Total
9105 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14782 | 1 Netcommwireless | 2 Nwl-25, Nwl-25 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user. | |||||
| CVE-2018-14735 | 3 Hitachi, Linux, Microsoft | 8 Command Suite, Compute Systems Manager, Device Manager and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. A remote attacker may be able to exploit a flaw in the permission of messaging that may allow for information exposure via a crafted message. | |||||
| CVE-2018-14731 | 1 Parceljs | 1 Parcel | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1 connection (with a random TCP port number) from any origin. The random port number can be found by connecting to http://127.0.0.1 and reading the "new WebSocket" line in the source code. | |||||
| CVE-2018-14730 | 1 Browserify-hot Module Replacement Project | 1 Browserify-hot Module Replacement | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin. | |||||
| CVE-2018-14702 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | |||||
| CVE-2018-14696 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | |||||
| CVE-2018-14695 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter. | |||||
| CVE-2018-14685 | 1 Gxlcms | 1 Gxlcms | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php. | |||||
| CVE-2018-14642 | 1 Redhat | 3 Enterprise Linux, Jboss Enterprise Application Platform, Undertow | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. | |||||
| CVE-2018-14602 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames. | |||||
| CVE-2018-14597 | 1 Broadcom | 2 Ca Identity Governance, Ca Identity Suite Virtual Appliance | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| CA Technologies Identity Governance 12.6, 14.0, 14.1, and 14.2 and CA Identity Suite Virtual Appliance 14.0, 14.1, and 14.2 provide telling error messages that may allow remote attackers to enumerate account names. | |||||
| CVE-2018-14529 | 1 Invoxia | 2 Nvx220, Nvx220 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Invoxia NVX220 devices allow access to /bin/sh via escape from a restricted CLI, leading to disclosure of password hashes. | |||||
| CVE-2018-14432 | 3 Debian, Openstack, Redhat | 3 Debian Linux, Keystone, Openstack | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
| In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected. | |||||
| CVE-2018-14348 | 3 Debian, Fedoraproject, Libcgroup Project | 3 Debian Linux, Fedora, Libcgroup | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information. | |||||
| CVE-2018-14333 | 1 Teamviewer | 1 Teamviewer | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
| TeamViewer through 13.1.1548 stores a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters, which might make it easier for attackers to obtain sensitive information by leveraging an unattended workstation on which TeamViewer has disconnected but remains running. | |||||
| CVE-2018-14328 | 1 Brynamics | 1 Online Trade | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, or /privacy&terms, as demonstrated by reading database username, database password, database_name, and IP address fields, related to CVE-2018-12908. | |||||
| CVE-2018-14316 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6351. | |||||
| CVE-2018-14083 | 1 Lica | 2 Minicmts E8k, Minicmts E8k Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| LICA miniCMTS E8K(u/i/...) devices allow remote attackers to obtain sensitive information via a direct POST request for the inc/user.ini file, leading to discovery of a password hash. | |||||
| CVE-2018-14079 | 1 Wi2be | 2 Smart Hp, Smart Hp Wmt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to obtain sensitive information via /Status/SystemStatusRpm.esp. | |||||
| CVE-2018-14023 | 1 Signal | 1 Signal-desktop | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
| Open Whisper Signal (aka Signal-Desktop) before 1.15.0-beta.10 allows information leakage. | |||||