Search
Total
7597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18321 | 1 Qualcomm | 8 Mdm9650, Mdm9650 Firmware, Mdm9655 and 5 more | 2019-01-25 | 2.1 LOW | 5.5 MEDIUM |
| Security keys used by the terminal and NW for a session could be leaked in snapdragon mobile in versions MDM9650, MDM9655, SD 835, SDA660. | |||||
| CVE-2017-18332 | 1 Qualcomm | 56 Mdm9607, Mdm9607 Firmware, Mdm9635m and 53 more | 2019-01-25 | 2.1 LOW | 5.5 MEDIUM |
| Security keys are logged when any WCDMA call is configured or reconfigured in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130 | |||||
| CVE-2018-3947 | 1 Yitechnology | 3 Yi Home, Yi Home Camera, Yi Home Camera Firmware | 2019-01-24 | 4.3 MEDIUM | 8.1 HIGH |
| An exploitable information disclosure vulnerability exists in the phone-to-camera communications of Yi Home Camera 27US 1.8.7.0D. An attacker can sniff network traffic to exploit this vulnerability. | |||||
| CVE-2017-15031 | 1 Arm | 1 Arm-trusted-firmware | 2019-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information. | |||||
| CVE-2018-12161 | 1 Intel | 1 Raid Web Console | 2019-01-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient session validation in the webserver component of the Intel Rapid Web Server 3 may allow an unauthenticated user to potentially disclose information via network access. | |||||
| CVE-2018-18287 | 1 Asus | 2 Rt-ac58u, Rt-ac58u Firmware | 2019-01-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discover hostnames and IP addresses by reading dhcpLeaseInfo data in the HTML source code of the Main_Login.asp page. | |||||
| CVE-2018-18428 | 1 Tp-link | 2 Tl-sc3130, Tl-sc3130 Firmware | 2019-01-23 | 5.0 MEDIUM | 7.5 HIGH |
| TP-Link TL-SC3130 1.6.18P12_121101 devices allow unauthenticated RTSP stream access, as demonstrated by a /jpg/image.jpg URI. | |||||
| CVE-2017-2582 | 1 Redhat | 3 Enterprise Linux, Jboss Enterprise Application Platform, Keycloak | 2019-01-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. | |||||
| CVE-2018-19718 | 1 Adobe | 1 Connect | 2019-01-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| Adobe Connect versions 9.8.1 and earlier have a session token exposure vulnerability. Successful exploitation could lead to exposure of the privileges granted to a session. | |||||
| CVE-2018-16192 | 1 Nec | 4 Aterm Wf1200cr, Aterm Wf1200cr Firmware, Aterm Wg1200cr and 1 more | 2019-01-17 | 3.3 LOW | 6.5 MEDIUM |
| Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 and earlier, Aterm WG1200CR firmware Ver1.0.1 and earlier) allow an attacker on the same network segment to obtain information registered on the device via unspecified vectors. | |||||
| CVE-2016-4643 | 1 Apple | 3 Apple Tv, Iphone Os, Mac Os | 2019-01-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation. | |||||
| CVE-2016-4644 | 1 Apple | 3 Apple Tv, Iphone Os, Mac Os | 2019-01-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials. | |||||
| CVE-2018-20478 | 1 S-cms | 1 S-cms | 2019-01-17 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value. | |||||
| CVE-2017-9526 | 1 Gnupg | 1 Libgcrypt | 2019-01-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library. | |||||
| CVE-2017-0379 | 2 Debian, Gnupg | 2 Debian Linux, Libgcrypt | 2019-01-16 | 5.0 MEDIUM | 7.5 HIGH |
| Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c. | |||||
| CVE-2015-7940 | 3 Bouncycastle, Opensuse, Oracle | 7 Bouncy Castle Crypto Package, Leap, Opensuse and 4 more | 2019-01-16 | 5.0 MEDIUM | N/A |
| The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack." | |||||
| CVE-2018-6179 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient enforcement of file access permission in the activeTab case in Extensions in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension. | |||||
| CVE-2018-6117 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Confusing settings in Autofill in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2018-6137 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSS Paint API in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2018-6164 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2019-01-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient origin checks for CSS content in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2018-12671 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2019-01-11 | 5.0 MEDIUM | 9.8 CRITICAL |
| An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including all password sets set within the camera. This information can then be used to gain access to the web interface. | |||||
| CVE-2018-12673 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2019-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including camera hardware, wireless network, and local area network information. | |||||
| CVE-2018-20571 | 1 Damicms | 1 Damicms | 2019-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a crafted admin.php?s=Tpl/Add/id request, as demonstrated by admin.php?s=Tpl/Add/id/.\Public\Config\config.ini.php to read the global configuration file. | |||||
| CVE-2018-20602 | 1 Lfdycms | 1 Lei Feng Tv Cms | 2019-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| Lei Feng TV CMS (aka LFCMS) 3.8.6 allows full path disclosure via the /install.php?s=/1 URI. | |||||
| CVE-2018-15328 | 1 F5 | 16 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 13 more | 2019-01-09 | 5.0 MEDIUM | 7.5 HIGH |
| On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG-IQ 6.x, 5.x, and 4.x, and iWorkflow 2.x, the passphrases for SNMPv3 users and trap destinations that are used for authentication and privacy are not handled by the BIG-IP system Secure Vault feature; they are written in the clear to the various configuration files. | |||||
| CVE-2018-20609 | 1 Txjia | 1 Imcat | 2019-01-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| imcat 4.4 allows remote attackers to obtain potentially sensitive configuration information via the root/tools/adbug/check.php URI. | |||||
| CVE-2018-20608 | 1 Txjia | 1 Imcat | 2019-01-09 | 5.0 MEDIUM | 7.5 HIGH |
| imcat 4.4 allows remote attackers to read phpinfo output via the root/tools/adbug/binfo.php?phpinfo1 URI. | |||||
| CVE-2018-20607 | 1 Txjia | 1 Imcat | 2019-01-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| imcat 4.4 allows remote attackers to obtain potentially sensitive debugging information via the root/tools/adbug/binfo.php URI. | |||||
| CVE-2018-20606 | 1 Txjia | 1 Imcat | 2019-01-09 | 5.0 MEDIUM | 7.5 HIGH |
| imcat 4.4 allows full path disclosure via a dev.php?tools-ipaddr&api=Pcoln&uip= URI. | |||||
| CVE-2018-1000803 | 1 Gitea | 1 Gitea | 2019-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses. This attack appear to be exploitable via Watch a repository to receive email notifications. Emails received contain the other recipients even if they have the email set as private. This vulnerability appears to have been fixed in 1.5.1. | |||||
| CVE-2017-5658 | 1 Apache | 1 Pony Mail | 2019-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The statistics generator in Apache Pony Mail 0.7 to 0.9 was found to be returning timestamp data without proper authorization checks. This could lead to derived information disclosure on private lists about the timing of specific email subjects or text bodies, though without disclosing the content itself. As this was primarily used as a caching feature for faster loading times, the caching was disabled by default to prevent this. Users using 0.9 should upgrade to 0.10 to address this issue. | |||||
| CVE-2018-20154 | 1 Designmodo | 1 Wp Maintenance Mode | 2019-01-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses. | |||||
| CVE-2018-16524 | 1 Amazon | 2 Amazon Web Services Freertos, Freertos | 2019-01-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of TCP options in prvCheckOptions. | |||||
| CVE-2018-16527 | 1 Amazon | 2 Amazon Web Services Freertos, Freertos | 2019-01-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of ICMP packets in prvProcessICMPPacket. | |||||
| CVE-2018-16599 | 1 Amazon | 2 Amazon Web Services Freertos, Freertos | 2019-01-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of NBNS packets in prvTreatNBNS can be used for information disclosure. | |||||
| CVE-2018-16600 | 1 Amazon | 2 Amazon Web Services Freertos, Freertos | 2019-01-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of ARP packets in eARPProcessPacket can be used for information disclosure. | |||||
| CVE-2018-16602 | 1 Amazon | 2 Amazon Web Services Freertos, Freertos | 2019-01-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of DHCP responses in prvProcessDHCPReplies can be used for information disclosure. | |||||
| CVE-2018-16603 | 1 Amazon | 2 Amazon Web Services Freertos, Freertos | 2019-01-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds access to TCP source and destination port fields in xProcessReceivedTCPPacket can leak data back to an attacker. | |||||
| CVE-2015-3238 | 2 Linux-pam, Oracle | 2 Linux-pam, Sparc-opl Service Processor | 2019-01-03 | 5.8 MEDIUM | 6.5 MEDIUM |
| The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. | |||||
| CVE-2018-19413 | 1 Sonarsource | 1 Sonarqube | 2019-01-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the API of SonarSource SonarQube before 7.4 could allow an authenticated user to discover sensitive information such as valid user-account logins in the web application. The vulnerability occurs because of improperly configured access controls that cause the API to return the externalIdentity field to non-administrator users. The attacker could use this information in subsequent attacks against the system. | |||||
| CVE-2018-9554 | 1 Google | 1 Android | 2019-01-02 | 2.1 LOW | 5.5 MEDIUM |
| In dumpExtractors of IMediaExtractor.cp, there is a possible disclosure of recently accessed media files due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1. Android ID: A-114770654. | |||||
| CVE-2018-13319 | 1 Buffalo | 2 Ts5600d1206, Ts5600d1206 Firmware | 2018-12-31 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request. | |||||
| CVE-2018-19133 | 1 Flarum | 1 Flarum | 2018-12-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address. | |||||
| CVE-2018-7812 | 1 Schneider-electric | 8 Modicom Bmxnor0200h, Modicom Bmxnor0200h Firmware, Modicom M340 and 5 more | 2018-12-28 | 5.0 MEDIUM | 7.5 HIGH |
| An Information Exposure through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. | |||||
| CVE-2018-17976 | 1 Gitlab | 1 Gitlab | 2018-12-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions. | |||||
| CVE-2018-6082 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-12-27 | 4.3 MEDIUM | 4.7 MEDIUM |
| Including port 22 in the list of allowed FTP ports in Networking in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially enumerate internal host services via a crafted HTML page. | |||||
| CVE-2018-16712 | 1 Iobit | 1 Advanced Systemcare | 2018-12-27 | 6.8 MEDIUM | 6.5 MEDIUM |
| IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory. | |||||
| CVE-2018-18640 | 1 Gitlab | 1 Gitlab | 2018-12-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching. | |||||
| CVE-2018-18644 | 1 Gitlab | 1 Gitlab | 2018-12-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows Information Exposure via a Gitlab Prometheus integration. | |||||
| CVE-2018-15773 | 1 Dell | 1 Data Protection \| Encryption | 2018-12-26 | 4.9 MEDIUM | 4.3 MEDIUM |
| Dell Encryption (formerly Dell Data Protection | Encryption) v10.1.0 and earlier contain an information disclosure vulnerability. A malicious user with physical access to the machine could potentially exploit this vulnerability to access the unencrypted RegBack folder that contains back-ups of sensitive system files. | |||||