Total
1208 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14981 | 2 Google, Lg | 15 Android, G5, G6 and 12 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents. The LG ID is LVE-SMP-180005. | |||||
| CVE-2018-14934 | 1 Polycom | 2 Trio 8500, Trio 8500 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone. | |||||
| CVE-2018-14825 | 2 Google, Honeywell | 15 Android, Ck75, Cn51 and 12 more | 2024-11-21 | 6.8 MEDIUM | 5.8 MEDIUM |
| On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80 running Android OS 7.1, CT40 running Android OS 7.1, CK75 running Android OS 6.0, CN75 running Android OS 6.0, CN75e running Android OS 6.0, CT50 running Android OS 6.0, D75e running Android OS 6.0, CT50 running Android OS 4.4, D75e running Android OS 4.4, CN51 running Android OS 6.0, EDA50k running Android 4.4, EDA50 running Android OS 7.1, EDA50k running Android OS 7.1, EDA70 running Android OS 7.1, EDA60k running Android OS 7.1, and EDA51 running Android OS 8.1), a skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents. | |||||
| CVE-2018-14703 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | |||||
| CVE-2018-14327 | 1 Ee | 2 Ee40vb, Ee40vb Firmware | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| The installer for the Alcatel OSPREY3_MINI Modem component on EE EE40VB 4G mobile broadband modems with firmware before EE40_00_02.00_45 sets weak permissions (Everyone:Full Control) for the "Web Connecton\EE40" and "Web Connecton\EE40\BackgroundService" directories, which allows local users to gain privileges, as demonstrated by inserting a Trojan horse ServiceManager.exe file into the "Web Connecton\EE40\BackgroundService" directory. | |||||
| CVE-2018-14043 | 1 Monetra | 1 Mstdlib | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect file access control in situations where M_fs_perms_can_access attempts to delete an existing file (that lacks public read/write access) during a copy operation, related to fs/m_fs.c and fs/m_fs_path.c. An attacker could create the file and then would have access to the data. | |||||
| CVE-2018-13791 | 1 Abbyy | 1 Flexicapture | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The HTTP API in ABBYY FlexiCapture before 12 Release 1 Update 7 allows an attacker to conduct Access Control attacks via the /FlexiCapture12/Login/Server/SevaUserProfile FlexiCaptureTmsSts2 parameter. | |||||
| CVE-2018-13412 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version. | |||||
| CVE-2018-13411 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version. | |||||
| CVE-2018-13399 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory. | |||||
| CVE-2018-13355 | 1 Terra-master | 1 Terramaster Operating System | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization. | |||||
| CVE-2018-13321 | 1 Buffalo | 2 Ts5600d1206, Ts5600d1206 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter. | |||||
| CVE-2018-13122 | 1 Onefilecms | 1 Onefilecms | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| onefilecms.php in OneFileCMS through 2017-10-08 might allow attackers to delete arbitrary files via the Delete File(s) screen, as demonstrated by a ?i=var/www/html/&f=123.php&p=edit&p=deletefile URI. | |||||
| CVE-2018-13110 | 1 Adbglobal | 8 Dv2210, Dv2210 Firmware, Prg Av4202n and 5 more | 2024-11-21 | 8.5 HIGH | 7.5 HIGH |
| All ADB broadband gateways / routers based on the Epicentro platform are affected by a privilege escalation vulnerability where attackers can gain access to the command line interface (CLI) if previously disabled by the ISP, escalate their privileges, and perform further attacks. | |||||
| CVE-2018-13025 | 1 Yxcms | 1 Yxcms | 2024-11-21 | 5.5 MEDIUM | 4.9 MEDIUM |
| protected/apps/admin/controller/photoController.php in YXcms 1.4.7 allows remote attackers to delete arbitrary files via the index.php?r=admin/photo/delpic picname parameter. | |||||
| CVE-2018-12979 | 1 Wago | 8 762-3000, 762-3000 Firmware, 762-3001 and 5 more | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM. | |||||
| CVE-2018-12922 | 1 Vertiv | 2 Liebert Intellislot, Liebert Intellislot Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Emerson Liebert IntelliSlot Web Card devices allow remote attackers to reconfigure access control via the config/configUser.htm or config/configTelnet.htm URI. | |||||
| CVE-2018-12642 | 1 Froxlor | 1 Froxlor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not owned by the current user. | |||||
| CVE-2018-12615 | 1 Phusion | 1 Passenger | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges. | |||||
| CVE-2018-12467 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 5.5 MEDIUM | 6.0 MEDIUM |
| Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689. | |||||