CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2018-18565 434 2018-11-20 2018-12-28
4.1
None Local Network Low ??? None Partial Partial
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial number below KQ0400000 or KS0400000), and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). A vulnerability in the software update mechanism allows authenticated attackers in the adjacent network to overwrite arbitrary files on the system through a crafted update package.
602 CVE-2018-18590 200 Exec Code +Info 2018-11-07 2019-10-09
5.8
None Local Network Low Not required Partial Partial Partial
A potential remote code execution and information disclosure vulnerability exists in Micro Focus Operations Bridge containerized suite versions 2017.11, 2018.02, 2018.05, 2018.08. This vulnerability could allow for information disclosure.
603 CVE-2018-18591 200 +Info 2018-11-13 2019-10-09
4.0
None Remote Low ??? Partial None None
A potential unauthorized disclosure of data vulnerability has been identified in Micro Focus Service Manager versions: 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51. The vulnerability could be exploited to release unauthorized disclosure of data.
604 CVE-2018-18619 89 Sql 2018-11-29 2018-12-28
7.5
None Remote Low Not required Partial Partial Partial
internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the sqli attack via a URL in the "page" parameter. NOTE: The product is discontinued.
605 CVE-2018-18649 Exec Code 2018-11-29 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
606 CVE-2018-18695 119 Overflow 2018-11-01 2018-12-12
4.6
None Local Low Not required Partial Partial Partial
M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file.
607 CVE-2018-18714 787 DoS Exec Code Overflow 2018-11-01 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E010. This can lead to denial of service (DoS) or code execution with root privileges.
608 CVE-2018-18715 79 XSS 2018-11-20 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
609 CVE-2018-18716 79 XSS 2018-11-20 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
610 CVE-2018-18755 89 Sql 2018-11-16 2020-06-25
7.5
None Remote Low Not required Partial Partial Partial
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
611 CVE-2018-18756 119 Overflow 2018-11-16 2018-12-31
5.0
None Remote Low Not required None None Partial
Local Server 1.0.9 has a Buffer Overflow via crafted data on Port 4008.
612 CVE-2018-18759 119 Overflow 2018-11-16 2019-01-14
5.0
None Remote Low Not required None None Partial
Modbus Slave 7.0.0 in modbus tools has a Buffer Overflow.
613 CVE-2018-18760 352 CSRF 2018-11-16 2018-12-17
4.3
None Remote Medium Not required Partial None None
RhinOS 3.0 build 1190 allows CSRF.
614 CVE-2018-18761 89 Sql 2018-11-16 2020-05-20
7.5
None Remote Low Not required Partial Partial Partial
SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection.
615 CVE-2018-18763 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuarios&action2=[SQL] SQL Injection.
616 CVE-2018-18772 352 CSRF 2018-11-20 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
617 CVE-2018-18773 352 CSRF 2018-11-20 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
618 CVE-2018-18774 79 XSS 2018-11-20 2018-11-29
4.3
None Remote Medium Not required None Partial None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
619 CVE-2018-18775 79 XSS 2018-11-01 2018-12-12
4.3
None Remote Medium Not required None Partial None
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.
620 CVE-2018-18776 79 XSS 2018-11-01 2018-12-12
4.3
None Remote Medium Not required None Partial None
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product.
621 CVE-2018-18777 22 Dir. Trav. Bypass 2018-11-01 2018-12-12
4.0
None Remote Low ??? Partial None None
Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
622 CVE-2018-18793 434 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos.
623 CVE-2018-18794 352 CSRF 2018-11-16 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
624 CVE-2018-18795 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter.
625 CVE-2018-18796 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
Library Management System 1.0 has SQL Injection via the "Search for Books" screen.
626 CVE-2018-18797 352 CSRF 2018-11-16 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
627 CVE-2018-18799 352 CSRF 2018-11-16 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
628 CVE-2018-18801 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
629 CVE-2018-18803 89 Sql 2018-11-16 2018-12-17
7.5
None Remote Low Not required Partial Partial Partial
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.
630 CVE-2018-18804 89 Sql 2018-11-16 2018-12-17
7.5
None Remote Low Not required Partial Partial Partial
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
631 CVE-2018-18805 89 Sql 2018-11-16 2022-03-29
7.5
None Remote Low Not required Partial Partial Partial
Point Of Sales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.
632 CVE-2018-18806 89 Sql 2018-11-16 2018-12-17
7.5
None Remote Low Not required Partial Partial Partial
School Equipment Monitoring System 1.0 allows SQL injection via the login screen, related to include/user.vb.
633 CVE-2018-18807 79 XSS 2018-11-26 2019-10-09
3.5
None Remote Medium ??? None Partial None
The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0.
634 CVE-2018-18820 119 DoS Exec Code Overflow 2018-11-05 2019-01-23
6.8
None Remote Medium Not required Partial Partial Partial
A buffer overflow was discovered in the URL-authentication backend of the Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution.
635 CVE-2018-18856 78 Exec Code 2018-11-20 2020-05-11
7.2
None Local Low Not required Complete Complete Complete
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "openvpncmd" parameter as a shell command.
636 CVE-2018-18857 78 Exec Code 2018-11-20 2020-05-11
7.2
None Local Low Not required Complete Complete Complete
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "command_line" parameter as a shell command.
637 CVE-2018-18858 78 Exec Code 2018-11-20 2020-05-11
7.2
None Local Low Not required Complete Complete Complete
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "tun_path" or "tap_path" pathname within a shell command.
638 CVE-2018-18859 78 Exec Code 2018-11-20 2020-05-11
7.2
None Local Low Not required Complete Complete Complete
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the value of the "tun_path" or "tap_path" pathname in a kextload() call.
639 CVE-2018-18860 2018-11-30 2020-05-11
7.2
None Local Low Not required Complete Complete Complete
A local privilege escalation vulnerability has been identified in the SwitchVPN client 2.1012.03 for macOS. Due to over-permissive configuration settings and a SUID binary, an attacker is able to execute arbitrary binaries as root.
640 CVE-2018-18861 119 Exec Code Overflow 2018-11-20 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in PCMan FTP Server 2.0.7 allows for remote code execution via the APPE command.
641 CVE-2018-18864 79 XSS 2018-11-20 2018-12-31
9.3
None Remote Medium Not required Complete Complete Complete
Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed.
642 CVE-2018-18865 200 +Info 2018-11-20 2021-09-08
4.3
None Remote Medium Not required Partial None None
The Royal browser extensions TS before 4.3.60728 (Release Date 2018-07-28) and TSX before 3.3.1 (Release Date 2018-09-13) allow Credentials Disclosure.
643 CVE-2018-18883 476 DoS 2018-11-01 2019-01-24
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted.
644 CVE-2018-18887 89 Sql 2018-11-01 2018-12-08
7.5
None Remote Low Not required Partial Partial Partial
S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field).
645 CVE-2018-18888 434 2018-11-01 2019-01-29
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in laravelCMS through 2018-04-02. \app\Http\Controllers\Backend\ProfileController.php allows upload of arbitrary PHP files because the file extension is not properly checked and uploaded files are not properly renamed.
646 CVE-2018-18890 22 Dir. Trav. 2018-11-01 2018-12-03
5.0
None Remote Low Not required Partial None None
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename.
647 CVE-2018-18891 287 2018-11-01 2018-12-03
6.4
None Remote Low Not required None Partial Partial
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late.
648 CVE-2018-18892 94 Exec Code 2018-11-01 2018-12-03
7.5
None Remote Low Not required Partial Partial Partial
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php.
649 CVE-2018-18897 772 2018-11-02 2019-10-03
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.
650 CVE-2018-18903 94 Exec Code 2018-11-03 2018-12-26
7.5
None Remote Low Not required Partial Partial Partial
Vanilla 2.6.x before 2.6.4 allows remote code execution.
Total number of vulnerabilities : 984   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 (This Page)14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.