# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description
351 | CVE-2018-18820 | 119 | | DoS Exec Code Overflow | 2018-11-05 | 2019-01-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A buffer overflow was discovered in the URL-authentication backend of Icecast before 2.4.4. If the backend is enabled, any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution.
352 | CVE-2018-18807 | 79 | | XSS | 2018-11-26 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0.
353 | CVE-2018-18806 | 89 | | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | School Equipment Monitoring System 1.0 allows SQL injection via the login screen, related to include/user.vb.
354 | CVE-2018-18805 | 89 | | Sql | 2018-11-16 | 2022-03-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Point Of Sales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.
355 | CVE-2018-18804 | 89 | | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
356 | CVE-2018-18803 | 89 | | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Curriculum Evaluation System 1.0 allows SQL injection via the login screen, related to frmCourse.vb and includes/user.vb.
357 | CVE-2018-18801 | 89 | | Sql | 2018-11-16 | 2018-12-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | BSEN Ordering 1.0 has SQL injection via the id parameter in student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
358 | CVE-2018-18799 | 352 | | CSRF | 2018-11-16 | 2018-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
359 | CVE-2018-18797 | 352 | | CSRF | 2018-11-16 | 2018-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
360 | CVE-2018-18796 | 89 | | Sql | 2018-11-16 | 2018-12-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Library Management System 1.0 has SQL injection via the "Search for Books" screen.
361 | CVE-2018-18795 | 89 | | Sql | 2018-11-16 | 2018-12-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | School Event Management System 1.0 has SQL injection via the id parameter of student/index.php or event/index.php.
362 | CVE-2018-18794 | 352 | | CSRF | 2018-11-16 | 2018-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
363 | CVE-2018-18793 | 434 | | | 2018-11-16 | 2018-12-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | School Event Management System 1.0 allows arbitrary file upload via event/controller.php?action=photos.
364 | CVE-2018-18777 | 22 | | Dir. Trav. Bypass | 2018-11-01 | 2018-12-12 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Directory traversal vulnerability in the subpage parameter of "/WebMstr7/servlet/mstrWeb" in Microstrategy Web, version 7, allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
365 | CVE-2018-18776 | 79 | | XSS | 2018-11-01 | 2018-12-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product.
366 | CVE-2018-18775 | 79 | | XSS | 2018-11-01 | 2018-12-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a cross-site scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.
367 | CVE-2018-18774 | 79 | | XSS | 2018-11-20 | 2018-11-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
368 | CVE-2018-18773 | 352 | | CSRF | 2018-11-20 | 2018-11-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
369 | CVE-2018-18772 | 352 | | CSRF | 2018-11-20 | 2018-11-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
370 | CVE-2018-18763 | 89 | | Sql | 2018-11-16 | 2018-12-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SaltOS 3.1 r8126 allows SQL injection via action=ajax&query=numbers&page=usuarios&action2=[SQL].
371 | CVE-2018-18761 | 89 | | Sql | 2018-11-16 | 2020-05-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SaltOS 3.1 r8126 allows SQL injection via action=login&querystring=&user=[SQL].
372 | CVE-2018-18760 | 352 | | CSRF | 2018-11-16 | 2018-12-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | RhinOS 3.0 build 1190 allows CSRF.
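The CSRF entries above (School Attendance Monitoring System, School Event Management System, CentOS Web Panel rootpwd and send_ssh, RhinOS) all describe a state-changing request that the server accepts on the strength of the session cookie the browser attaches automatically. The example below is added here to show that handler shape next to the synchronizer-token pattern with an Origin check on top; it is not code from any of those products. The Session and Request classes, the site origin https://panel.example, the form path and the handler names are stand-ins constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session (constructed stand-in). The token is generated once per session
    and only ever appears inside the site's own pages."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for a parsed HTTP request."""
    method: str
    params: dict
    session: Session               # resolved from the cookie the browser attached automatically
    origin: Optional[str] = None   # Origin header: browsers add it to cross-site POSTs, page script cannot forge it


class Forbidden(Exception):
    pass


def change_root_password_vulnerable(req: Request, system: dict) -> str:
    """Accepts any request that arrives with a valid session cookie. A form auto-submitted
    from an attacker's page while the admin is logged in changes the password."""
    system["root_password"] = req.params["new_password"]
    return "ok"


def change_root_password_fixed(req: Request, system: dict,
                               site_origin: str = "https://panel.example") -> str:
    if req.method != "POST":
        raise Forbidden("state changes only over POST")
    # Defense in depth: a cross-site request carries the attacker's Origin.
    if req.origin is not None and req.origin != site_origin:
        raise Forbidden("cross-site Origin")
    # The token is embedded in the site's own form; another origin cannot read it,
    # so it cannot be replayed from a forged form. Constant-time compare.
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        raise Forbidden("missing or invalid CSRF token")
    system["root_password"] = req.params["new_password"]
    return "ok"


def render_form(session: Session) -> str:
    """The site's own page embeds the token, so only forms served by this origin pass the check."""
    return (
        '<form method="POST" action="/admin/index.php?module=rootpwd">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="password" name="new_password"><button>Change</button></form>'
    )


if __name__ == "__main__":
    admin = Session(user="root")
    system = {"root_password": "original"}
    forged = Request("POST", {"new_password": "pwned"}, admin, origin="https://attacker.example")
    print(change_root_password_vulnerable(forged, system), system)
    try:
        change_root_password_fixed(forged, system)
    except Forbidden as exc:
        print("rejected:", exc)
```

The Origin check alone is not sufficient (older clients and some proxies omit the header, which is why a missing Origin is tolerated), and the token alone is defeated if an XSS bug on the same origin can read it; the two together cover each other's gap. SameSite cookies are a third layer the example leaves out.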
373 | CVE-2018-18759 | 119 | | Overflow | 2018-11-16 | 2019-01-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Modbus Slave 7.0.0 from Modbus Tools has a buffer overflow.
374 | CVE-2018-18756 | 119 | | Overflow | 2018-11-16 | 2018-12-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Local Server 1.0.9 has a buffer overflow via crafted data on port 4008.
375 | CVE-2018-18755 | 89 | | Sql | 2018-11-16 | 2020-06-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | K-iwi Framework 1775 has SQL injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
376 | CVE-2018-18716 | 79 | | XSS | 2018-11-20 | 2021-05-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine OpManager 12.3 before 123219 has a self-XSS vulnerability.
377 | CVE-2018-18715 | 79 | | XSS | 2018-11-20 | 2021-05-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
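The reflected and stored XSS entries above (Microstrategy Web Msg and ShowAll, CentOS Web Panel module, ManageEngine OpManager) come down to the same mistake: untrusted text written into the page without being encoded for the context it lands in. The example below is added here to show one value placed into a text node, an attribute and a script block, first as-is and then encoded per context; it is not code from any of those products. The page fragment, the parameter names and the helper names are constructed for the demo.

```python
import html
import json


def page_vulnerable(msg: str, show_all: str) -> str:
    """Request parameters pasted straight into the markup, in three different contexts."""
    return (
        '<p class="notice">' + msg + '</p>\n'
        '<input type="hidden" name="ShowAll" value="' + show_all + '">\n'
        '<script>var showAll = "' + show_all + '";</script>'
    )


def js_string_literal(value: str) -> str:
    """Encode a value for use inside a <script> block. JSON quoting handles quotes and
    backslashes; <, > and & are escaped as well because the HTML parser does not decode
    entities inside script, so a raw '</script>' in the data would end the element."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def page_fixed(msg: str, show_all: str) -> str:
    """Same page, each value encoded for the context it is written into."""
    return (
        # Text node: entity-encode the HTML metacharacters.
        '<p class="notice">' + html.escape(msg) + '</p>\n'
        # Attribute: keep it quoted and entity-encode, including both quote characters.
        '<input type="hidden" name="ShowAll" value="' + html.escape(show_all, quote=True) + '">\n'
        # Script data: a JSON literal with the HTML-significant characters escaped.
        '<script>var showAll = ' + js_string_literal(show_all) + ';</script>'
    )


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'
    print(page_vulnerable(payload, payload))
    print(page_fixed(payload, payload))
```

Note that html.escape is the right tool only for the first two contexts; for the script block it would leave the data unreadable to JavaScript and still not stop a '</script>' from closing the element, which is why the script context gets its own encoder. Unquoted attributes and URL contexts (href, src) each need yet another encoder and are not covered here.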
378 | CVE-2018-18714 | 787 | | DoS Exec Code Overflow | 2018-11-01 | 2020-08-24 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker sends IOCTL 0x8006E010 to the driver. This can lead to denial of service (DoS) or code execution with kernel privileges.
379 | CVE-2018-18695 | 119 | | Overflow | 2018-11-01 | 2018-12-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | M2SOFT Report Designer Viewer 5.0 allows a buffer overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file.
380 | CVE-2018-18649 | | | Exec Code | 2018-11-29 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
381 | CVE-2018-18619 | 89 | | Sql | 2018-11-29 | 2018-12-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to inject SQL via the "page" URL parameter. NOTE: the product is discontinued.
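The login-screen entries above (School Equipment Monitoring System, Point Of Sales, Bakeshop Inventory System, Curriculum Evaluation System) and the id/page-parameter entries (BSEN Ordering, School Event Management System, K-iwi Framework, SaltOS, Advanced Comment System) share one root cause: request input spliced into the SQL text. The Python/sqlite3 example below is added here to show both shapes, the quoted string that becomes an authentication bypass and the bare numeric id that becomes a UNION extraction, each next to its parameterized form; it is not code from any of those products (several of which are VB.NET or PHP). The schema, rows, credentials and function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        """
    )
    # Plaintext passwords only to keep the demo short; a real system stores password hashes.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "admin"), ("student1", "hunter2", "student")],
    )
    conn.executemany(
        "INSERT INTO items (name, price) VALUES (?, ?)",
        [("Bread", 2.5), ("Cake", 12.0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input spliced into the SQL text: the login-screen bug pattern.
    A username of  admin' --  comments out the password check entirely."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Bound parameters: the input is data to the driver and can never change the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def item_vulnerable(conn, item_id):
    """Numeric id concatenated without quotes (the index.php?...&id=[SQL] pattern).
    No quote is needed to break out; a UNION in the id reads any table."""
    sql = "SELECT id, name, price FROM items WHERE id = " + item_id
    return conn.execute(sql).fetchall()


def item_fixed(conn, item_id):
    """Validate the type first, then bind it. Anything that is not an integer is rejected
    before it gets near the database."""
    try:
        numeric_id = int(item_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, name, price FROM items WHERE id = ?"
    return conn.execute(sql, (numeric_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' --", "wrong"))   # logged in as admin without the password
    print(login_fixed(db, "admin' --", "wrong"))        # None
    payload = "1 UNION SELECT id, username || ':' || password, 0 FROM users"
    print(item_vulnerable(db, payload))                 # item row plus every user's credentials
    try:
        item_fixed(db, payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping quotes is not a substitute for binding: the numeric case contains no quote to escape, which is exactly why the fix is the parameter marker (or a validated integer) rather than a string filter.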
382 | CVE-2018-18591 | 200 | | +Info | 2018-11-13 | 2019-10-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None | A potential unauthorized data disclosure vulnerability has been identified in Micro Focus Service Manager versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50 and 9.51. The vulnerability could be exploited to disclose data to unauthorized parties.
383 | CVE-2018-18590 | 200 | | Exec Code +Info | 2018-11-07 | 2019-10-09 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial | A potential remote code execution and information disclosure vulnerability exists in the Micro Focus Operations Bridge containerized suite, versions 2017.11, 2018.02, 2018.05 and 2018.08.
384 | CVE-2018-18565 | 434 | | | 2018-11-20 | 2018-12-28 | 4.1 | None | Local Network | Low | Single system | None | Partial | Partial | An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (serial number below 14000) and 04.x before 04.03.00 (serial number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (serial number below KQ0400000 or KS0400000), and cobas h 232 before 04.00.04 (serial number above KQ0400000 or KS0400000). A vulnerability in the software update mechanism allows authenticated attackers in the adjacent network to overwrite arbitrary files on the system through a crafted update package.
385 | CVE-2018-18564 | | | | 2018-11-20 | 2020-08-24 | 3.3 | None | Local Network | Low | Not required | None | Partial | None | An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (serial number below 14000) and 04.x before 04.03.00 (serial number above 14000), CoaguChek Pro II before 04.03.00, and cobas h 232 before 04.00.04 (serial number above KQ0400000 or KS0400000). Improper access control allows attackers in the adjacent network to change the instrument configuration.
386 | CVE-2018-18563 | 434 | | Exec Code | 2018-11-20 | 2019-10-03 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete | An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (serial number below 14000) and 04.x before 04.03.00 (serial number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (serial number below KQ0400000 or KS0400000) and cobas h 232 before 04.00.04 (serial number above KQ0400000 or KS0400000). Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted POCT1-A message.
387 | CVE-2018-18562 | 521 | | | 2018-11-20 | 2019-10-03 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.
388 | CVE-2018-18561 | 732 | | Exec Code | 2018-11-20 | 2020-08-24 | 7.7 | None | Local Network | Low | Single system | Complete | Complete | Complete | An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system.
389 | CVE-2018-18519 | 426 | | +Priv | 2018-11-19 | 2019-06-21 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | BestXsoftware Best Free Keylogger before 6.0.0 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
390 | CVE-2018-18440 | 119 | | Overflow | 2018-11-20 | 2019-12-10 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | DENX U-Boot through 2018.09-rc1 has a locally exploitable buffer overflow via a crafted kernel image because filesystem loading is mishandled.
391 | CVE-2018-18439 | 119 | | Overflow | 2018-11-20 | 2019-01-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traffic is mishandled. Also, local exploitation can occur via a crafted kernel image.
392 | CVE-2018-18203 | 347 | | Exec Code | 2018-11-28 | 2019-02-05 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | A vulnerability in the update mechanism of Subaru StarLink Harman head units 2017, 2018, and 2019 may give an attacker (with physical access to the vehicle's USB ports) the ability to rewrite the firmware of the head unit. This occurs because the device accepts modified QNX6 filesystem images (as long as the attacker obtains access to certain Harman decryption/encryption code) as a consequence of a bug where unsigned images pass a validity check. An attacker could potentially install persistent malicious head unit firmware and execute arbitrary code as the root user.
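The Subaru StarLink entry describes a validity check that unsigned images pass, which is the fail-open form of CWE-347. The example below is added here to show that bug shape next to the fail-closed form; it is not Harman's or Subaru's code, and nothing about the real image format is known from the entry. The image layout is constructed, and an HMAC-SHA256 tag stands in for the asymmetric signature a real update mechanism would carry (with a real scheme the device holds only the public key and the vendor keeps the private key offline).

```python
import hashlib
import hmac
import struct
from typing import Optional

MAGIC = b"UPD1"          # constructed image header
TAG_LEN = 32             # SHA-256 output length
# Constructed demo key. With a real signature scheme this would be the vendor's private key
# and the device would verify with the matching public key.
VENDOR_KEY = b"constructed-vendor-key"


def build_image(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Constructed layout: MAGIC | payload length (4 bytes, big-endian) | payload | optional tag."""
    body = MAGIC + struct.pack(">I", len(payload)) + payload
    if key is None:
        return body                                    # an unsigned image
    return body + hmac.new(key, body, hashlib.sha256).digest()


def split_image(image: bytes):
    """Return (body, tag); raise ValueError for a malformed header or truncated payload."""
    if len(image) < 8 or image[:4] != MAGIC:
        raise ValueError("bad header")
    (length,) = struct.unpack(">I", image[4:8])
    body, tag = image[:8 + length], image[8 + length:]
    if len(body) != 8 + length:
        raise ValueError("truncated payload")
    return body, tag


def image_is_valid_vulnerable(image: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Verifies the tag when one is present. An image that simply omits the tag never
    reaches the comparison and is accepted: the fail-open branch."""
    body, tag = split_image(image)
    if tag:
        return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    return True


def image_is_valid_fixed(image: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Fail closed: a tag is mandatory, must have the right length, and must verify.
    Every path that is not an explicit success returns False."""
    body, tag = split_image(image)
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


if __name__ == "__main__":
    rogue = build_image(b"modified filesystem image")   # no signature at all
    print(image_is_valid_vulnerable(rogue), image_is_valid_fixed(rogue))   # True False
```

The same structure applies to the pam_access entry further down: a rule-matching or verification routine whose default return is "allow" turns any bug in the checking branch into a bypass, so the default must be "deny" and success must be the only explicit path.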
393 | CVE-2018-17960 | 79 | | XSS | 2018-11-14 | 2019-07-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-m-ode paste.
394 | CVE-2018-17953 | | | | 2018-11-27 | 2019-10-09 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | An incorrect variable in a SUSE-specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open).
395 | CVE-2018-17948 | 601 | | | 2018-11-20 | 2018-12-26 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3.
396 | CVE-2018-17936 | 434 | | Exec Code | 2018-11-27 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In NUUO CMS, all versions 3.3 and prior, the application allows the upload of arbitrary files to the server that can modify or overwrite configuration files, which could allow remote code execution.
397 | CVE-2018-17934 | 22 | | Exec Code Dir. Trav. +Info | 2018-11-27 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In NUUO CMS, all versions 3.3 and prior, the application allows external input to construct a pathname that resolves outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.
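The directory traversal entries above (the Microstrategy Web subpage parameter, NUUO CMS) both describe a path built from request input and resolved outside the intended directory. The example below is added here to show why a substring filter is not a fix and how to decide containment on the canonical path instead; it is not code from either product. The base directory, the parameter name and the function names are constructed for the demo.

```python
import os
from urllib.parse import unquote


class Forbidden(Exception):
    pass


def naive_filter_allows(user_path: str) -> bool:
    """A substring blacklist. Percent-encoded dots, backslashes and absolute paths all pass it."""
    return "../" not in user_path


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the absolute path that user_path names inside base_dir, or raise Forbidden.

    The decision is made on the canonical path: after exactly one URL-decoding step,
    after backslashes are treated as separators, and after symlinks are resolved. Then
    '..', encoded dots, absolute paths and symlinks that point outside base_dir are all
    caught by one comparison instead of one pattern each."""
    decoded = unquote(user_path)            # decode once; never loop "until stable"
    if "\x00" in decoded:
        raise Forbidden("NUL byte in path")
    decoded = decoded.replace("\\", "/")    # some servers accept backslash as a separator
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment on a component boundary: commonpath("/srv/a", "/srv/ab") is "/srv", not "/srv/a".
    if os.path.commonpath([base, candidate]) != base:
        raise Forbidden("path escapes base directory: %r" % user_path)
    return candidate


def list_subpage_fixed(base_dir: str, subpage: str) -> list:
    """Directory listing restricted to base_dir (the 'subpage'-style parameter case)."""
    target = resolve_within(base_dir, subpage)
    if not os.path.isdir(target):
        raise Forbidden("not a directory")
    return sorted(os.listdir(target))


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "reports"))
    for attempt in ["reports", "..%2f..%2fetc", "/etc", "reports/../.."]:
        try:
            print(attempt, "->", resolve_within(base, attempt))
        except Forbidden as exc:
            print(attempt, "-> rejected:", exc)
```

A single decode step is deliberate: decoding until nothing changes lets an attacker choose how many layers to wrap the payload in, and the request framework has usually decoded once already, so the check should mirror what the filesystem will actually see. Where a path must also stay within a file allow-list, check the canonical result against that list rather than the raw parameter.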
398 | CVE-2018-17930 | 787 | | Exec Code Overflow | 2018-11-28 | 2020-09-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | A stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock version 7.2.7.4 and prior, which may allow remote code execution.
399 | CVE-2018-17922 | 532 | | | 2018-11-02 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In Circontrol CirCarLife, all versions prior to 4.3.1, the device's PAP credentials are stored in clear text in a log file that is accessible without authentication.
400 | CVE-2018-17918 | 287 | | Bypass | 2018-11-02 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Circontrol CirCarLife, all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page.
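The Score column in this table is the CVSS v2 base score, and the Access, Complexity, Authentication, Conf., Integ. and Avail. columns are its six base metrics. The calculator below is added here to show how those columns produce the listed scores (6.8 for a Remote/Medium/Not required row with Partial impact on all three, 7.5 when complexity is Low, 10.0 with Complete impact); it uses the published CVSS v2 base equation and weights, keyed by the wording of this table, and is not the source site's code. The source site renders one Authentication value as "???"; the listed scores (for instance 4.0 for Remote/Low/???/Partial/None/None, 3.5 for Remote/Medium/???/None/Partial/None) reproduce only with the Single-system weight, so that string is mapped to Single here and the mapping is marked as inferred. The sample row string in the code is constructed.

```python
import math

# Weights from the CVSS v2 base equation, keyed by the wording this table uses.
ACCESS_VECTOR = {"Local": 0.395, "Local Network": 0.646, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {
    "Multiple system": 0.45,
    "Single system": 0.56,
    "???": 0.56,           # how the source site renders Single; inferred from its listed scores
    "Not required": 0.704,
}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
VECTOR_CODES = {
    "Local": "L", "Local Network": "A", "Remote": "N",
    "High": "H", "Medium": "M", "Low": "L",
    "Multiple system": "M", "Single system": "S", "???": "S", "Not required": "N",
    "None": "N", "Partial": "P", "Complete": "C",
}


def round_to_1_decimal(value: float) -> float:
    """CVSS v2 rounds half up; Python's round() rounds half to even, so do it by hand."""
    return math.floor(value * 10 + 0.5) / 10


def cvss2_base_score(access, complexity, authentication, conf, integ, avail) -> float:
    """CVSS v2 base equation: impact and exploitability sub-scores, then the weighted sum."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = (20 * ACCESS_VECTOR[access] * ACCESS_COMPLEXITY[complexity]
                      * AUTHENTICATION[authentication])
    f_impact = 0.0 if impact == 0 else 1.176       # no impact at all scores 0.0 outright
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def cvss2_vector(access, complexity, authentication, conf, integ, avail) -> str:
    """The same six metrics in the standard AV:/AC:/Au:/C:/I:/A: vector string."""
    c = VECTOR_CODES
    return "AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s" % (
        c[access], c[complexity], c[authentication], c[conf], c[integ], c[avail])


def check_table_row(row: str) -> bool:
    """Recompute the Score cell of a pipe-separated row laid out like this table's columns
    (#, CVE, CWE, exploits, types, publish, update, score, gained, access, complexity,
    authentication, conf, integ, avail) and compare it with the listed value."""
    cells = [cell.strip() for cell in row.split("|")]
    listed = float(cells[7])
    computed = cvss2_base_score(cells[9], cells[10], cells[11], cells[12], cells[13], cells[14])
    return listed == computed


if __name__ == "__main__":
    # Constructed row in the layout of the table above (CVE-2018-18820's values).
    row = ("351 | CVE-2018-18820 | 119 | | DoS Exec Code Overflow | 2018-11-05 | 2019-01-23 "
           "| 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial")
    print(check_table_row(row), cvss2_vector("Remote", "Medium", "Not required", "Partial", "Partial", "Partial"))
```

Two things the table cannot show fall out of the equation: a row with None/None/None impact scores 0.0 regardless of how reachable it is, and the Gained Access Level column is the site's own annotation rather than a CVSS metric, so it does not enter the score.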