Total: 9615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-10627 | 1 Echelon | 6 I.lon 100, I.lon 100 Firmware, Smartserver 1 and 3 more | 2024-11-21 | 6.4 MEDIUM | 9.8 CRITICAL | Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers. This vulnerability does not affect the i.LON 600 product. |
| CVE-2018-10599 | 1 Philips | 36 Avalon Fetal/maternal Monitors Fm20, Avalon Fetal/maternal Monitors Fm20 Firmware, Avalon Fetal/maternal Monitors Fm30 and 33 more | 2024-11-21 | 2.9 LOW | 5.3 MEDIUM | IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M, IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only), and Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3 have a vulnerability that allows an unauthenticated attacker to read memory from an attacker-chosen device address within the same subnet. |
| CVE-2018-10583 | 5 Apache, Canonical, Debian and 2 more | 7 Openoffice, Ubuntu Linux, Debian Linux and 4 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document. |
| CVE-2018-10581 | 1 Octopus | 1 Octopus Deploy | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also belongs to multiple teams, where one of the Teams has the VariableEdit permission or VariableView permissions for the Environment. |
| CVE-2018-10545 | 4 Canonical, Debian, Netapp and 1 more | 4 Ubuntu Linux, Debian Linux, Storage Automation Store and 1 more | 2024-11-21 | 1.9 LOW | 4.7 MEDIUM | An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process. |
| CVE-2018-10523 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage vulnerability via /modules/DesignManager/action.ajax_get_templates.php, /modules/DesignManager/action.ajax_get_stylesheets.php, /modules/FileManager/dunzip.php, or /modules/FileManager/untgz.php. |
| CVE-2018-10522 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by ordinary users, because the product exposes unrestricted access to the PHP file_get_contents function. |
| CVE-2018-10516 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM | In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation in the admin dashboard contains a sensitive information disclosure vulnerability, exploitable by an admin user, that can cause DoS by moving config.php to the upload/ directory. |
| CVE-2018-10498 | 1 Samsung | 1 Samsung Email | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Samsung Email. Fixed in version 5.0.02.16. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of file:/// URIs. The issue lies in the lack of proper validation of user-supplied data, which can allow for reading arbitrary files. An attacker can leverage this in conju ... |
| CVE-2018-10472 | 2 Debian, Xen | 2 Debian Linux, Xen | 2024-11-21 | 1.9 LOW | 5.6 MEDIUM | An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot. |
| CVE-2018-10424 | 1 1234n | 1 Minicms | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW | mc-admin/post-edit.php in MiniCMS 1.10 allows full path disclosure via a modified id field. |
| CVE-2018-10423 | 1 1234n | 1 Minicms | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW | mc-admin/post.php in MiniCMS 1.10 allows remote attackers to obtain a directory listing of the top-level directory of the web root via a link that becomes available after posting an article. |
| CVE-2018-10245 | 1 Awstats | 1 Awstats | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters. |
| CVE-2018-10229 | 3 Google, Lg, Mozilla | 3 Chrome, Nexus 5, Firefox | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM | A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API. |
| CVE-2018-10219 | 1 Baijiacms Project | 1 Baijiacms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | baijiacms V3 has physical path leakage via an index.php?mod=mobile&name=member&do=index request. |
| CVE-2018-10198 | 1 Otrs | 1 Otrs | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets. |
| CVE-2018-10189 | 1 Mautic | 1 Mautic | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being tracked as each contact in Mautic. It is then possible to retrieve information about the contact through forms that have progressive profiling enabled. |
| CVE-2018-10178 | 1 Iac | 1 Fromdoctopdf | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | The FromDocToPDF extension before 13.611.13.2303 for Chrome allows remote attackers to discover visited web sites via vectors involving a mostVisitedSites command. |
| CVE-2018-10142 | 1 Paloaltonetworks | 1 Expedition | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The Expedition Migration tool 1.0.106 and earlier may allow an unauthenticated attacker to enumerate files on the operating system. |
| CVE-2018-10106 | 1 Dlink | 2 Dir-815, Dir-815 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have permission bypass and information disclosure in /htdocs/web/getcfg.php, as demonstrated by a /getcfg.php?a=%0a_POST_SERVICES%3DDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3D1 request. |
| CVE-2018-10082 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php. |
| CVE-2018-10028 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | joyplus-cms 1.6.0 allows remote attackers to obtain sensitive information via a direct request to the install/ or log/ URI. |
| CVE-2018-1000862 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. |
| CVE-2018-1000803 | 1 Gitea | 1 Gitea | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Gitea versions prior to 1.5.1 contain a CWE-200 vulnerability that can result in exposure of users' private email addresses. This attack appears to be exploitable via watching a repository to receive email notifications: emails received contain the other recipients even if they have their email set as private. This vulnerability appears to have been fixed in 1.5.1. |
| CVE-2018-1000645 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | LibreHealthIO lh-ehr version <REL-2.0.0 contains an Authenticated Local File Disclosure vulnerability in the importing of templates that can result in disclosure of sensitive files on the server. This attack appears to be exploitable via a user-controlled variable in the import templates function. |
| CVE-2018-1000635 | 1 Openmicroscopy | 1 Omero | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM | The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 contains an Information Exposure Through Sent Data vulnerability in OMERO.server that can result in an attacker gaining full administrative access to the server and possibly being able to disable it. This vulnerability appears to have been fixed in 5.4.7. |
| CVE-2018-1000633 | 1 Openmicroscopy | 1 Omero | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH | The Open Microscopy Environment OMERO.web version prior to 5.4.7 contains an Information Exposure Through Log Files vulnerability in the login form and change password form that can result in a user's password being revealed; an attacker can then log in as that user. This attack appears to be exploitable via an attacker reading the web server log. This vulnerability appears to have been fixed in 5.4.7. |
| CVE-2018-1000609 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. |
| CVE-2018-1000603 | 1 Jenkins | 1 Openstack Cloud | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH | An exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in BootSource.java, InstancesToRun.java, JCloudsCleanupThread.java, JCloudsCloud.java, JCloudsComputer.java, JCloudsPreCreationThread.java, JCloudsRetentionStrategy.java, JCloudsSlave.java, JCloudsSlaveTemplate.java, LauncherFactory.java, OpenstackCredentials.java, OpenStackMachineStep.java, SlaveOptions.java, SlaveOptionsDescriptor.java that allows attackers with Overall/Read access to Je ... |
| CVE-2018-1000601 | 1 Jenkins | 1 Ssh Credentials | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system. |
| CVE-2018-1000600 | 1 Jenkins | 1 Github | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH | An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2018-1000549 | 1 Wekan Project | 1 Wekan | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Wekan version 1.04.0 contains an Email / Username Enumeration vulnerability in the 'Register' and 'Forgot your password?' pages; a remote attacker could perform a brute force attack to obtain valid usernames and email addresses. This attack appears to be exploitable via HTTP request. |
| CVE-2018-1000535 | 1 Lms | 1 Lms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | lms version <= LMS_011123 contains a Local File Disclosure vulnerability in the file reading functionality of the LMS module that makes it possible to read files on the server. This attack appears to be exploitable via a GET parameter. This vulnerability appears to have been fixed after commit 254765e. |
| CVE-2018-1000410 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 2.1 LOW | 7.8 HIGH | An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed. |
| CVE-2018-1000402 | 1 Jenkins | 1 Aws Codedeploy | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later. |
| CVE-2018-1000196 | 1 Jenkins | 1 Gitlab Hook | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token. |
| CVE-2018-1000191 | 1 Jenkins | 1 Synopsys Detect | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An exposure of sensitive information vulnerability exists in Jenkins Black Duck Detect Plugin 1.4.0 and older in DetectPostBuildStepDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2018-1000190 | 1 Jenkins | 1 Black Duck Hub | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2018-1000187 | 1 Jenkins | 1 Kubernetes | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs. |
| CVE-2018-1000186 | 1 Jenkins | 1 Github Pull Request Builder | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |