Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18817 | 1 Leostream | 2 Agent, Connection Broker | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Leostream Agent before Build 7.0.1.0 when used with Leostream Connection Broker 8.2.72 or earlier allows remote attackers to modify registry keys via the Leostream Agent API.
|
|||||
| CVE-2018-18810 | 1 Tibco | 2 Managed File Transfer Command Center, Managed File Transfer Internet Server | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
|
The Administrator Service component of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, and TIBCO Managed File Transfer Internet Server contains vulnerabilities where an authenticated user with specific privileges can gain access to credentials to other systems. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center: versions up to and including 7.3.2; 8.0.0; 8.0.1; 8.0.2; 8.1.0, and TIBCO Managed File Transfer Internet Server: versions up to and ...
Show More |
|||||
| CVE-2018-18766 | 1 Provisio | 1 Sitekiosk | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An elevation of privilege vulnerability exists in the Call Dispatcher in Provisio SiteKiosk before 9.7.4905.
|
|||||
| CVE-2018-18652 | 1 Veritas | 1 Netbackup Appliance | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
|
A remote command execution vulnerability in Veritas NetBackup Appliance before 3.1.2 allows authenticated administrators to execute arbitrary commands as root. This issue was caused by insufficient filtering of user provided input.
|
|||||
| CVE-2018-18649 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
|
|||||
| CVE-2018-18626 | 1 Phpyun | 1 Phpyun | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
|
An issue was discovered in PHPYun V4.6. There is a vulnerability that can delete any file or directory via the "admin/index.php?m=database&c=del" sql parameter because del_action() in admin/model/database.class.php mishandles this parameter.
|
|||||
| CVE-2018-18603 | 1 360totalsecurity | 1 360 Total Security | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
|
360 Total Security 3.5.0.1033 allows a Sandbox Escape via an "import os" statement, followed by os.system("CMD") or os.system("PowerShell"), within a .py file. NOTE: the vendor's position is that this cannot be categorized as a vulnerability, although it is a security-related issue
|
|||||
| CVE-2018-18564 | 1 Roche | 6 Accu-chek Inform Ii, Accu-chek Inform Ii Firmware, Coaguchek Pro Ii and 3 more | 2024-11-21 | 3.3 LOW | 7.4 HIGH |
|
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). Improper access control allows attackers in the adjacent network to change the instrument configuration.
|
|||||
| CVE-2018-18556 | 1 Vyos | 1 Vyos | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL |
|
A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.
|
|||||
| CVE-2018-18537 | 1 Asus | 2 Aura Sync, Aura Sync Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address.
|
|||||
| CVE-2018-18536 | 1 Asus | 2 Aura Sync, Aura Sync Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges.
|
|||||
| CVE-2018-18535 | 1 Asus | 2 Aura Sync, Aura Sync Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code.
|
|||||
| CVE-2018-18510 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The about:crashcontent and about:crashparent pages can be triggered by web content. These pages are used to crash the loaded page or the browser for test purposes. This issue allows for a non-persistent denial of service (DOS) attack by a malicious site which links to these pages. This vulnerability affects Firefox < 64.
|
|||||
| CVE-2018-18506 | 5 Canonical, Debian, Mozilla and 2 more | 12 Ubuntu Linux, Debian Linux, Firefox and 9 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects F ...
Show More |
|||||
| CVE-2018-18497 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This vulnerability affects Firefox < 64.
|
|||||
| CVE-2018-18489 | 1 Tp-link | 2 Wr840n, Wr840n Firmware | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
The ping feature in the Diagnostic functionality on TP-LINK WR840N v2 Firmware 3.16.9 Build 150701 Rel.51516n devices allows remote attackers to cause a denial of service (HTTP service termination) by modifying the packet size to be higher than the UI limit of 1472.
|
|||||
| CVE-2018-18442 | 2 D-link, Dlink | 2 Dcs-825l Firmware, Dcs-825l | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
|
D-Link DCS-825L devices with firmware 1.08 do not employ a suitable mechanism to prevent denial-of-service (DoS) attacks. An attacker can harm the device availability (i.e., live-online video/audio streaming) by using the hping3 tool to perform an IPv4 flood attack. Verified attacks includes SYN flooding, UDP flooding, ICMP flooding, and SYN-ACK flooding.
|
|||||
| CVE-2018-18396 | 1 Moxa | 1 Thingspro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
|
|||||
| CVE-2018-18395 | 1 Moxa | 1 Thingspro | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
|
|||||
| CVE-2018-18393 | 1 Moxa | 1 Thingspro | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
|
|||||
| CVE-2018-18392 | 1 Moxa | 1 Thingspro | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
|
|||||
| CVE-2018-18391 | 1 Moxa | 1 Thingspro | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
|
|||||
| CVE-2018-18388 | 1 Escanav | 1 Escan Anti-virus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
eScan Agent Application (MWAGENT.EXE) 4.0.2.98 in MicroWorld Technologies eScan 14.0 allows remote or local attackers to execute arbitrary commands by sending a carefully crafted payload to TCP port 2222.
|
|||||
| CVE-2018-18365 | 1 Symantec | 1 Norton Password Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Norton Password Manager may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
|
|||||
| CVE-2018-18363 | 1 Symantec | 1 Norton App Lock | 2024-11-21 | 7.2 HIGH | 6.2 MEDIUM |
|
Norton App Lock prior to 1.4.0.445 can be susceptible to a bypass exploit. In this type of circumstance, the exploit can allow the user to circumvent the app to prevent it from locking the device, thereby allowing the individual to gain device access.
|
|||||
| CVE-2018-18357 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
|
|||||
| CVE-2018-18355 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
|
|||||
| CVE-2018-18353 | 3 Debian, Google, Redhat | 6 Debian Linux, Android, Chrome and 3 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Failure to dismiss http auth dialogs on navigation in Network Authentication in Google Chrome on Android prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of an auto dialog via a crafted HTML page.
|
|||||
| CVE-2018-18350 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Incorrect handling of CSP enforcement during navigations in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass content security policy via a crafted HTML page.
|
|||||
| CVE-2018-18348 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Incorrect handling of bidirectional domain names with RTL characters in Omnibox in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
|
|||||
| CVE-2018-18346 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Incorrect handling of alert box display in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to present confusing browser UI via a crafted HTML page.
|
|||||
| CVE-2018-18345 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Incorrect handling of blob URLS in Site Isolation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker who had compromised the renderer process to bypass site isolation protections via a crafted HTML page.
|
|||||
| CVE-2018-18330 | 1 Trendmicro | 1 Dr. Safety | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An Address Bar Spoofing vulnerability in Trend Micro Dr. Safety for Android (Consumer) versions 3.0.1324 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on the Private Browser of the app on vulnerable installations.
|
|||||
| CVE-2018-18320 | 1 Asuswrt-merlin Project | 28 Rt-ac1900, Rt-ac1900 Firmware, Rt-ac2900 and 25 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because exec.php has a popen call. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution
|
|||||
| CVE-2018-18284 | 5 Artifex, Canonical, Debian and 2 more | 11 Ghostscript, Gpl Ghostscript, Ubuntu Linux and 8 more | 2024-11-21 | 6.8 MEDIUM | 8.6 HIGH |
|
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator.
|
|||||
| CVE-2018-18223 | 2 Opendesign, Oracle | 2 Drawings Sdk, Outside In Technology | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
Open Design Alliance Drawings SDK 2019Update1 has a vulnerability during the reading of malformed files, allowing attackers to obtain sensitive information from process memory or cause a crash.
|
|||||
| CVE-2018-18202 | 1 Ibm | 4 Qlogic 20-port 4\/8 Gb San Switch Module, Qlogic 20-port 4\/8 Gb San Switch Module Firmware, Qlogic 4 Gb Fibre Channel Expansion Card and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 modules for IBM BladeCenter have an undocumented support account with a support password, an undocumented diags account with a diags password, and an undocumented prom account with a prom password.
|
|||||
| CVE-2018-17953 | 3 Kernel, Opensuse, Suse | 3 Linux-pam, Leap, Linux Enterprise | 2024-11-21 | 9.3 HIGH | 7.5 HIGH |
|
A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open).
|
|||||
| CVE-2018-17933 | 1 Vecna | 2 Vgo, Vgo Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may also be affected) connected to the VGo XAMPP. User accounts may be able to execute commands that are outside the scope of their privileges and within the scope of an admin account. If an attacker has access to VGo XAMPP Client credentials, they may be able to execute admin commands on the connected robot.
|
|||||
| CVE-2018-17925 | 1 Ge | 1 Ifix | 2024-11-21 | 4.4 MEDIUM | 4.8 MEDIUM |
|
Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted.
|
|||||