Total
3177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19110 | 1 Tianti Project | 1 Tianti | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check. | |||||
| CVE-2018-19079 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SystemReboot method allows unauthenticated reboot. | |||||
| CVE-2018-18996 | 1 Lcds | 1 Laquis Scada | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server. | |||||
| CVE-2018-18647 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Missing Authorization. | |||||
| CVE-2018-18377 | 1 Orange | 2 Airbox, Airbox Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| goform/setReset on Orange AirBox Y858_FL_01.16_04 devices allows attackers to reset a router to factory settings, which can be used to login using the default admin:admin credentials. | |||||
| CVE-2018-18004 | 1 Vivotek | 1 Camera | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter. | |||||
| CVE-2018-17491 | 1 Hidglobal | 1 Easylobby Solo | 2024-11-21 | 7.2 HIGH | 8.4 HIGH |
| EasyLobby Solo could allow a local attacker to gain elevated privileges on the system. By visiting the kiosk and typing "esc" to exit the program, an attacker could exploit this vulnerability to perform unauthorized actions on the computer. | |||||
| CVE-2018-17490 | 1 Hidglobal | 1 Easylobby Solo | 2024-11-21 | 3.6 LOW | 7.7 HIGH |
| EasyLobby Solo is vulnerable to a denial of service. By visiting the kiosk and accessing the task manager, a local attacker could exploit this vulnerability to kill the process or launch new processes at will. | |||||
| CVE-2018-16591 | 1 Furuno | 4 Felcom 250, Felcom 250 Firmware, Felcom 500 and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi. | |||||
| CVE-2018-16081 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| Allowing the chrome.debugger API to run on file:// URLs in DevTools in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system without file access permission via a crafted Chrome Extension. | |||||
| CVE-2018-16048 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage. | |||||
| CVE-2018-15429 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based UI of Cisco HyperFlex HX Data Platform Software could allow an unauthenticated, remote attacker to access sensitive information on an affected system. The vulnerability is due to a lack of proper input and authorization of HTTP requests. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based UI of an affected system. A successful exploit could allow the attacker to access files that may contain sensitive data. | |||||
| CVE-2018-15329 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 11 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. | |||||
| CVE-2018-15327 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 11 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. | |||||
| CVE-2018-15005 | 1 Zteusa | 2 Zte Zmax Champ, Zte Zmax Champ Firmware | 2024-11-21 | 5.6 MEDIUM | 7.1 HIGH |
| The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.zte.zdm.sdm (versionCode=31, versionName=V5.0.3) that contains an exported broadcast receiver app component named com.zte.zdm.VdmcBroadcastReceiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. | |||||
| CVE-2018-14997 | 1 Leagoo | 2 P1, P1 Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains the android framework (i.e., system_server) with a package name of android that has been modified by Leagoo or another entity in the supply chain. The system_server process in the core Android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage. The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device. | |||||
| CVE-2018-14985 | 1 Leagoo | 2 Z5c, Z5c Firmware | 2024-11-21 | 5.6 MEDIUM | 7.1 HIGH |
| The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-android.20170630.092853) that contains an exported broadcast receiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. | |||||
| CVE-2018-14628 | 2 Fedoraproject, Samba | 2 Fedora, Samba | 2024-11-21 | N/A | 4.3 MEDIUM |
| An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store. | |||||
| CVE-2018-13063 | 1 Easyappointments | 1 Easy\!appointments | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Easy!Appointments 1.3.0 has a Missing Authorization issue allowing retrieval of hashed passwords and salts. | |||||
| CVE-2018-11888 | 1 Qualcomm | 58 Mdm9607, Mdm9607 Firmware, Mdm9650 and 55 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Unauthorized access may be allowed by the SCP11 Crypto Services TA will processing commands from other TA in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile and Snapdragon Voice & Music in versions MDM9607, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439, Snapdragon_High_Med_2016. | |||||