US-CERT - SB18-099: Vulnerability Summary for the Week of April 2, 2018
Original release date: April 09, 2018
Back to top
Back to top
Back to top
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| There were no high vulnerabilities recorded this week. | ||||
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| There were no medium vulnerabilities recorded this week. | ||||
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| There were no low vulnerabilities recorded this week. | ||||
Severity Not Yet Assigned
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| allen_bradley -- micrologix_1400_series_b_firmware | An exploitable insufficient resource pool vulnerability exists in the session communication functionality of Allen Bradley Micrologix 1400 Series B Firmware 21.2 and before. A specially crafted stream of packets can cause a flood of the session resource pool resulting in legitimate connections to the PLC being disconnected. An attacker can send unauthenticated packets to trigger this vulnerability. | 2018-04-05 | not yet calculated | CVE-2017-12093 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Codes: 0023, 002e, and 0037 Fault Type: Recoverable Description: The STI, EII, and HSC function files contain bits signifying whether or not a fault has occurred. Additionally there is a bit signaling the module to auto start. When these bits are set for any of the three modules and the device is moved into a run state, a fault is triggered. | 2018-04-05 | not yet calculated | CVE-2017-14471 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG or RUN Description: The value 0xffffffff is considered NaN for the Float data type. When a float is set to this value and used in the PLC, a fault is triggered. NOTE: This is not possible through RSLogix. | 2018-04-05 | not yet calculated | CVE-2017-14470 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Description: The filetype 0x03 allows users write access, allowing the ability to overwrite the Master Password value stored in the file. | 2018-04-05 | not yet calculated | CVE-2017-14466 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Description: This ability is leveraged in a larger exploit to flash custom firmware. | 2018-04-05 | not yet calculated | CVE-2017-14468 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG (also RUN for some) Description: Allows an attacker to enable SNMP, Modbus, DNP, and any other features in the channel configuration. Also allows attackers to change network parameters, such as IP address, name server, and domain name. | 2018-04-05 | not yet calculated | CVE-2017-14462 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability.Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0001 Fault Type: Non-User Description: A fault state can be triggered by setting the NVRAM/memory module user program mismatch bit (S2:9) when a memory module is NOT installed. | 2018-04-05 | not yet calculated | CVE-2017-14464 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable denial of service vulnerability exists in the program download functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a device fault resulting in halted operations. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2018-04-05 | not yet calculated | CVE-2017-12089 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0012 Fault Type: Non-User Description: A fault state can be triggered by overwriting the ladder logic data file (type 0x22 number 0x02) with null values. | 2018-04-05 | not yet calculated | CVE-2017-14463 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: Any Description: Requests a specific set of bytes from an undocumented data file and returns the ASCII version of the master password. | 2018-04-05 | not yet calculated | CVE-2017-14472 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0028 Fault Type: Non-User Description: Values 0x01 and 0x02 are invalid values for the user fault routine. By writing directly to the file it is possible to set these values. When this is done and the device is moved into a run state, a fault is triggered. NOTE: This is not possible through RSLogix. | 2018-04-05 | not yet calculated | CVE-2017-14469 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE Description: Any input or output can be forced, causing unpredictable activity from the PLC. | 2018-04-05 | not yet calculated | CVE-2017-14465 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE Description: Live rung edits are able to be made by an unauthenticated user allowing for addition, deletion, or modification of existing ladder logic. Additionally, faults and cpu state modification can be triggered if specific ladder logic is used. | 2018-04-05 | not yet calculated | CVE-2017-14467 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable denial of service vulnerability exists in the processing of snmp-set commands of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted snmp-set request, when sent without associated firmware flashing snmp-set commands, can cause a device power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability. | 2018-04-05 | not yet calculated | CVE-2017-12090 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: Any Description: Reads the encoded ladder logic from its data file and print it out in HEX. | 2018-04-05 | not yet calculated | CVE-2017-14473 MISC |
| allen_bradley -- micrologix_1400_series_b_frn | An exploitable denial of service vulnerability exists in the Ethernet functionality of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted packet can cause a device power cycle resulting in a fault state and deletion of ladder logic. An attacker can send one unauthenticated packet to trigger this vulnerability | 2018-04-05 | not yet calculated | CVE-2017-12088 MISC |
| apache -- hive_jdbc_driver | This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation. | 2018-04-05 | not yet calculated | CVE-2018-1282 MLIST |
| apache -- hive | In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false. | 2018-04-05 | not yet calculated | CVE-2018-1284 MLIST |
| apache -- hive | In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect hive cli user and hiveserver2 user as hplsql is a separate command line script and needs to be invoked differently. | 2018-04-05 | not yet calculated | CVE-2018-1315 MLIST |
| apache -- ignite | In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer. | 2018-04-02 | not yet calculated | CVE-2018-1295 MLIST |
| apple -- ios_and_macos_and_tvos | An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows remote attackers to execute arbitrary code (on the Wi-Fi chip) or cause a denial of service (memory corruption) by leveraging proximity for 802.11. | 2018-04-03 | not yet calculated | CVE-2017-7065 BID CONFIRM CONFIRM CONFIRM |
| apple -- ios_and_macos_and_watchos | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. watchOS before 4.3 is affected. The issue involves the "CoreFoundation" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4158 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM |
| apple -- ios_and_macos_and_watchos | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. watchOS before 4.2.2 is affected. The issue involves the "LinkPresentation" component. It allows remote attackers to cause a denial of service (resource consumption) via a crafted text message. | 2018-04-03 | not yet calculated | CVE-2018-4100 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "SQLite" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-7002 BID CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "Mail" component. It allows man-in-the-middle attackers to read S/MIME encrypted messages by leveraging an inconsistency in the user interface. | 2018-04-03 | not yet calculated | CVE-2018-4174 BID SECTRACK SECTRACK CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "PluginKit" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4156 BID SECTRACK SECTRACK CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "SQLite" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-7001 BID CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "Storage" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4154 BID SECTRACK SECTRACK CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "WindowServer" component. It allows attackers to bypass the Secure Input Mode protection mechanism, and log keystrokes of arbitrary apps, via a crafted app that scans key states. | 2018-04-03 | not yet calculated | CVE-2018-4131 BID SECTRACK SECTRACK CONFIRM CONFIRM MISC |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "Security" component. A race condition allows attackers to bypass intended entitlement restrictions for sending XPC messages via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-7004 CONFIRM CONFIRM EXPLOIT-DB |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "iCloud Drive" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4151 BID SECTRACK SECTRACK CONFIRM CONFIRM |
| apple -- ios_and_macos | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "SQLite" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-7000 BID BID REDHAT GENTOO CONFIRM CONFIRM DEBIAN |
| apple -- ios_and_safari_and_tvos | An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "JavaScriptCore" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that triggers prototype mishandling. | 2018-04-03 | not yet calculated | CVE-2017-2492 CONFIRM CONFIRM CONFIRM |
| apple -- ios_and_safari_and_tvos | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "JavaScriptCore" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-7005 CONFIRM CONFIRM CONFIRM EXPLOIT-DB |
| apple -- ios_and_tvos_and_watchos | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4109 CONFIRM CONFIRM CONFIRM |
| apple -- ios_and_tvos_and_watchos | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4095 BID SECTRACK MISC CONFIRM CONFIRM CONFIRM |
| apple -- ios_and_tvos_and_watchos | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4087 BID SECTRACK MISC CONFIRM CONFIRM CONFIRM EXPLOIT-DB |
| apple -- ios_and_tvos | An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. The issue involves the "App Store" component. It allows man-in-the-middle attackers to spoof password prompts. | 2018-04-03 | not yet calculated | CVE-2017-7164 CONFIRM CONFIRM |
| apple -- ios_and_tvos | An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. tvOS before 10.2.2 is affected. The issue involves the "Wi-Fi" component. It allows attackers to cause a denial of service (memory corruption on the Wi-Fi chip) by leveraging proximity for 802.11. | 2018-04-03 | not yet calculated | CVE-2017-7066 CONFIRM CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Profiles" component. It does not enforce the configuration profile's settings for whether pairings are allowed. | 2018-04-03 | not yet calculated | CVE-2017-13806 CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Telephony" component. A buffer overflow allows remote attackers to execute arbitrary code. | 2018-04-03 | not yet calculated | CVE-2018-4148 BID CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. The issue involves the "Safari Login AutoFill" component. It allows remote attackers to read autofilled data by leveraging lack of a user-confirmation requirement. | 2018-04-03 | not yet calculated | CVE-2018-4137 SECTRACK CONFIRM CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the user interface via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4134 BID SECTRACK CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Web App" component. It allows remote attackers to bypass intended restrictions on cookie persistence. | 2018-04-03 | not yet calculated | CVE-2018-4110 BID SECTRACK CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Files Widget" component. It allows physically proximate attackers to obtain sensitive information by leveraging the display of cached data on a locked device. | 2018-04-03 | not yet calculated | CVE-2018-4168 BID SECTRACK CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Find My iPhone" component. It allows physically proximate attackers to bypass the iCloud password requirement for disabling the "Find My iPhone" feature via vectors involving a backup restore. | 2018-04-03 | not yet calculated | CVE-2018-4172 BID SECTRACK CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Sandbox Profiles" component. It allows attackers to bypass intended access restrictions (for iCloud user records) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-6976 CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves alarm and timer handling in the "Clock" component. It allows physically proximate attackers to discover the iTunes e-mail address. | 2018-04-03 | not yet calculated | CVE-2018-4123 BID SECTRACK CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Telephony" component. It allows remote attackers to cause a denial of service (NULL pointer dereference and reboot) via a Class 0 SMS message. | 2018-04-03 | not yet calculated | CVE-2018-4140 BID SECTRACK CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Sandbox Profiles" component. It allows attackers to determine whether arbitrary files exist via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-13877 CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Notes" component. It allows local users to obtain sensitive information by reading search results that contain locked-note content. | 2018-04-03 | not yet calculated | CVE-2017-7075 CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "APNs" component. It allows man-in-the-middle attackers to track users by leveraging the transmission of client certificates. | 2018-04-03 | not yet calculated | CVE-2017-13863 CONFIRM |
| apple -- ios | An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "SafariViewController" component. It allows remote attackers to spoof the user interface via a crafted web site that leverages input into a partially loaded page. | 2018-04-03 | not yet calculated | CVE-2018-4149 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Spotlight" component. It allows local users to see results for other users' files. | 2018-04-03 | not yet calculated | CVE-2017-13839 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Admin Framework" component. It allows local users to discover a password by listing a process and its arguments during sysadminctl execution. | 2018-04-03 | not yet calculated | CVE-2018-4170 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app that performs kext loading. | 2018-04-03 | not yet calculated | CVE-2017-13827 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "Touch Bar Support" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4083 CONFIRM EXPLOIT-DB |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "DesktopServices" component. It allows local users to bypass intended access restrictions on home folder files. | 2018-04-03 | not yet calculated | CVE-2017-13851 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. macOS before 10.13 is affected. The issue involves the "CoreTypes" component. It allows remote attackers to trigger disk-image mounting via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-13890 BID SECTRACK CONFIRM CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "Kernel" component. It allows physically proximate attackers to bypass the screen-locking protection mechanism that should have been in place upon closing the lid. | 2018-04-03 | not yet calculated | CVE-2017-7070 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "PDFKit" component. It allows remote attackers to bypass intended restrictions on visiting URLs within a PDF document. | 2018-04-03 | not yet calculated | CVE-2018-4107 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "NVIDIA Graphics Drivers" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4138 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.12.6 is affected. The issue involves the "Font Importer" component. It allows remote attackers to cause a denial of service (memory corruption) or obtain sensitive information from process memory via a crafted font. | 2018-04-03 | not yet calculated | CVE-2017-13850 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "Sandbox" component. It allows bypass of a sandbox protection mechanism. | 2018-04-03 | not yet calculated | CVE-2018-4091 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Disk Management" component. It allows attackers to trigger truncation of an APFS volume password via an unspecified injection. | 2018-04-03 | not yet calculated | CVE-2018-4108 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4139 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "Wi-Fi" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4084 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4160 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4132 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Notes" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4152 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "IOFireWireFamily" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4135 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Bracketed Paste Mode of the "Terminal" component. It allows user-assisted attackers to inject arbitrary commands within pasted content. | 2018-04-03 | not yet calculated | CVE-2018-4106 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "IOHIDFamily" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4098 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.12.6 is affected. The issue involves the "AppleGraphicsControl" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-13853 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "ATS" component. It allows attackers to obtain sensitive information by leveraging symlink mishandling. | 2018-04-03 | not yet calculated | CVE-2018-4112 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4136 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "APFS" component. It allows attackers to trigger truncation of an APFS volume password via an unspecified injection. | 2018-04-03 | not yet calculated | CVE-2018-4105 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-7173 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Disk Images" component. It allows attackers to trigger an app launch upon mounting a crafted disk image. | 2018-04-03 | not yet calculated | CVE-2018-4176 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the "Security" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-7170 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4097 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Installer" component. It does not properly restrict an app's entitlements for accessing the FileVault unlock key. | 2018-04-03 | not yet calculated | CVE-2017-13837 CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Mail" component. It allows man-in-the-middle attackers to read S/MIME encrypted message content by sending HTML e-mail that references remote resources but lacks a valid S/MIME signature. | 2018-04-03 | not yet calculated | CVE-2018-4111 BID SECTRACK CONFIRM |
| apple -- macos | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "LaunchServices" component. It allows attackers to bypass the code-signing protection mechanism via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4175 BID SECTRACK CONFIRM |
| apple -- mulitple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4090 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM EXPLOIT-DB |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "File System Events" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4167 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4130 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows attackers to cause a denial of service (memory corruption) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4146 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4122 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4129 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "CoreAnimation" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-7171 CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.6 is affected. macOS before 10.13.3 Supplemental Update is affected. tvOS before 11.2.6 is affected. watchOS before 4.2.3 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a crafted string containing a certain Telugu character. | 2018-04-03 | not yet calculated | CVE-2018-4124 SECTRACK MISC CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is affected. The issue involves the fetch API in the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4117 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4125 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Kernel" component. It allows attackers to obtain sensitive network-activity information about arbitrary apps via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-13873 CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Audio" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted audio file. | 2018-04-03 | not yet calculated | CVE-2018-4094 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service (application crash) via a crafted file. | 2018-04-03 | not yet calculated | CVE-2017-7003 CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4114 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4162 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4093 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4128 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "CoreFoundation" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4155 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4104 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves a JavaScriptCore function in the "WebKit" component. It allows attackers to trigger an assertion failure by leveraging improper array indexing. | 2018-04-03 | not yet calculated | CVE-2018-4113 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4120 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted web site that sends a 401 Unauthorized redirect. | 2018-04-03 | not yet calculated | CVE-2017-7153 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM UBUNTU |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4119 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. Safari before 11.0.3 is affected. iCloud before 7.3 on Windows is affected. iTunes before 12.7.3 on Windows is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4096 BID SECTRACK SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM UBUNTU |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "CFNetwork Session" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-7172 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4143 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4118 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. Safari before 11.0.3 is affected. iCloud before 7.3 on Windows is affected. iTunes before 12.7.3 on Windows is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4088 BID SECTRACK SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM UBUNTU |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service (application crash) via a crafted string. | 2018-04-03 | not yet calculated | CVE-2018-4142 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "NSURLSession" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4166 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4082 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4101 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Quick Look" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4157 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted elements on a web site. | 2018-04-03 | not yet calculated | CVE-2017-2493 CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Security" component. It allows remote attackers to spoof certificate validation via crafted name constraints. | 2018-04-03 | not yet calculated | CVE-2018-4086 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Kernel" component. A race condition allows attackers to bypass intended memory-read restrictions via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4092 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4163 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4150 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. Safari before 11.0.3 is affected. tvOS before 11.2.5 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4089 BID SECTRACK SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM EXPLOIT-DB |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-13884 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM UBUNTU |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "QuartzCore" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4085 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-13854 CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4165 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | 2018-04-03 | not yet calculated | CVE-2017-13904 CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-13885 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM UBUNTU |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4127 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4121 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4161 SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-7165 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM UBUNTU |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves CFPreferences in the "System Preferences" component. It allows attackers to bypass intended access restrictions by leveraging incorrect configuration-profile persistence. | 2018-04-03 | not yet calculated | CVE-2018-4115 SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- multiple_products | An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Security" component. A buffer overflow allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2018-04-03 | not yet calculated | CVE-2018-4144 BID SECTRACK SECTRACK CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| apple -- safari | An issue was discovered in certain Apple products. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2017-7071 BID CONFIRM |
| apple -- safari | An issue was discovered in certain Apple products. Safari before 11.1 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4102 BID SECTRACK CONFIRM |
| apple -- safari | An issue was discovered in certain Apple products. Safari before 11.1 is affected. The issue involves the "WebKit" component. A Safari cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2018-04-03 | not yet calculated | CVE-2018-4133 BID SECTRACK CONFIRM |
| apple -- safari | An issue was discovered in certain Apple products. Safari before 11.0.2 is affected. The issue involves the "WebKit Web Inspector" component. It allows remote attackers to execute arbitrary code via special characters that trigger command injection. | 2018-04-03 | not yet calculated | CVE-2017-7161 CONFIRM UBUNTU |
| apple -- safari | An issue was discovered in certain Apple products. Safari before 11.1 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar via a crafted web site. | 2018-04-03 | not yet calculated | CVE-2018-4116 SECTRACK CONFIRM |
| apple -- xcode | An issue was discovered in certain Apple products. Xcode before 9.3 is affected. The issue, which is unspecified, involves the "LLVM" component. | 2018-04-03 | not yet calculated | CVE-2018-4164 MISC MISC BID SECTRACK MISC CONFIRM |
| apple -- xcode | An issue was discovered in certain Apple products. Xcode before 9.2 is affected. The issue involves the "ld64" component. A buffer overflow allows remote attackers to execute arbitrary code via crafted source code. | 2018-04-03 | not yet calculated | CVE-2017-7167 CONFIRM |
| asus -- multiple_routers | Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, RT-AC86U, RT-AC88U, RT-AC1900, RT-AC2900, and RT-AC3100 devices before 3.0.0.4.384_10007; RT-N18U devices before 3.0.0.4.382.39935; RT-AC87U and RT-AC3200 devices before 3.0.0.4.382.50010; and RT-AC5300 devices before 3.0.0.4.384.20287 allows OS command injection via the pingCNT and destIP fields of the SystemCmd variable. | 2018-04-04 | not yet calculated | CVE-2018-9285 MISC MISC |
| atlassian -- application_links | The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. | 2018-04-04 | not yet calculated | CVE-2017-18096 CONFIRM |
| atlassian -- jira | The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. | 2018-04-06 | not yet calculated | CVE-2017-18097 CONFIRM |
| atlassian -- jira | The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields. | 2018-04-06 | not yet calculated | CVE-2017-18098 CONFIRM |
| auth0 -- auth0 | The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated. | 2018-04-04 | not yet calculated | CVE-2018-6873 MISC |
| avatar_uploader -- avatar_uploader | Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path. | 2018-04-04 | not yet calculated | CVE-2018-9205 MISC MISC MISC |
| axis -- m1033-w_ip_camera_firmware | ** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "
|