Total
30117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-15660 | 1 Olacabs | 1 Olamoney | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| ** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions, then the attacker can read certain Ola Money data such as a credit card number, expiration date, bank account number, and transaction history. NOTE: the vendor does not agree that this is a security issue requiring a fix. | |||||
| CVE-2018-15631 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request. | |||||
| CVE-2018-15617 | 1 Avaya | 1 Aura Communication Manager | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the "capro" (Call Processor) process component of Avaya Aura Communication Manager could allow a remote, unauthenticated user to cause denial of service. Affected versions include 6.3.x, all 7.x versions prior to 7.1.3.2, and all 8.x versions prior to 8.0.1. | |||||
| CVE-2018-15611 | 1 Avaya | 1 Aura Communication Manager | 2024-11-21 | 7.2 HIGH | 6.3 MEDIUM |
| A vulnerability in the local system administration component of Avaya Aura Communication Manager can allow an authenticated, privileged user on the local system to gain root privileges. Affected versions include 6.3.x and all 7.x version prior to 7.1.3.1. | |||||
| CVE-2018-15593 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace. A local authenticated user can decrypt the encrypted datastore or relay server password by leveraging an unspecified attack vector. | |||||
| CVE-2018-15590 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Ivanti Workspace Control before 10.3.0.0 and RES One Workspace, when file and folder security are configured. A local authenticated user can bypass file and folder security restriction by leveraging an unspecified attack vector. | |||||
| CVE-2018-15572 | 3 Canonical, Debian, Linux | 3 Ubuntu Linux, Debian Linux, Linux Kernel | 2024-11-21 | 2.1 LOW | 6.5 MEDIUM |
| The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks. | |||||
| CVE-2018-15515 | 1 Dlink | 1 Central Wifimanager | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| The CaptivelPortal service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices will load a Trojan horse "quserex.dll" from the CaptivelPortal.exe subdirectory under the D-Link directory, which allows unprivileged local users to gain SYSTEM privileges. | |||||
| CVE-2018-15480 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The cloud API had a hidden parameter, which allowed an authenticated user to reconfigure the server URL for a device registered to their account. In combination with an insecure device registration vulnerability, this allowed an attacker to reconfigure a maliciously registered device to their own rogue replica of the myStrom API and issue commands to the device, including firmware update commands. | |||||
| CVE-2018-15459 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with different user roles. An attacker could then use these accounts to perform actions within their scope. The attacker would need valid Admin credentials for the device. This vulnerability cannot be exploited to add a Super Admin account. | |||||
| CVE-2018-15398 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2024-11-21 | 4.3 MEDIUM | 4.0 MEDIUM |
| A vulnerability in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass an access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to errors that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit this vulnerability by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to access resources that are behind the affected device and would typically be protected by the interface ACL. | |||||
| CVE-2018-15395 | 1 Cisco | 1 Wireless Lan Controller Software | 2024-11-21 | 2.7 LOW | 5.4 MEDIUM |
| A vulnerability in the authentication and authorization checking mechanisms of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, adjacent attacker to gain network access to a Cisco TrustSec domain. Under normal circumstances, this access should be prohibited. The vulnerability is due to the dynamic assignment of Security Group Tags (SGTs) during a wireless roam from one Service Set Identifier (SSID) to another within the Cisco TrustSec domain. An attacker could exploit this vulnerability by attempting to acquire an SGT from other SSIDs within the domain. Successful exploitation could allow the attacker to gain privileged network access that should be prohibited under normal circumstances. | |||||
| CVE-2018-15394 | 1 Cisco | 1 Stealthwatch Enterprise | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Stealthwatch Management Console (SMC) of Cisco Stealthwatch Enterprise could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected system. The vulnerability is due to an insecure system configuration. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to gain unauthenticated access, resulting in elevated privileges in the SMC. | |||||
| CVE-2018-15392 | 1 Cisco | 1 Industrial Network Director | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| A vulnerability in the DHCP service of Cisco Industrial Network Director could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper handling of DHCP lease requests. An attacker could exploit this vulnerability by sending malicious DHCP lease requests to an affected application. A successful exploit could allow the attacker to cause the DHCP service to terminate, resulting in a DoS condition. | |||||
| CVE-2018-15386 | 1 Cisco | 1 Digital Network Architecture Center | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and have direct unauthorized access to critical management functions. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files. | |||||
| CVE-2018-15372 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 4.8 MEDIUM | 8.1 HIGH |
| A vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic through a Layer 3 interface of an affected device. The vulnerability is due to a logic error in the affected software. An attacker could exploit this vulnerability by connecting to and passing traffic through a Layer 3 interface of an affected device, if the interface is configured for MACsec MKA using EAP-TLS and is running in access-session closed mode. A successful exploit could allow the attacker to bypass 802.1x network access controls and gain access to the network. | |||||
| CVE-2018-15370 | 1 Cisco | 1 Ios Rom Monitor | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| A vulnerability in Cisco IOS ROM Monitor (ROMMON) Software for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, local attacker to bypass Cisco Secure Boot validation checks and load a compromised software image on an affected device. The vulnerability is due to the presence of a hidden command in the affected software. An attacker could exploit this vulnerability by connecting to an affected device via the console, forcing the device into ROMMON mode, and writing a malicious pattern to a specific memory address on the device. A successful exploit could allow the attacker to bypass signature validation checks by Cisco Secure Boot technology and load a compromised software image on the affected device. A compromised software image is any software image that has not been digitally signed by Cisco. | |||||
| CVE-2018-15359 | 1 Eltex | 2 Esp-200, Esp-200 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An authenticated attacker with low privileges can use insecure sudo configuration to expand attack surface in Eltex ESP-200 firmware version 1.2.0. | |||||
| CVE-2018-15352 | 1 Kraftway | 2 24f2xg Router, 24f2xg Router Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An attacker with low privileges can cause denial of service in Kraftway 24F2XG Router firmware version 3.5.30.1118. | |||||
| CVE-2018-15335 | 1 F5 | 1 Big-ip Access Policy Manager | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| When APM 13.0.0-13.1.x is deployed as an OAuth Resource Server, APM becomes a client application to an external OAuth authorization server. In certain cases when communication between the BIG-IP APM and the OAuth authorization server is lost, APM may not display the intended message in the failure response | |||||