly_subpixel_shift), this function will call itself recursively. There can be a situation where (x2 - x1) is always bigger than dx_limit during the recursion, leading to continual stack consumption. 2019-01-12 not yet calculated CVE-2019-6245
MISC
systemd-journald — systemd-journald An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ‘:’. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable. 2019-01-11 not yet calculated CVE-2018-16866
BID
CONFIRM
UBUNTU
MISC
systemd-journald — systemd-journald An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable. 2019-01-11 not yet calculated CVE-2018-16865
BID
CONFIRM
UBUNTU
MISC
systemd-journald — systemd-journald An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges. Versions through v240 are vulnerable. 2019-01-11 not yet calculated CVE-2018-16864
BID
CONFIRM
UBUNTU
MISC

toshiba — toshiba_home_gateway_hem-gw16a_and_hem-gw26a Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an attacker on the same network segment to bypass access restriction to access the information and files stored on the affected device. 2019-01-09 not yet calculated CVE-2018-16197
MISC
JVN
toshiba — toshiba_home_gateway_hem-gw16a_and_hem-gw26a Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier may allow an attacker on the same network segment to access a non-documented developer screen to perform operations on the affected device. 2019-01-09 not yet calculated CVE-2018-16198
MISC
JVN
toshiba — toshiba_home_gateway_hem-gw16a_and_hem-gw26a Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows a remote attacker to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16199
MISC
JVN
toshiba — toshiba_home_gateway_hem-gw16a_and_hem-gw26a Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier allows an attacker on the same network segment to execute arbitrary OS commands. 2019-01-09 not yet calculated CVE-2018-16200
MISC
JVN
toshiba — toshiba_home_gateway_hem-gw16a_and_hem-gw26a Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier uses hard-coded credentials, which may allow an attacker on the same network segment to log in to the administrator settings screen and change the configuration or execute arbitrary OS commands. 2019-01-09 not yet calculated CVE-2018-16201
MISC
JVN
traccar — traccar_server In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. 2019-01-09 not yet calculated CVE-2019-5748
MISC
MISC
usualtoolcms — usualtoolcms An issue was discovered in UsualToolCMS 8.0. cmsadmin/a_sqlbackx.php?t=sql allows CSRF attacks that can execute SQL statements, and consequently execute arbitrary PHP code by writing that code into a .php file. 2019-01-11 not yet calculated CVE-2019-6244
MISC
weseek — growi Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal. 2019-01-09 not yet calculated CVE-2018-16205
JVN
MISC
weseek — growi Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0698
JVN
MISC
windows — dhcp_client A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client, aka “Windows DHCP Client Remote Code Execution Vulnerability.” This affects Windows 10, Windows 10 Servers. 2019-01-08 not yet calculated CVE-2019-0547
BID
CONFIRM
winscp — winscp In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp. 2019-01-10 not yet calculated CVE-2018-20684
BID
MISC
MISC
MISC
wireshark — wireshark In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector and other ASN.1 dissectors could crash. This was addressed in epan/charsets.c by adding a get_t61_string length check. 2019-01-08 not yet calculated CVE-2019-5718
BID
MISC
MISC
MISC
wireshark — wireshark In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the ISAKMP dissector could crash. This was addressed in epan/dissectors/packet-isakmp.c by properly handling the case of a missing decryption data block. 2019-01-08 not yet calculated CVE-2019-5719
MISC
MISC
MISC
wireshark — wireshark In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the P_MUL dissector could crash. This was addressed in epan/dissectors/packet-p_mul.c by rejecting the invalid sequence number of zero. 2019-01-08 not yet calculated CVE-2019-5717
BID
MISC
MISC
MISC
wireshark — wireshark In Wireshark 2.4.0 to 2.4.11, the ENIP dissector could crash. This was addressed in epan/dissectors/packet-enip.c by changing the memory-management approach so that a use-after-free is avoided. 2019-01-08 not yet calculated CVE-2019-5721
MISC
MISC
MISC
wireshark — wireshark In Wireshark 2.6.0 to 2.6.5, the 6LoWPAN dissector could crash. This was addressed in epan/dissectors/packet-6lowpan.c by avoiding use of a TVB before its creation. 2019-01-08 not yet calculated CVE-2019-5716
BID
MISC
MISC
MISC
wordpress — wordpress Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-12 not yet calculated CVE-2018-16206
JVN
MISC
wordpress — wordpress SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16175
JVN
MISC
wordpress — wordpress Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16174
JVN
MISC
wordpress — wordpress Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16173
JVN
MISC
wordpress — wordpress The “Social Pug – Easy Social Share Buttons” plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter. 2019-01-09 not yet calculated CVE-2016-10736
MISC
wordpress — wordpress Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16164
JVN
MISC
MISC
MISC
wordpress — wordpress Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0.9 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16204
JVN
MISC
xiaocms — xiaocms An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table[] SQL injection. This can be used for PHP code execution via “INTO OUTFILE” with a .php filename. 2019-01-11 not yet calculated CVE-2019-6127
MISC
xterm.js — xterm.js A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka “Xterm Remote Code Execution Vulnerability.” This affects xterm.js. 2019-01-09 not yet calculated CVE-2019-0542
BID
MISC
yamaha — multiple_routers Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user’s web browser. This is a different vulnerability from CVE-2018-0666. 2019-01-09 not yet calculated CVE-2018-0665
MISC
MISC
JVN
MISC
yamaha — multiple_routers Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user’s web browser. This is a different vulnerability from CVE-2018-0665. 2019-01-09 not yet calculated CVE-2018-0666
MISC
MISC
JVN
MISC
yokogawa — multiple_products Buffer overflow in the license management function of YOKOGAWA products (iDefine for ProSafe-RS R1.16.3 and earlier, STARDOM VDS R7.50 and earlier, STARDOM FCN/FCJ Simulator R4.20 and earlier, ASTPLANNER R15.01 and earlier, TriFellows V5.04 and earlier) allows remote attackers to stop the license management function or execute an arbitrary program via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-0651
BID
MISC
MISC
yokogawa — multiple_products Multiple Yokogawa products that contain Vnet/IP Open Communication Driver (CENTUM CS 3000(R3.05.00 – R3.09.50), CENTUM CS 3000 Entry Class(R3.05.00 – R3.09.50), CENTUM VP(R4.01.00 – R6.03.10), CENTUM VP Entry Class(R4.01.00 – R6.03.10), Exaopc(R3.10.00 – R3.75.00), PRM(R2.06.00 – R3.31.00), ProSafe-RS(R1.02.00 – R4.02.00), FAST/TOOLS(R9.02.00 – R10.02.00), B/M9000 VP(R6.03.01 – R8.01.90)) allows remote attackers to cause a denial of service that may result in stopping Vnet/IP Open Communication Driver’s communication via unspecified vectors. 2019-01-09 not yet calculated CVE-2018-16196
BID
MISC
MISC
