Default credentials in Adobe Experience Manager (AEM) versions prior to 6.3 can lead to remote code execution.

D-Link DSL-3782 suffers from an authentication bypass vulnerability.

Easy MPEG to DVD Burner version 1.7.11 local buffer overflow SEH exploit with DEP bypass.

Joomla EkRishta component version 2.10 suffers from cross site scripting and remote SQL injection vulnerabilities.

mySCADA myPRO version 7 has a hardcoded FTP username and password.

Gentoo Linux Security Advisory 201805-6 - Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in privilege escalation. Versions less than 66.0.3359.170 are affected.

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This Metasploit module has been tested successfully on Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

Red Hat Security Advisory 2018-1627-01 - Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice 3645-2 - USN-3645-1 fixed vulnerabilities in Firefox. The update caused an issue where users experienced long UI pauses in some circumstances. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, bypass same-origin restrictions, conduct cross-site scripting attacks, install lightweight themes without user interaction, spoof the filename in the downloads panel, or execute arbitrary code. Various other issues were also addressed.

This Microsoft bulletin summary holds CVE revision updates for CVE-2018-0886.

Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

This Metasploit module exploits an expression language injection vulnerability, along with an authentication bypass vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04 to achieve remote code execution. The HP iMC server suffers from multiple vulnerabilities allows unauthenticated attacker to execute arbitrary Expression Language via the beanName parameter, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 8080 and 8443 by default. This Metasploit module has been tested successfully on iMC PLAT v7.3(E0504P02) on Windows 2k12r2 x64 (EN).

SAP B2B / B2C CRM versions 2.x up to 4.x suffer from a local file inclusion vulnerability.

DynoRoot DHCP suffers from a client command injection vulnerability.

Infinity Market Classified Ads Script version 1.6.2 suffers from a cross site request forgery vulnerability.

Prime95 version 29.4b8 SEH buffer overflow exploit.

Cisco SA520W Security Appliance suffers from a path traversal vulnerability.

Multiple Siemens SIMATIC panels suffer from cross site request forgery and cross site scripting vulnerabilities.

Linux suffers from a 4-byte information leak via an uninitialized struct field in the compat adjtimex syscall.

Chakra uses the InvariantBlockBackwardIterator class to backpropagate the information about the hoisted bound checks. But the class follows the linked list instead of the control flow. This may lead to incorrectly remove the bound checks.

MagniComp SysInfo contains an information exposure vulnerability through debug functionality.

Debian Linux Security Advisory 4203-1 - Hans Jerry Illikainen discovered a type conversion vulnerability in the MP4 demuxer of the VLC media player, which could result in the execution of arbitrary code if a malformed media file is played.

SAP NetWeaver Web Dynpro versions 6.4 up to 7.5 suffer from an information disclosure vulnerability.

Monstra CMS versions prior to 3.0.4 suffer from a cross site scripting vulnerability.