CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2018-6079 200 +Info 2018-11-14 2018-12-26
4.3
None Remote Medium Not required Partial None None
Inappropriate sharing of TEXTURE_2D_ARRAY/TEXTURE_3D data between tabs in WebGL in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
152 CVE-2018-6080 269 2018-11-14 2019-10-03
4.3
None Remote Medium Not required Partial None None
Lack of access control checks in Instrumentation in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to obtain memory metadata from privileged processes .
153 CVE-2018-6081 79 XSS 2018-11-14 2018-12-14
4.3
None Remote Medium Not required None Partial None
XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension or open Developer Console to inject arbitrary scripts or HTML via a crafted HTML page.
154 CVE-2018-6082 200 +Info 2018-11-14 2018-12-27
4.3
None Remote Medium Not required Partial None None
Including port 22 in the list of allowed FTP ports in Networking in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially enumerate internal host services via a crafted HTML page.
155 CVE-2018-6083 2018-11-14 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
Failure to disallow PWA installation from CSP sandboxed pages in AppManifest in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to access privileged APIs via a crafted HTML page.
156 CVE-2018-6260 200 +Info 2018-11-13 2019-04-18
2.1
None Local Low Not required Partial None None
NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector.
157 CVE-2018-6263 2018-11-27 2019-10-03
4.6
None Local Low Not required Partial Partial Partial
NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 on Windows in which an attacker who has access to a local user account can plant a malicious dynamic link library (DLL) during application installation, which may lead to escalation of privileges.
158 CVE-2018-6265 2018-11-27 2019-10-03
4.6
None Local Low Not required Partial Partial Partial
NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 during application installation on Windows 7 in elevated privilege mode, where a local user who initiates a browser session may obtain escalation of privileges on the browser.
159 CVE-2018-6266 200 +Info 2018-11-27 2019-04-04
2.1
None Local Low Not required Partial None None
NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 on Windows where a local user may obtain third party integration parameters, which may lead to information disclosure.
160 CVE-2018-6433 20 Bypass 2018-11-08 2021-06-22
2.1
None Local Low Not required Partial None None
A vulnerability in the secryptocfg export command of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to bypass the export file access restrictions and initiate a file copy from the source to a remote system.
161 CVE-2018-6434 384 2018-11-08 2021-06-22
5.0
None Remote Low Not required None Partial None
A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID.
162 CVE-2018-6435 2018-11-08 2021-06-22
7.2
None Local Low Not required Complete Complete Complete
A Vulnerability in the secryptocfg command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, and gain root access.
163 CVE-2018-6436 2018-11-08 2021-06-22
7.2
None Local Low Not required Complete Complete Complete
A Vulnerability in the firmwaredownload command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, gain root access.
164 CVE-2018-6437 2018-11-08 2021-06-22
7.2
None Local Low Not required Complete Complete Complete
A Vulnerability in the help command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, gain root access.
165 CVE-2018-6438 2018-11-08 2021-06-22
7.2
None Local Low Not required Complete Complete Complete
A Vulnerability in the supportsave command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, gain root access.
166 CVE-2018-6441 Bypass 2018-11-08 2021-06-22
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in Secure Shell implementation of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to provide arbitrary environment variables, and bypass the restricted configuration shell.
167 CVE-2018-6442 Exec Code 2018-11-08 2021-06-22
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability in the Brocade Webtools firmware update section of Brocade Fabric OS before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote authenticated attackers to execute arbitrary commands.
168 CVE-2018-6906 79 XSS 2018-11-01 2019-02-15
4.3
None Remote Medium Not required None Partial None
A persistent Cross Site Scripting (XSS) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to inject arbitrary JavaScript via the REST API.
169 CVE-2018-6907 352 CSRF 2018-11-01 2019-02-15
6.8
None Remote Medium Not required Partial Partial Partial
A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via the REST API.
170 CVE-2018-6908 287 Bypass 2018-11-01 2019-02-22
5.0
None Remote Low Not required Partial None None
An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device via a 127.0.0.1:port value in the HTTP 'Host' header, as demonstrated by retrieving credentials.
171 CVE-2018-6909 1021 2018-11-01 2020-08-24
4.3
None Remote Medium Not required None Partial None
A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.
172 CVE-2018-6980 863 2018-11-13 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2) contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which they are not allowed to perform.
173 CVE-2018-6983 190 Exec Code Overflow 2018-11-27 2018-12-19
7.2
None Local Low Not required Complete Complete Complete
VMware Workstation (15.x before 15.0.2 and 14.x before 14.1.5) and Fusion (11.x before 11.0.2 and 10.x before 10.1.5) contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host.
174 CVE-2018-7356 294 2018-11-01 2019-10-09
5.0
None Remote Low Not required None Partial None
All versions up to V3.03.10.B23P2 of ZTE ZXR10 8905E product are impacted by TCP Initial Sequence Number (ISN) reuse vulnerability, which can generate easily predictable ISN, and allows remote attackers to spoof connections.
175 CVE-2018-7357 306 2018-11-14 2019-10-09
3.3
None Local Network Low Not required Partial None None
ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper access control vulnerability, which may allow an unauthorized user to gain unauthorized access.
176 CVE-2018-7358 287 2018-11-14 2019-10-09
5.8
None Local Network Low Not required Partial Partial Partial
ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper change control vulnerability, which may allow an unauthorized user to perform unauthorized operations.
177 CVE-2018-7359 787 Exec Code Overflow 2018-11-16 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.
178 CVE-2018-7360 200 +Info 2018-11-16 2019-10-09
3.3
None Local Network Low Not required Partial None None
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by information exposure vulnerability, which may allow an unauthenticated attacker to get the GPON SN information via appviahttp service.
179 CVE-2018-7361 476 DoS 2018-11-16 2019-10-09
3.3
None Local Network Low Not required None None Partial
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service via appviahttp service.
180 CVE-2018-7362 284 2018-11-16 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper access control vulnerability, which may allows an unauthorized user to perform unauthorized operations on the router.
181 CVE-2018-7363 863 2018-11-16 2019-10-09
3.3
None Local Network Low Not required Partial None None
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute force account credentials.
182 CVE-2018-7718 2018-11-08 2019-10-03
4.0
None Remote Low ??? None Partial None
An issue was discovered in Telexy QPath 5.4.462. A low privileged authenticated user supplying a specially crafted serialized request to AdanitDataService.svc may modify user information, including but not limited to email address, username, and password, of other user accounts. The simplest attack approach is for the attacker to intercept their own password-change request and modify the username before the request reaches the server. Also, changing a victim's email address can have a similar account-takeover consequence.
183 CVE-2018-7798 345 2018-11-02 2022-01-31
6.4
None Remote Low Not required None Partial Partial
A Insufficient Verification of Data Authenticity (CWE-345) vulnerability exists in the Modicon M221, all versions, which could cause a change of IPv4 configuration (IP address, mask and gateway) when remotely connected to the device.
184 CVE-2018-7799 427 Exec Code 2018-11-02 2018-12-27
9.3
None Remote Medium Not required Complete Complete Complete
A DLL hijacking vulnerability exists in Schneider Electric Software Update (SESU), all versions prior to V2.2.0, which could allow an attacker to execute arbitrary code on the targeted system when placing a specific DLL file.
185 CVE-2018-7806 22 Dir. Trav. 2018-11-30 2018-12-28
6.5
None Remote Low ??? Partial Partial Partial
Data Center Operation allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained with the zip onto the server file system outside of the intended directory. This is leveraging the more commonly known ZipSlip vulnerability within Java code.
186 CVE-2018-7807 22 Dir. Trav. 2018-11-30 2018-12-28
6.5
None Remote Low ??? Partial Partial Partial
Data Center Expert, versions 7.5.0 and earlier, allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained with the zip onto the server file system outside of the intended directory. This is leveraging the more commonly known ZipSlip vulnerability within Java code.
187 CVE-2018-7809 640 2018-11-30 2018-12-28
6.4
None Remote Low Not required None Partial Partial
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.
188 CVE-2018-7810 79 XSS 2018-11-30 2018-12-28
4.3
None Remote Medium Not required None Partial None
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to craft a URL containing JavaScript that will be executed within the user's browser, potentially impacting the machine the browser is running on.
189 CVE-2018-7811 640 2018-11-30 2019-10-02
5.0
None Remote Low Not required None Partial None
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server
190 CVE-2018-7830 113 DoS Http R.Spl. 2018-11-30 2018-12-28
5.0
None Remote Low Not required None None Partial
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a denial of service can occur for ~1 minute by sending a specially crafted HTTP request.
191 CVE-2018-7831 352 XSS 2018-11-30 2020-08-24
4.3
None Remote Medium Not required None Partial None
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to send a specially crafted URL to a currently authenticated web server user to execute a password change on the web server.
192 CVE-2018-7910 287 Bypass +Info 2018-11-13 2018-12-12
4.6
None Local Low Not required Partial Partial Partial
Some Huawei smartphones ALP-AL00B 8.0.0.118D(C00), ALP-TL00B 8.0.0.118D(C01), BLA-AL00B 8.0.0.118D(C00), BLA-L09C 8.0.0.127(C432), 8.0.0.128(C432), 8.0.0.137(C432), BLA-L29C 8.0.0.129(C432), 8.0.0.137(C432) have an authentication bypass vulnerability. When the attacker obtains the user's smartphone, the vulnerability can be used to replace the start-up program so that the attacker can obtain the information in the smartphone and achieve the purpose of controlling the smartphone.
193 CVE-2018-7925 863 Bypass 2018-11-13 2019-10-03
4.6
None Local Low Not required Partial Partial Partial
The radio module of some Huawei smartphones Emily-AL00A The versions before 8.1.0.171(C00) have a lock-screen bypass vulnerability. An unauthenticated attacker could start third-part input method APP through certain operations to bypass lock-screen by exploit this vulnerability.
194 CVE-2018-7926 863 Bypass 2018-11-13 2019-10-03
2.1
None Local Low Not required None Partial None
Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch.
195 CVE-2018-7946 200 +Info 2018-11-27 2018-12-19
1.9
None Local Medium Not required Partial None None
There is an information leak vulnerability in some Huawei smartphones. An attacker may do some specific configuration in the smartphone and trick a user into inputting some sensitive information. Due to improper design, successful exploit may cause some information leak.
196 CVE-2018-7958 287 2018-11-27 2018-12-20
5.8
None Remote Medium Not required Partial Partial None
There is an anonymous TLS cipher suites supported vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to hijack the connection from a client when the user signs up to log in by TLS. Due to insufficient authentication, which may be exploited to intercept and tamper with the data information.
197 CVE-2018-7959 327 +Info 2018-11-27 2019-10-03
4.3
None Remote Medium Not required Partial None None
There is a short key vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to intercept and decrypt the call information when the user enables SRTP to make a call. Successful exploitation may cause sensitive information leak.
198 CVE-2018-7960 319 +Info 2018-11-27 2019-10-03
5.8
None Remote Medium Not required Partial Partial None
There is a SRTP icon display vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to intercept the packets in non-secure transmission mode. Successful exploitation may intercept and tamper with the call information, eventually cause sensitive information leak.
199 CVE-2018-7961 200 +Info 2018-11-27 2019-02-04
4.3
None Remote Medium Not required Partial None None
There is a smart SMS verification code vulnerability in some Huawei smart phones. An attacker should trick a user to access malicious Website or malicious App and register. Due to incorrect processing of the smart SMS verification code, successful exploitation can cause sensitive information leak.
200 CVE-2018-7977 200 +Info 2018-11-27 2018-12-20
5.0
None Remote Low Not required Partial None None
There is an information leakage vulnerability on several Huawei products. Due to insufficient communication protection for specific services, a remote, unauthorized attacker can exploit this vulnerability to connect to specific services to obtain additional information. Successful exploitation of this vulnerability can lead to information leakage.
Total number of vulnerabilities : 984   Page : 1 2 3 4 (This Page)5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.