| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
551 |
CVE-2018-13357 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names. |
|
552 |
CVE-2018-13356 |
863 |
|
|
2018-11-27 |
2019-10-03 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions. |
|
553 |
CVE-2018-13355 |
732 |
|
|
2018-11-27 |
2019-10-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization. |
|
554 |
CVE-2018-13354 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter. |
|
555 |
CVE-2018-13353 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. |
|
556 |
CVE-2018-13352 |
200 |
|
+Info |
2018-11-27 |
2018-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory. |
|
557 |
CVE-2018-13351 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form. |
|
558 |
CVE-2018-13350 |
89 |
|
Sql |
2018-11-27 |
2018-12-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter. |
|
559 |
CVE-2018-13349 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username. |
|
560 |
CVE-2018-13338 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation. |
|
561 |
CVE-2018-13337 |
384 |
|
|
2018-11-27 |
2018-12-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. |
|
562 |
CVE-2018-13336 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation. |
|
563 |
CVE-2018-13335 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions. |
|
564 |
CVE-2018-13334 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter. |
|
565 |
CVE-2018-13333 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames. |
|
566 |
CVE-2018-13332 |
22 |
|
Dir. Trav. |
2018-11-27 |
2018-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter. |
|
567 |
CVE-2018-13331 |
79 |
|
XSS |
2018-11-27 |
2018-12-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames. |
|
568 |
CVE-2018-13330 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter. |
|
569 |
CVE-2018-13329 |
79 |
|
XSS |
2018-11-27 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter. |
|
570 |
CVE-2018-13324 |
863 |
|
Bypass |
2018-11-26 |
2019-10-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header. |
|
571 |
CVE-2018-13323 |
79 |
|
XSS |
2018-11-26 |
2018-12-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the "username" cookie. |
|
572 |
CVE-2018-13322 |
22 |
|
Dir. Trav. |
2018-11-26 |
2018-12-26 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the "path" parameter. |
|
573 |
CVE-2018-13321 |
732 |
|
|
2018-11-26 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter. |
|
574 |
CVE-2018-13320 |
78 |
|
Exec Code |
2018-11-26 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters. |
|
575 |
CVE-2018-13319 |
200 |
|
+Info |
2018-11-26 |
2018-12-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request. |
|
576 |
CVE-2018-13318 |
78 |
|
Exec Code |
2018-11-26 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter. |
|
577 |
CVE-2018-13317 |
79 |
|
XSS |
2018-11-26 |
2018-12-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm. |
|
578 |
CVE-2018-13316 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter. |
|
579 |
CVE-2018-13315 |
20 |
|
|
2018-11-26 |
2018-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request. |
|
580 |
CVE-2018-13314 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter. |
|
581 |
CVE-2018-13312 |
79 |
|
XSS |
2018-11-26 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field. |
|
582 |
CVE-2018-13311 |
78 |
|
Exec Code |
2018-11-26 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter. |
|
583 |
CVE-2018-13310 |
79 |
|
XSS |
2018-11-26 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username. |
|
584 |
CVE-2018-13309 |
79 |
|
XSS |
2018-11-26 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password. |
|
585 |
CVE-2018-13308 |
79 |
|
XSS |
2018-11-26 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field. |
|
586 |
CVE-2018-13307 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable. |
|
587 |
CVE-2018-13306 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter. |
|
588 |
CVE-2018-13023 |
78 |
|
Exec Code |
2018-11-27 |
2019-10-03 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter. |
|
589 |
CVE-2018-13022 |
79 |
|
XSS |
2018-11-27 |
2018-12-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path. |
|
590 |
CVE-2018-12543 |
20 |
|
|
2018-11-15 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. |
|
591 |
CVE-2018-12480 |
79 |
|
XSS |
2018-11-15 |
2018-12-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mitigates an XSS issue in NetIQ Access Manager versions prior to 4.4 SP3. |
|
592 |
CVE-2018-12416 |
352 |
|
CSRF |
2018-11-13 |
2019-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The GridServer Broker and GridServer Director components of TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an unauthenticated user to perform cross-site request forgery (CSRF). Affected releases are TIBCO Software Inc. TIBCO DataSynapse GridServer Manager: versions up to and including 5.2.0; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; 6.2.0; 6.3.0. |
|
593 |
CVE-2018-12415 |
352 |
|
CSRF |
2018-11-06 |
2020-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Message Service: versions 8.4.0 and below, TIBCO Enterprise Message Service - Community Edition: versions 8.4.0 and below, and TIBCO Enterprise Message Service - Developer Edition: versions 8.4.0 and below. |
|
594 |
CVE-2018-12414 |
352 |
|
CSRF |
2018-11-06 |
2019-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Rendezvous Routing Daemon (rvrd), Rendezvous Secure Routing Daemon (rvrsd), Rendezvous Secure Daemon (rvsd), Rendezvous Cache (rvcache), and Rendezvous Daemon Manager (rvdm) components of TIBCO Software Inc.'s TIBCO Rendezvous, TIBCO Rendezvous Developer Edition, TIBCO Rendezvous for z/Linux, TIBCO Rendezvous for z/OS, TIBCO Rendezvous Network Server, TIBCO Substation ES contain vulnerabilities which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Rendezvous: versions up to and including 8.4.5, TIBCO Rendezvous Developer Edition: versions up to and including 8.4.5, TIBCO Rendezvous for z/Linux: versions up to and including 8.4.5, TIBCO Rendezvous for z/OS: versions up to and including 8.4.5, TIBCO Rendezvous Network Server: versions up to and including 1.1.2, and TIBCO Substation ES: versions up to and including 2.12.2. |
|
595 |
CVE-2018-12413 |
352 |
|
CSRF |
2018-11-06 |
2019-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Schema repository server (tibschemad) component of TIBCO Software Inc.'s TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition: 1.0.0, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition: 1.0.0. |
|
596 |
CVE-2018-12412 |
352 |
|
CSRF |
2018-11-06 |
2019-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The realm server (tibrealmserver) component of TIBCO Software Inc. TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO FTL - Community Edition: versions up to and including 5.4.0, TIBCO FTL - Developer Edition: versions up to and including 5.4.0, TIBCO FTL - Enterprise Edition: versions up to and including 5.4.0. |
|
597 |
CVE-2018-12411 |
352 |
|
CSRF |
2018-11-06 |
2019-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The administrative daemon (tibdgadmind) of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: 3.3.0; 3.4.0; 3.5.0, TIBCO ActiveSpaces - Developer Edition: 3.0.0; 3.1.0; 3.3.0; 3.4.0; 3.5.0, and TIBCO ActiveSpaces - Enterprise Edition: 3.0.0; 3.1.0; 3.2.0; 3.3.0; 3.4.0; 3.5.0. |
|
598 |
CVE-2018-12245 |
426 |
|
|
2018-11-29 |
2018-12-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Symantec Endpoint Protection prior to 14.2 MP1 may be susceptible to a DLL Preloading vulnerability, which in this case is an issue that can occur when an application being installed unintentionally loads a DLL provided by a potential attacker. Note that this particular type of exploit only manifests at install time; no remediation is required for software that has already been installed. This issue only impacted the Trialware media for Symantec Endpoint Protection, which has since been updated. |
|
599 |
CVE-2018-12241 |
79 |
|
XSS |
2018-11-27 |
2019-02-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Symantec Security Analytics (SA) 7.x prior to 7.3.4 Web UI is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker with knowledge of the SA web UI hostname or IP address can craft a malicious URL for the SA web UI and target SA web UI users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious JavaScript code into the SA web UI client application. |
|
600 |
CVE-2018-12239 |
|
|
Bypass |
2018-11-29 |
2019-10-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12.1.7454.7000 & 14.2; Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to NIS-22.15.1.8 & SEP-12.1.7454.7000; and Symantec Endpoint Protection Cloud (SEP Cloud) prior to 22.15.1 may be susceptible to an AV bypass issue, which is a type of exploit that works to circumvent one of the virus detection engines to avoid a specific type of virus protection. One of the antivirus engines depends on a signature pattern from a database to identify malicious files and viruses; the antivirus bypass exploit looks to alter the file being scanned so it is not detected. |
