Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20880 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445).
|
|||||
| CVE-2018-20862 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
|
cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366).
|
|||||
| CVE-2018-20853 | 1 Mailpoet | 1 Mailpoet Newsletters | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An issue was discovered in the MailPoet Newsletters (aka wysija-newsletters) plugin before 2.8.2 for WordPress. The plugin is vulnerable to SPAM attacks.
|
|||||
| CVE-2018-20851 | 1 Helpy.io | 1 Helpy | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Helpy before 2.2.0 allows agents to edit admins.
|
|||||
| CVE-2018-20799 | 1 Netgate | 1 Pfsense | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation), which might make it easier for attackers to bypass intended access restrictions.
|
|||||
| CVE-2018-20785 | 1 Neatorobotics | 14 Botvac Connected, Botvac Connected Firmware, Botvac D3 Connected and 11 more | 2024-11-21 | 4.4 MEDIUM | 7.4 HIGH |
|
Secure boot bypass and memory extraction can be achieved on Neato Botvac Connected 2.2.0 devices. During startup, the AM335x secure boot feature decrypts and executes firmware. Secure boot can be bypassed by starting with certain commands to the USB serial port. Although a power cycle occurs, this does not completely reset the chip: memory contents are still in place. Also, it restarts into a boot menu that enables XMODEM upload and execution of an unsigned QNX IFS system image, thereby completi ...
Show More |
|||||
| CVE-2018-20764 | 2 Helpsystems, Linux | 2 Boks, Linux Kernel | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A buffer overflow exists in HelpSystems tcpcrypt on Linux, used for BoKS encrypted telnet through BoKS version 6.7.1. Since tcpcrypt is setuid, exploitation leads to privilege escalation.
|
|||||
| CVE-2018-20674 | 1 Dlink | 8 Dir-822, Dir-822-us, Dir-822-us Firmware and 5 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authenticated remote command execution.
|
|||||
| CVE-2018-20587 | 2 Bitcoin, Bitcoinknots | 2 Bitcoin Core, Bitcoin Knots | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
Bitcoin Core 0.12.0 through 0.17.1 and Bitcoin Knots 0.12.0 through 0.17.x before 0.17.1.knots20181229 have Incorrect Access Control. Local users can exploit this to steal currency by binding the RPC IPv4 localhost port, and forwarding requests to the IPv6 localhost port.
|
|||||
| CVE-2018-20584 | 3 Debian, Jasper Project, Oracle | 3 Debian Linux, Jasper, Outside In Technology | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
JasPer 2.0.14 allows remote attackers to cause a denial of service (application hang) via an attempted conversion to the jp2 format.
|
|||||
| CVE-2018-20423 | 1 Comsenz | 1 Discuzx | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass a "disabled registration" setting by adding a non-existing wxopenid value to the plugin.php ac=wxregister query string.
|
|||||
| CVE-2018-20393 | 1 Technicolor | 16 Cga0101, Cga0101 Firmware, Cga0111 and 13 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Technicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU, CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC, DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a, TC7110.AR STD3.38.03, TC7110.B STC8.62.02, TC7110.D STDB.79.02, TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT, and TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
|
|||||
| CVE-2018-20381 | 1 Technicolor | 2 Dpc2320, Dpc2320 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Technicolor DPC2320 dpc2300r2-v202r1244101-150420a-v6 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
|
|||||
| CVE-2018-20380 | 1 Ubeeinteractive | 8 Ambit Ddw2600, Ambit Ddw2600 Firmware, Ambit Ddw2602 and 5 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Ambit DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, and U10C019 5.66.1026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
|
|||||
| CVE-2018-20377 | 1 Orange | 2 Arv7519rw22 Livebox 2.1, Arv7519rw22 Livebox 2.1 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
|
|||||
| CVE-2018-20345 | 1 Stackstorm | 1 Stackstorm | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
|
Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.
|
|||||
| CVE-2018-20235 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
|
|||||
| CVE-2018-20226 | 1 Thehive-project | 1 Cortex | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An organization administrator can add a super administrator in THEHIVE PROJECT Cortex before 2.1.3 due to the lack of overriding the Role.toString method.
|
|||||
| CVE-2018-20161 | 1 Blinkforhome | 1 Sync Module | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the Wi-Fi network. (Access to live video from the app also becomes unavailable.)
|
|||||
| CVE-2018-20146 | 1 Liquidware | 2 Flexapp, Profileunity | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
|
|||||
| CVE-2018-20069 | 2 Apple, Google | 2 Iphone Os, Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Failure to prevent navigation to top frame to data URLs in Navigation in Google Chrome on iOS prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.
|
|||||
| CVE-2018-20067 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A renderer initiated back navigation was incorrectly allowed to cancel a browser initiated one in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.
|
|||||
| CVE-2018-20053 | 1 Cerner | 2 Connectivity Engine 4, Connectivity Engine 4 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The hostname, timezone, and NTP server configurations on the CCE device are vulnerable to command injection by sending a crafted configuration file over the network.
|
|||||
| CVE-2018-20050 | 1 Qacctv | 2 Jooan Ja-q1h Wi-fi Camera, Jooan Ja-q1h Wi-fi Camera Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.
|
|||||
| CVE-2018-20034 | 2 Flexera, Oracle | 2 Flexnet Publisher, Communications Lsms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.
|
|||||
| CVE-2018-20032 | 2 Flexera, Oracle | 2 Flexnet Publisher, Communications Lsms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.
|
|||||
| CVE-2018-20031 | 2 Flexera, Oracle | 2 Flexnet Publisher, Communications Lsms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.
|
|||||
| CVE-2018-20028 | 1 Contao | 1 Contao Cms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.
|
|||||
| CVE-2018-20026 | 1 Codesys | 18 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 15 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Improper Communication Address Filtering exists in CODESYS V3 products versions prior V3.5.14.0.
|
|||||
| CVE-2018-1997 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
IBM Business Automation Workflow and Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 are vulnerable to a denial of service attack. An authenticated attacker might send a specially crafted request that exhausts server-side memory. IBM X-Force ID: 154774.
|
|||||
| CVE-2018-1974 | 1 Ibm | 1 Websphere Mq | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
|
IBM WebSphere 8.0.0.0 through 9.1.1 could allow an authenticated attacker to escalate their privileges when using multiplexed channels. IBM X-Force ID: 153915.
|
|||||
| CVE-2018-1928 | 1 Ibm | 1 Storediq | 2024-11-21 | 2.1 LOW | 6.7 MEDIUM |
|
IBM StoredIQ 7.6.0 does not implement proper authorization of user roles due to which it was possible for a low privileged user to access the application endpoints of high privileged users and also perform some state changing actions restricted to a high privileged user. IBM X-Force ID: 153119.
|
|||||
| CVE-2018-1906 | 1 Ibm | 2 Infosphere Information Server, Infosphere Information Server On Cloud | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
IBM InfoSphere Information Server 11.3, 11.5, and 11.7could allow an authenticated user to download code using a specially crafted HTTP request. IBM X-Force ID: 152663.
|
|||||
| CVE-2018-1903 | 1 Ibm | 1 Sterling Connect\ | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
|
IBM Sterling Connect:Direct for UNIX 4.2.0, 4.3.0, and 6.0.0 could allow a user with restricted sudo access on a system to manipulate CD UNIX to gain full sudo access. IBM X-Force ID: 152532.
|
|||||
| CVE-2018-1901 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.5 MEDIUM | 5.0 MEDIUM |
|
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used. IBM X-Force ID: 152530.
|
|||||
| CVE-2018-1899 | 1 Ibm | 2 Infosphere Information Governance Catalog, Infosphere Information Server On Cloud | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
|
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an attacker to change one of the settings related to InfoSphere Business Glossary Anywhere due to improper access control. IBM X-Force ID: 152528.
|
|||||
| CVE-2018-1883 | 1 Ibm | 1 Mq | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A problem within the IBM MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, and 9.1.0.0 Console REST API Could allow attackers to execute a denial of service attack preventing users from logging into the MQ Console REST API. IBM X-Force ID: 151969.
|
|||||
| CVE-2018-1859 | 1 Ibm | 1 Api Connect | 2024-11-21 | 6.5 MEDIUM | 4.3 MEDIUM |
|
IBM API Connect 5.0.0.0 through 5.0.8.4 could allow a user authenticated as an administrator with limited rights to escalate their privileges. IBM X-Force ID: 151258.
|
|||||
| CVE-2018-1850 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 8.5 HIGH | 8.8 HIGH |
|
IBM Security Access Manager Appliance 9.0.3.1, 9.0.4.0 and 9.0.5.0 could allow unauthorized administration operations when Advanced Access Control services are running. IBM X-Force ID: 150998.
|
|||||
| CVE-2018-1833 | 1 Ibm | 1 Event Streams | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
|
IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507.
|
|||||