Total
29474 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-5406 | 1 Quest | 2 Kace Systems Management Appliance, Kace Systems Management Appliance Firmware | 2024-11-21 | 8.8 High |
| The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings. | ||||
| CVE-2018-3891 | 1 Yitechnology | 2 Yi Home Camera, Yi Home Camera Firmware | 2024-11-21 | 4.6 Medium |
| An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability. | ||||
| CVE-2018-25093 | 1 Vaerys-dawn | 1 Discordsailv2 | 2024-11-21 | 5.5 Medium |
| A vulnerability was found in Vaerys-Dawn DiscordSailv2 up to 2.10.2. It has been rated as critical. Affected by this issue is some unknown functionality of the component Tag Handler. The manipulation leads to improper access controls. Upgrading to version 2.10.3 is able to address this issue. The name of the patch is cc12e0be82a5d05d9f359ed8e56088f4f8b8eb69. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-244484. | ||||
| CVE-2018-25092 | 1 Vaerys-dawn | 1 Discordsailv2 | 2024-11-21 | 5.5 Medium |
| A vulnerability was found in Vaerys-Dawn DiscordSailv2 up to 2.10.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Command Mention Handler. The manipulation leads to improper access controls. Upgrading to version 2.10.3 is able to address this issue. The patch is named cc12e0be82a5d05d9f359ed8e56088f4f8b8eb69. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-244483. | ||||
| CVE-2018-25081 | 1 Bitwarden | 1 Bitwarden | 2024-11-21 | 7.5 High |
| Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default. | ||||
| CVE-2018-25058 | 1 Twitter-post-fetcher Project | 1 Twitter-post-fetcher | 2024-11-21 | 4.2 Medium |
| A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x. This affects an unknown part of the file js/twitterFetcher.js of the component Link Target Handler. The manipulation leads to use of web link to untrusted target with window.opener access. It is possible to initiate the attack remotely. Upgrading to version 18.0.0 is able to address this issue. The name of the patch is 7d281c6fb5acbc29a2cad295262c1f0c19ca56f3. It is recommended to upgrade the affected component. The identifier VDB-217017 was assigned to this vulnerability. | ||||
| CVE-2018-25029 | 1 Silabs | 10 Zgm130s037hgn, Zgm130s037hgn Firmware, Zgm2305a27hgn and 7 more | 2024-11-21 | 8.1 High |
| The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic. | ||||
| CVE-2018-21249 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.7 Low |
| An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing. | ||||
| CVE-2018-21094 | 1 Netgear | 22 Wac120, Wac120 Firmware, Wac505 and 19 more | 2024-11-21 | 7.3 High |
| Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects WAC120 before 2.1.7, WAC505 before 5.0.5.4, WAC510 before 5.0.5.4, WNAP320 before 3.7.11.4, WNAP210v2 before 3.7.11.4, WNDAP350 before 3.7.11.4, WNDAP360 before 3.7.11.4, WNDAP660 before 3.7.11.4, WNDAP620 before 2.1.7, WND930 before 2.1.5, and WN604 before 3.3.10. | ||||
| CVE-2018-20802 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 6.5 Medium |
| A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3. | ||||
| CVE-2018-1170 | 2 Htc, Volkswagen | 2 Customer-link Bridge, Customer-link | 2024-11-21 | 8.8 High |
| This vulnerability allows adjacent attackers to inject arbitrary Controller Area Network messages on vulnerable installations of Volkswagen Customer-Link App 1.30 and HTC Customer-Link Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Customer-Link App and Customer-Link Bridge. The issue results from the lack of a proper protection mechanism against unauthorized firmware updates. An attacker can leverage this vulnerability to inject CAN messages. Was ZDI-CAN-5264. | ||||
| CVE-2018-17921 | 1 Sagaradio | 2 Saga1-l8b, Saga1-l8b Firmware | 2024-11-21 | 8.8 High |
| SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to an attack that may allow an attacker to force-pair the device without human interaction. | ||||
| CVE-2018-17890 | 1 Nuuo | 1 Nuuo Cms | 2024-11-21 | 9.8 Critical |
| NUUO CMS all versions 3.1 and prior, The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution. | ||||
| CVE-2018-12689 | 1 Phpldapadmin Project | 1 Phpldapadmin | 2024-11-21 | 9.8 Critical |
| phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel. | ||||
| CVE-2018-12116 | 3 Nodejs, Redhat, Suse | 5 Node.js, Rhel Software Collections, Suse Enterprise Storage and 2 more | 2024-11-21 | 7.5 High |
| Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. | ||||
| CVE-2018-10892 | 4 Docker, Mobyproject, Opensuse and 1 more | 7 Docker, Moby, Leap and 4 more | 2024-11-21 | 5.3 Medium |
| The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. | ||||
| CVE-2017-20160 | 1 Flitto | 1 Express-param | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file lib/fetchParams.js. The manipulation leads to improper handling of extra parameters. It is possible to initiate the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The identifier of the patch is db94f7391ad0a16dcfcba8b9be1af385b25c42db. It is recommended to upgrade the affected component. The identifier VDB-217149 was assigned to this vulnerability. | ||||
| CVE-2017-18920 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy. | ||||
| CVE-2016-20014 | 1 Pam Tacplus Project | 1 Pam Tacplus | 2024-11-21 | 9.8 Critical |
| In pam_tacplus.c in pam_tacplus before 1.4.1, pam_sm_acct_mgmt does not zero out the arep data structure. | ||||
| CVE-2016-20012 | 2 Netapp, Openbsd | 5 Clustered Data Ontap, Hci Management Node, Ontap Select Deploy Administration Utility and 2 more | 2024-11-21 | 5.3 Medium |
| OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product | ||||