Total
30110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-15006 | 1 Zteusa | 2 Zte Zmax Champ, Zte Zmax Champ Firmware | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts. | |||||
| CVE-2018-15005 | 1 Zteusa | 2 Zte Zmax Champ, Zte Zmax Champ Firmware | 2024-11-21 | 5.6 MEDIUM | 7.1 HIGH |
| The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.zte.zdm.sdm (versionCode=31, versionName=V5.0.3) that contains an exported broadcast receiver app component named com.zte.zdm.VdmcBroadcastReceiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. | |||||
| CVE-2018-15000 | 1 Vivo | 2 V7, V7 Firmware | 2024-11-21 | 3.3 LOW | 6.3 MEDIUM |
| The Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys contains a platform app with a package name of com.vivo.smartshot (versionCode=1, versionName=3.0.0). This app contains an exported service named com.vivo.smartshot.ui.service.ScreenRecordService that will record the screen for 60 minutes and write the mp4 file to a location of the user's choosing. Normally, a recording notification will be visible to the user, but we discovered an approach to make it mostly transparent to the user by quickly removing a notification and floating icon. The user can see a floating icon and notification appear and disappear quickly due to quickly stopping and restarting the service with different parameters that do not interfere with the ongoing screen recording. The screen recording lasts for 60 minutes and can be written directly to the attacking app's private directory. | |||||
| CVE-2018-14999 | 1 Leagoo | 2 P1, P1 Firmware | 2024-11-21 | 9.4 HIGH | 9.1 CRITICAL |
| The Leagoo P1 device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.wtk.factory (versionCode=1, versionName=1.0) that contains an exported broadcast receiver named com.wtk.factory.MMITestReceiver allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. | |||||
| CVE-2018-14997 | 1 Leagoo | 2 P1, P1 Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains the android framework (i.e., system_server) with a package name of android that has been modified by Leagoo or another entity in the supply chain. The system_server process in the core Android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage. The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device. | |||||
| CVE-2018-14996 | 1 Oppo | 2 F5, F5 Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| The Oppo F5 Android device with a build fingerprint of OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys contains a pre-installed platform app with a package name of com.dropboxchmod (versionCode=1, versionName=1.0) that contains an exported service named com.dropboxchmod.DropboxChmodService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. This vulnerability can also be used to secretly record audio of the user without their awareness on the Oppo F5 device. The pre-installed com.oppo.engineermode app (versionCode=25, versionName=V1.01) has an exported activity that can be started to initiate a recording and quickly dismissed. The activity can be started in a way that the user will not be able to see the app in the recent apps list. The resulting audio amr file can be copied from a location on internal storage using the arbitrary command execution as system user vulnerability. Executing commands as system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. | |||||
| CVE-2018-14993 | 1 Asus | 4 Zenfone 3 Max, Zenfone 3 Max Firmware, Zenfone V Live and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. | |||||
| CVE-2018-14992 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed platform app with a package name of com.asus.dm (versionCode=1510500200, versionName=1.5.0.40_171122) has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService that allows any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it. Any app on the device can send an intent with specific embedded data that will cause the com.asus.dm app to programmatically download and install the app. For the app to be downloaded and installed, certain data needs to be provided: download URL, package name, version name from the app's AndroidManifest.xml file, and the MD5 hash of the app. Moreover, any app that is installed using this method can also be programmatically uninstalled using the same unprotected component named com.asus.dm.installer.DMInstallerService. | |||||
| CVE-2018-14985 | 1 Leagoo | 2 Z5c, Z5c Firmware | 2024-11-21 | 5.6 MEDIUM | 7.1 HIGH |
| The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-android.20170630.092853) that contains an exported broadcast receiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. | |||||
| CVE-2018-14891 | 1 Vectra | 1 Cognito | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability. | |||||
| CVE-2018-14876 | 1 Flif | 1 Flif | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in image_save_png in image/image-png.cpp in Free Lossless Image Format (FLIF) 0.3. Attackers can trigger a longjmp that leads to an uninitialized stack frame after a libpng error concerning the IHDR image width. | |||||
| CVE-2018-14773 | 3 Debian, Drupal, Sensiolabs | 3 Debian Linux, Drupal, Symfony | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. | |||||
| CVE-2018-14771 | 1 Vivotek | 1 Camera | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 2 of 2) via eventscript.cgi. | |||||
| CVE-2018-14770 | 1 Vivotek | 1 Camera | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2) via the ONVIF interface, (/onvif/device_service). | |||||
| CVE-2018-14768 | 1 Vivotek | 1 Camera | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Various VIVOTEK FD8*, FD9*, FE9*, IB8*, IB9*, IP9*, IZ9*, MS9*, SD9*, and other devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code. | |||||
| CVE-2018-14722 | 1 Btrfsmaintenance Project | 1 Btrfsmaintenance | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered in evaluate_auto_mountpoint in btrfsmaintenance-functions in btrfsmaintenance through 0.4.1. Code execution as root can occur via a specially crafted filesystem label if btrfs-{scrub,balance,trim} are set to auto in /etc/sysconfig/btrfsmaintenance (this is not the default, though). | |||||
| CVE-2018-14714 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter. | |||||
| CVE-2018-14649 | 1 Redhat | 5 Ceph-iscsi-cli, Ceph Storage, Enterprise Linux Desktop and 2 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions. | |||||
| CVE-2018-14636 | 1 Openstack | 1 Neutron | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
| Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable. | |||||
| CVE-2018-14626 | 1 Powerdns | 2 Authoritative, Recursor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of service. | |||||