Total: 46623 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17948 | 1 Microfocus | 1 Access Manager | 2018-12-26 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3. | |||||
| CVE-2018-19794 | 1 Internet2 | 1 Grouper | 2018-12-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter. | |||||
| CVE-2018-19761 | 1 Libsixel Project | 1 Libsixel | 2018-12-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is an illegal address access at fromsixel.c (function: sixel_decode_raw_impl) in libsixel 1.8.2 that will cause a denial of service. | |||||
| CVE-2018-19763 | 1 Libsixel Project | 1 Libsixel | 2018-12-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer over-read at writer.c (function: write_png_to_file) in libsixel 1.8.2 that will cause a denial of service. | |||||
| CVE-2018-19759 | 1 Libsixel Project | 1 Libsixel | 2018-12-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer over-read at stb_image_write.h (function: stbi_write_png_to_mem) in libsixel 1.8.2 that will cause a denial of service. | |||||
| CVE-2018-19756 | 1 Libsixel Project | 1 Libsixel | 2018-12-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer over-read at stb_image.h (function: stbi__tga_load) in libsixel 1.8.2 that will cause a denial of service. | |||||
| CVE-2018-6079 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-12-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate sharing of TEXTURE_2D_ARRAY/TEXTURE_3D data between tabs in WebGL in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2018-5916 | 1 Qualcomm | 70 Mdm9206, Mdm9206 Firmware, Mdm9607 and 67 more | 2018-12-26 | 6.1 MEDIUM | 6.5 MEDIUM |
| Buffer overread while decoding PDP modify request or network initiated secondary PDP activation in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX20, SXR1130. | |||||
| CVE-2018-6078 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-12-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect handling of confusable characters in Omnibox in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||||
| CVE-2018-6077 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-12-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Displacement map filters being applied to cross-origin images in Blink SVG rendering in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2018-18398 | 1 Xfce | 2 Thunar, Xfce | 2018-12-21 | 1.9 LOW | 4.7 MEDIUM |
| Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses this input method. | |||||
| CVE-2018-19609 | 1 Showdoc | 1 Showdoc | 2018-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| ShowDoc 2.4.1 allows remote attackers to obtain sensitive information by navigating with a modified page_id, as demonstrated by reading note content, or discovering a username in the JSON data at a diff URL. | |||||
| CVE-2018-13337 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. | |||||
| CVE-2018-13022 | 1 Mi | 2 Mi Router 3, Miwifi Os | 2018-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path. | |||||
| CVE-2018-18642 | 1 Gitlab | 1 Gitlab | 2018-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS. | |||||
| CVE-2018-18645 | 1 Gitlab | 1 Gitlab | 2018-12-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for Information Exposure via unsubscribe links in email replies. | |||||
| CVE-2018-13361 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter. | |||||
| CVE-2018-19755 | 1 Nasm | 1 Netwide Assembler | 2018-12-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is an illegal address access at asm/preproc.c (function: is_mmacro) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service (out-of-bounds array access) because a certain conversion can result in a negative integer. | |||||
| CVE-2018-19892 | 1 Domainmod | 1 Domainmod | 2018-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php DisplayName, HostName, or UserName field. | |||||
| CVE-2018-19749 | 1 Domainmod | 1 Domainmod | 2018-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field. | |||||
| CVE-2018-19751 | 1 Domainmod | 1 Domainmod | 2018-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields. | |||||
| CVE-2018-19752 | 1 Domainmod | 1 Domainmod | 2018-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar. | |||||
| CVE-2018-19913 | 1 Domainmod | 1 Domainmod | 2018-12-21 | 3.5 LOW | 4.8 MEDIUM |
| DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field. | |||||
| CVE-2018-16224 | 1 Ismartalarm | 2 Cubeone, Cubeone Firmware | 2018-12-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect access control for the diagnostic files of the iSmartAlarm Cube One through 2.2.4.10 allows an attacker to retrieve them via a specifically crafted TCP request to port 12345 and 22306, and access sensitive information from the device. | |||||
| CVE-2018-9071 | 1 Lenovo | 2 Chassis Management Module, Chassis Management Module Firmware | 2018-12-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration. | |||||
| CVE-2018-9073 | 1 Lenovo | 2 Chassis Management Module, Chassis Management Module Firmware | 2018-12-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets. | |||||
| CVE-2018-12310 | 1 Asustor | 2 As602t, Data Master | 2018-12-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature. | |||||
| CVE-2018-12311 | 1 Asustor | 2 As602t, Data Master | 2018-12-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename. | |||||
| CVE-2018-12305 | 1 Asustor | 1 Data Master | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript. | |||||
| CVE-2018-13360 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter. | |||||
| CVE-2018-14704 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path. | |||||
| CVE-2018-19651 | 1 Interspire | 1 Email Marketer | 2018-12-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| admin/functions/remote.php in Interspire Email Marketer through 6.1.6 has Server Side Request Forgery (SSRF) via a what=importurl&url= request with an http or https URL. This also allows reading local files with a file: URL. | |||||
| CVE-2018-13317 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm. | |||||
| CVE-2018-13331 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames. | |||||
| CVE-2018-14698 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter. | |||||
| CVE-2018-14697 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter. | |||||
| CVE-2018-16832 | 1 Xunfeng Project | 1 Xunfeng | 2018-12-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header. | |||||
| CVE-2018-19443 | 1 Tryton | 1 Tryton | 2018-12-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. | |||||
| CVE-2018-13357 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names. | |||||
| CVE-2018-19567 | 1 Dcraw Project | 1 Dcraw | 2018-12-19 | 4.3 MEDIUM | 5.5 MEDIUM |
| A floating point exception in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. | |||||
| CVE-2018-19568 | 1 Dcraw Project | 1 Dcraw | 2018-12-19 | 4.3 MEDIUM | 5.5 MEDIUM |
| A floating point exception in kodak_radc_load_raw in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. | |||||
| CVE-2018-16096 | 1 Lenovo | 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more | 2018-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting. | |||||
| CVE-2018-13351 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form. | |||||
| CVE-2018-7946 | 1 Huawei | 4 Honor 7a, Honor 7a Firmware, Honor 9 Lite and 1 more | 2018-12-19 | 1.9 LOW | 4.3 MEDIUM |
| There is an information leak vulnerability in some Huawei smartphones. An attacker may do some specific configuration in the smartphone and trick a user into inputting some sensitive information. Due to improper design, successful exploit may cause some information leak. | |||||
| CVE-2018-13349 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username. | |||||
| CVE-2018-13335 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions. | |||||
| CVE-2018-13333 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames. | |||||
| CVE-2018-17468 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-12-19 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect handling of timer information during navigation in Blink in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to obtain cross origin URLs via a crafted HTML page. | |||||
| CVE-2018-13329 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter. | |||||
| CVE-2018-13334 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter. | |||||
