CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2018-1779 770 DoS 2018-11-20 2020-08-24
5.0
None Remote Low Not required None None Partial
IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802.
52 CVE-2018-1780 59 2018-11-09 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803.
53 CVE-2018-1781 59 2018-11-09 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804.
54 CVE-2018-1786 400 DoS 2018-11-12 2019-10-09
5.0
None Remote Low Not required None None Partial
IBM Spectrum Protect 7.1 and 8.1 dsmc and dsmcad processes incorrectly accumulate TCP/IP sockets in a CLOSE_WAIT state. This can cause TCP/IP resource leakage and may result in a denial of service. IBM X-Force ID: 148871.
55 CVE-2018-1788 532 2018-11-02 2019-10-09
2.1
None Local Low Not required Partial None None
IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. IBM X-Force ID: 148873.
56 CVE-2018-1792 94 Exec Code 2018-11-13 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9.0.1 through 9.0.5, and 9.1.0.0 could allow a local user to inject code that could be executed with root privileges. IBM X-Force ID: 148947.
57 CVE-2018-1797 22 Dir. Trav. 2018-11-16 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip". IBM X-Force ID: 149427.
58 CVE-2018-1798 79 XSS 2018-11-12 2019-10-09
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 149428.
59 CVE-2018-1799 2018-11-09 2020-08-24
3.6
None Local Low Not required None Partial Partial
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local unprivileged user to overwrite files on the system which could cause damage to the database. IBM X-Force ID: 149429.
60 CVE-2018-1802 426 2018-11-09 2019-10-09
4.6
None Local Low Not required Partial Partial Partial
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 149640.
61 CVE-2018-1808 94 2018-11-13 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server-side code injection due to inadequate input control. IBM X-Force ID: 149828.
62 CVE-2018-1834 59 2018-11-09 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to escalate their privileges to root through a symbolic link attack. IBM X-Force ID: 150511.
63 CVE-2018-1835 611 2018-11-02 2019-10-09
5.5
None Remote Low ??? Partial None Partial
IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150514.
64 CVE-2018-1841 200 +Info 2018-11-19 2019-10-09
2.1
None Local Low Not required Partial None None
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
65 CVE-2018-1842 347 Bypass 2018-11-09 2019-10-09
3.3
None Local Medium Not required Partial Partial None
IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902.
66 CVE-2018-1843 200 +Info 2018-11-21 2019-10-09
1.9
None Local Medium Not required Partial None None
The Identity and Access Management (IAM) services (IBM Cloud Private 3.1.0) do not use a secure channel, such as SSL, to exchange information only when accessed internally from within the cluster. It could be possible for an attacker with access to network traffic to sniff packets from the connection and uncover data. IBM X-Force ID: 150903
67 CVE-2018-1846 611 2018-11-02 2019-10-09
5.5
None Remote Low ??? Partial None Partial
IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945.
68 CVE-2018-1857 200 Bypass +Info 2018-11-09 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow a user to bypass FGAC control and gain access to data they shouldn't be able to see. IBM X-Force ID: 151155.
69 CVE-2018-1872 79 XSS 2018-11-09 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151330.
70 CVE-2018-1876 532 2018-11-02 2019-10-09
2.1
None Local Low Not required Partial None None
IBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control Room log file after installation. IBM X-Force ID: 151707.
71 CVE-2018-1877 312 2018-11-02 2019-10-09
2.1
None Local Low Not required Partial None None
IBM Robotic Process Automation with Automation Anywhere 11 could store highly sensitive information in the form of unencrypted passwords that would be available to a local user. IBM X-Force ID: 151713.
72 CVE-2018-1878 200 +Info 2018-11-02 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Robotic Process Automation with Automation Anywhere 11 could disclose sensitive information in a web request that could aid in future attacks against the system. IBM X-Force ID: 151714.
73 CVE-2018-1884 22 Exec Code Dir. Trav. 2018-11-12 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3.3.0 is vulnerable to a "zip slip" vulnerability which could allow a remote attacker to execute code using directory traversal techniques. IBM X-Force ID: 151970.
74 CVE-2018-1897 787 Exec Code Overflow 2018-11-30 2020-08-24
4.6
None Local Low Not required Partial Partial Partial
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462.
75 CVE-2018-1905 611 2018-11-26 2019-10-09
5.5
None Remote Low ??? Partial None Partial
IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534.
76 CVE-2018-1927 352 CSRF 2018-11-30 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
IBM StoredIQ 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 153118.
77 CVE-2018-1928 2018-11-30 2019-10-09
2.1
None Local Low Not required None Partial None
IBM StoredIQ 7.6.0 does not implement proper authorization of user roles due to which it was possible for a low privileged user to access the application endpoints of high privileged users and also perform some state changing actions restricted to a high privileged user. IBM X-Force ID: 153119.
78 CVE-2018-2473 2018-11-13 2020-08-24
4.0
None Remote Low ??? None None Partial
SAP BusinessObjects Business Intelligence Platform Server, versions 4.1 and 4.2, when using Web Intelligence Richclient 3 tiers mode gateway allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
79 CVE-2018-2476 601 2018-11-13 2018-12-13
5.8
None Remote Medium Not required Partial Partial None
Due to insufficient URL Validation in forums in SAP NetWeaver versions 7.30, 7.31, 7.40, an attacker can redirect users to a malicious site.
80 CVE-2018-2477 91 2018-11-13 2019-02-01
6.5
None Remote Low ??? Partial Partial Partial
Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document accepted from an untrusted source.
81 CVE-2018-2478 Exec Code 2018-11-13 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An attacker can use specially crafted inputs to execute commands on the host of a TREX / BWA installation, SAP Basis, versions: 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53. Not all commands are possible, only those that can be executed by the <sid>adm user. The commands executed depend upon the privileges of the <sid>adm user.
82 CVE-2018-2479 79 XSS 2018-11-13 2018-11-24
4.3
None Remote Medium Not required None Partial None
SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
83 CVE-2018-2481 269 Exec Code 2018-11-13 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality.
84 CVE-2018-2482 2018-11-13 2020-08-24
5.0
None Remote Low Not required None None Partial
SAP Mobile Secure Android Application, Mobile-secure.apk Android client, before version 6.60.19942.0, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Install the Mobile Secure Android client released in Mid-Oct 2018.
85 CVE-2018-2483 287 2018-11-13 2020-08-24
4.0
None Remote Low ??? Partial None None
HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method.
86 CVE-2018-2485 2018-11-13 2019-10-03
6.4
None Remote Low Not required Partial Partial None
It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
87 CVE-2018-2487 2018-11-13 2020-08-24
5.1
None Remote High Not required Partial Partial Partial
SAP Disclosure Management 10.x allows an attacker to exploit through a specially crafted zip file provided by users: When extracted in specific use cases, files within this zip file can land in different locations than the originally intended extraction point.
88 CVE-2018-2488 2018-11-13 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
It is possible for a malware application installed on an Android device to send local push notifications with an empty message to SAP Fiori Client and cause the application to crash. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
89 CVE-2018-2489 732 2018-11-13 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
Locally, without any permission, an arbitrary android application could delete the SSO configuration of SAP Fiori Client. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
90 CVE-2018-2490 732 2018-11-13 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
91 CVE-2018-2491 94 2018-11-13 2019-02-01
6.8
None Remote Medium Not required Partial Partial Partial
When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-in log viewer of the application in case user opens the viewer and taps on the hyperlink in the viewer. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
92 CVE-2018-3621 200 +Info 2018-11-14 2018-12-13
3.3
None Local Network Low Not required Partial None None
Insufficient input validation in the Intel Driver & Support Assistant before 3.6.0.4 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
93 CVE-2018-3635 269 DoS 2018-11-14 2021-03-26
4.6
None Local Low Not required Partial Partial Partial
Insufficient input validation in installer in Intel Rapid Store Technology (RST) before version 16.7 may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service via local access.
94 CVE-2018-3696 287 +Priv Bypass 2018-11-14 2018-12-31
2.1
None Local Low Not required Partial None None
Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.
95 CVE-2018-3697 732 2018-11-14 2019-10-03
4.6
None Local Low Not required Partial Partial Partial
Improper directory permissions in the installer for the Intel Media Server Studio may allow unprivileged users to potentially enable an escalation of privilege via local access.
96 CVE-2018-3698 +Priv 2018-11-14 2019-10-03
4.6
None Local Low Not required Partial Partial Partial
Improper file permissions in the installer for the Intel Ready Mode Technology may allow an unprivileged user to potentially gain privileged access via local access.
97 CVE-2018-3699 79 XSS 2018-11-14 2018-12-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in the Intel RAID Web Console v3 for Windows may allow an unauthenticated user to elevate privilege via remote access.
98 CVE-2018-3890 78 Exec Code 2018-11-02 2022-04-19
4.6
None Local Low Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.
99 CVE-2018-3891 20 2018-11-02 2022-04-19
2.1
None Local Low Not required None Partial None
An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability.
100 CVE-2018-3892 119 Exec Code Overflow 2018-11-02 2022-04-19
7.5
None Remote Low Not required Partial Partial Partial
An exploitable firmware downgrade vulnerability exists in the time syncing functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted packet can cause a buffer overflow, resulting in code execution. An attacker can intercept and alter network traffic to trigger this vulnerability.
Total number of vulnerabilities : 984   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.