CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018 (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
101 CVE-2018-16843 400 2018-11-07 2022-02-22
7.8
None Remote Low Not required None None Complete
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
102 CVE-2018-16395 2018-11-16 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
103 CVE-2018-16161 +Priv 2018-11-15 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
OpenDolphin 2.7.0 and earlier allows authenticated users to gain administrative privileges and perform unintended operations.
104 CVE-2018-16130 78 Exec Code 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter.
105 CVE-2018-16089 78 2018-11-27 2019-10-03
8.5
None Remote Medium ??? Complete Complete Complete
In System Management Module (SMM) versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.
106 CVE-2018-15981 704 Exec Code 2018-11-29 2018-12-28
10.0
None Remote Low Not required Complete Complete Complete
Flash Player versions 31.0.0.148 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution.
107 CVE-2018-15767 863 2018-11-30 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file.
108 CVE-2018-15716 78 Exec Code 2018-11-30 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root.
109 CVE-2018-15715 20 2018-11-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens.
110 CVE-2018-15710 78 2018-11-14 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
111 CVE-2018-15708 Exec Code 2018-11-14 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.
112 CVE-2018-15454 20 DoS 2018-11-01 2019-10-09
7.8
None Remote Low Not required None None Complete
A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device. Software updates that address this vulnerability are not yet available.
113 CVE-2018-15447 89 Exec Code Sql 2018-11-08 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability in the web framework code of Cisco Integrated Management Controller (IMC) Supervisor could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application.
114 CVE-2018-15441 89 Exec Code +Priv Sql 2018-11-28 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.
115 CVE-2018-15439 798 Exec Code Bypass 2018-11-08 2020-08-28
9.3
None Remote Medium Not required Complete Complete Complete
A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights. Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability.
116 CVE-2018-15394 +Priv Bypass 2018-11-08 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability in the Stealthwatch Management Console (SMC) of Cisco Stealthwatch Enterprise could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected system. The vulnerability is due to an insecure system configuration. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to gain unauthenticated access, resulting in elevated privileges in the SMC.
117 CVE-2018-15381 502 Exec Code 2018-11-08 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.
118 CVE-2018-14893 78 Exec Code 2018-11-27 2020-08-24
9.0
None Remote Low ??? Complete Complete Complete
A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API.
119 CVE-2018-14749 119 Overflow 2018-11-28 2018-12-27
7.5
None Remote Low Not required Partial Partial Partial
Buffer Overflow vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could have unspecified impact on the NAS.
120 CVE-2018-14748 863 2018-11-28 2019-10-03
7.8
None Remote Low Not required None None Complete
Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS.
121 CVE-2018-14746 77 2018-11-28 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
Command Injection vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to run arbitrary commands on the NAS.
122 CVE-2018-14667 94 Exec Code 2018-11-06 2020-08-28
7.5
None Remote Low Not required Partial Partial Partial
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
123 CVE-2018-13418 78 Exec Code 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
124 CVE-2018-13397 Exec Code 2018-11-05 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
125 CVE-2018-13396 Exec Code 2018-11-05 2020-05-11
9.0
None Remote Low ??? Complete Complete Complete
There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.
126 CVE-2018-13358 78 Exec Code 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
127 CVE-2018-13356 863 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
128 CVE-2018-13354 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.
129 CVE-2018-13353 78 Exec Code 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
130 CVE-2018-13350 89 Sql 2018-11-27 2018-12-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
131 CVE-2018-13338 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
132 CVE-2018-13336 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.
133 CVE-2018-13330 78 Exec Code 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.
134 CVE-2018-13324 863 Bypass 2018-11-26 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header.
135 CVE-2018-13316 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.
136 CVE-2018-13314 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
137 CVE-2018-13311 78 Exec Code 2018-11-26 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
138 CVE-2018-13307 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
139 CVE-2018-13306 78 Exec Code 2018-11-27 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
140 CVE-2018-13023 78 Exec Code 2018-11-27 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.
141 CVE-2018-11996 129 2018-11-28 2018-12-26
7.2
None Local Low Not required Complete Complete Complete
When a malformed command is sent to the device programmer, an out-of-bounds access can occur in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 600, SD 820, SD 820A, SD 835, SDA660, SDX20, SDX24.
142 CVE-2018-11995 119 Overflow 2018-11-27 2018-12-21
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a partition name-check variable is not reset for every iteration which may cause improper termination in the META image.
143 CVE-2018-11994 2018-11-28 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
SMMU secure camera logic allows secure camera controllers to access HLOS memory during session in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130.
144 CVE-2018-11956 2018-11-27 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper mounting lead to device node and executable to be run from /dsp/ which presents a potential security issue.
145 CVE-2018-11921 755 2018-11-28 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
Failure condition is not handled properly and the correct error code is not returned. It could cause unintended SUI behavior and create unintended SUI display in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130.
146 CVE-2018-11914 732 2018-11-27 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /systemrw/ which presents a potential security.
147 CVE-2018-11913 732 2018-11-27 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of dev nodes may lead to potential security issue.
148 CVE-2018-11912 269 2018-11-27 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of daemons may lead to unprivileged access.
149 CVE-2018-11911 269 2018-11-27 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of script may lead to unprivileged access.
150 CVE-2018-11910 732 2018-11-27 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /persist/ which presents a potential issue.
Total number of vulnerabilities : 268   Page : 1 2 3 (This Page)4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.