Total
314744 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. | |||||
| CVE-2018-13435 | 1 Linecorp | 1 Line | 2024-11-21 | 4.4 MEDIUM | 7.0 HIGH |
| ** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred. | |||||
| CVE-2018-13434 | 1 Linecorp | 1 Line | 2024-11-21 | 4.4 MEDIUM | 6.3 MEDIUM |
| ** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation allows authentication bypass by overriding the LAContext return Boolean value to be "true" because the kSecAccessControlUserPresence protection mechanism is not used. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred. | |||||
| CVE-2018-13433 | 1 Boostnote | 1 Boostnote | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Boostnote v0.11.7 allows XSS during highlighting of Markdown text, as demonstrated by an onerror attribute of an IMG element. | |||||
| CVE-2018-13423 | 1 Omeka | 1 Omeka | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| admin/themes/default/items/tag-form.php in Omeka before 2.6.1 allows XSS by adding or editing a tag. | |||||
| CVE-2018-13422 | 1 Tecnick | 1 Tcexam | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| TCExam before 14.1.2 has XSS via an ff_ or xl_ field. | |||||
| CVE-2018-13421 | 1 Fast-cpp-csv-parser Project | 1 Fast-cpp-csv-parser | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Fast C++ CSV Parser (aka fast-cpp-csv-parser) before 2018-07-06 has a heap-based buffer over-read in io::trim_chars in csv.h. | |||||
| CVE-2018-13420 | 1 Gperftools Project | 1 Gperftools | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program. | |||||
| CVE-2018-13419 | 1 Libsndfile Project | 1 Libsndfile | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| ** DISPUTED ** An issue has been found in libsndfile 1.0.28. There is a memory leak in psf_allocate in common.c, as demonstrated by sndfile-convert. NOTE: The maintainer and third parties were unable to reproduce and closed the issue. | |||||
| CVE-2018-13418 | 1 Terra-master | 1 Terramaster Operating System | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter. | |||||
| CVE-2018-13417 | 1 Vuze | 1 Bittorrent Client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13416 | 1 Spirton | 1 Universal Media Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running UMS, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13415 | 1 Plex | 1 Media Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. | |||||
| CVE-2018-13412 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version. | |||||
| CVE-2018-13411 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version. | |||||
| CVE-2018-13410 | 1 Info-zip Project | 1 Zip | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands. | |||||
| CVE-2018-13409 | 1 Jirafeau | 1 Jirafeau | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Jirafeau before 3.4.1. The "search file by hash" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges. | |||||
| CVE-2018-13408 | 1 Jirafeau | 1 Jirafeau | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Jirafeau before 3.4.1. The "search file by link" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges. | |||||
| CVE-2018-13407 | 1 Jirafeau | 1 Jirafeau | 2024-11-21 | 5.5 MEDIUM | 4.9 MEDIUM |
| A CSRF issue was discovered in Jirafeau before 3.4.1. The "delete file" feature on the admin panel is not protected against automated requests and could be abused. | |||||
| CVE-2018-13406 | 3 Canonical, Debian, Linux | 3 Ubuntu Linux, Debian Linux, Linux Kernel | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. | |||||