CVE-2018-1189

Dell EMC Isilon versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the Antivirus Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user’s browser session in the context of the OneFS website.

Source: CVE-2018-1189

CVE-2018-1201

Dell EMC Isilon versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the Job Operations Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user’s browser session in the context of the OneFS website.

Source: CVE-2018-1201

CVE-2018-1188

Dell EMC Isilon versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, and versions 7.2.1.x are affected by a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user’s browser session in the context of the OneFS website.

Source: CVE-2018-1188

CVE-2018-1213

Dell EMC Isilon OneFS versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, versions 7.2.1.x, and versions 7.1.1.11 and 8.1.0.2 are affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit this vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application.

Source: CVE-2018-1213

CVE-2018-1203

In Dell EMC Isilon OneFS, compadmin is able to run the tcpdump binary with root privileges. In versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, the tcpdump binary, being run with sudo, may potentially be used by compadmin to execute arbitrary code with root privileges.

Source: CVE-2018-1203

CVE-2018-1186

Dell EMC Isilon versions between 8.1.0.0 – 8.1.0.1, 8.0.1.0 – 8.0.1.2, and 8.0.0.0 – 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the Cluster description of the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user’s browser session in the context of the OneFS website.

Source: CVE-2018-1186

CVE-2014-2293

Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.

Source: CVE-2014-2293

CVE-2015-5039

The Remote Client and change management integrations in IBM Rational ClearCase 7.1.x, 8.0.0.x before 8.0.0.18, and 8.0.1.x before 8.0.1.11 do not properly validate hostnames in X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information or modify network traffic via a crafted certificate. IBM X-Force ID: 106715.

Source: CVE-2015-5039