CVEdetails.com

Security Vulnerabilities Published In November 2018

Columns: # | CVE ID | CWE ID | Vulnerability type(s) | Publish date | Update date | CVSS score | Gained access | Access level | Access complexity | Authentication | Confidentiality / Integrity / Availability impact. The "# of Exploits" column is empty for every entry on this page and is omitted; "-" marks a column the page leaves blank; "???" is reproduced as it appears on the page. The description of each entry follows on the next line.

401 | CVE-2018-13309 | CWE-79 | XSS | 2018-11-26 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.
402 | CVE-2018-13310 | CWE-79 | XSS | 2018-11-26 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.
403 | CVE-2018-13311 | CWE-78 | Exec Code | 2018-11-26 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete / Complete / Complete
    System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
404 | CVE-2018-13312 | CWE-79 | XSS | 2018-11-26 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.
405 | CVE-2018-13314 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete / Complete / Complete
    System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
406 | CVE-2018-13315 | CWE-20 | - | 2018-11-26 | 2018-12-20 | 5.0 | None | Remote | Low | Not required | None / Partial / None
    Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.
407 | CVE-2018-13316 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete / Complete / Complete
    System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.
408 | CVE-2018-13317 | CWE-79 | XSS | 2018-11-26 | 2018-12-20 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm.
409 | CVE-2018-13318 | CWE-78 | Exec Code | 2018-11-26 | 2019-10-03 | 6.5 | None | Remote | Low | ??? | Partial / Partial / Partial
    System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter.
410 | CVE-2018-13319 | CWE-200 | +Info | 2018-11-26 | 2018-12-31 | 5.0 | None | Remote | Low | Not required | Partial / None / None
    Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request.
411 | CVE-2018-13320 | CWE-78 | Exec Code | 2018-11-26 | 2019-10-03 | 6.5 | None | Remote | Low | ??? | Partial / Partial / Partial
    System command injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters.
412 | CVE-2018-13321 | CWE-732 | - | 2018-11-26 | 2019-10-03 | 6.5 | None | Remote | Low | ??? | Partial / Partial / Partial
    Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter.
413 | CVE-2018-13322 | CWE-22 | Dir. Trav. | 2018-11-26 | 2018-12-26 | 4.0 | None | Remote | Low | ??? | Partial / None / None
    Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the "path" parameter.
414 | CVE-2018-13323 | CWE-79 | XSS | 2018-11-26 | 2018-12-26 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the "username" cookie.
415 | CVE-2018-13324 | CWE-863 | Bypass | 2018-11-26 | 2019-10-03 | 7.5 | None | Remote | Low | Not required | Partial / Partial / Partial
    Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header.
416 | CVE-2018-13329 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.
417 | CVE-2018-13330 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.
418 | CVE-2018-13331 | CWE-79 | XSS | 2018-11-27 | 2018-12-20 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.
419 | CVE-2018-13332 | CWE-22 | Dir. Trav. | 2018-11-27 | 2018-12-20 | 5.0 | None | Remote | Low | Not required | None / Partial / None
    Directory traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.
420 | CVE-2018-13333 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.
421 | CVE-2018-13334 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.
422 | CVE-2018-13335 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 3.5 | None | Remote | Medium | ??? | None / Partial / None
    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.
423 | CVE-2018-13336 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete / Complete / Complete
    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.
424 | CVE-2018-13337 | CWE-384 | - | 2018-11-27 | 2018-12-21 | 5.8 | None | Remote | Medium | Not required | Partial / Partial / None
    Session fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
425 | CVE-2018-13338 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete / Complete / Complete
    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
426 | CVE-2018-13349 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.
427 | CVE-2018-13350 | CWE-89 | Sql | 2018-11-27 | 2018-12-19 | 7.5 | None | Remote | Low | Not required | Partial / Partial / Partial
    SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
428 | CVE-2018-13351 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 3.5 | None | Remote | Medium | ??? | None / Partial / None
    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.
429 | CVE-2018-13352 | CWE-200 | +Info | 2018-11-27 | 2018-12-21 | 5.0 | None | Remote | Low | Not required | Partial / None / None
    Session exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.
430 | CVE-2018-13353 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
431 | CVE-2018-13354 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete / Complete / Complete
    System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.
432 | CVE-2018-13355 | CWE-732 | - | 2018-11-27 | 2019-10-03 | 4.0 | None | Remote | Low | ??? | None / Partial / None
    Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
433 | CVE-2018-13356 | CWE-863 | - | 2018-11-27 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
434 | CVE-2018-13357 | CWE-79 | XSS | 2018-11-27 | 2018-12-19 | 3.5 | None | Remote | Medium | ??? | None / Partial / None
    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.
435 | CVE-2018-13358 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
436 | CVE-2018-13359 | CWE-79 | XSS | 2018-11-27 | 2020-08-24 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial
    Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
437 | CVE-2018-13360 | CWE-79 | XSS | 2018-11-27 | 2018-12-20 | 4.3 | None | Remote | Medium | Not required | None / Partial / None
    Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
438 | CVE-2018-13361 | CWE-20 | - | 2018-11-27 | 2018-12-21 | 5.0 | None | Remote | Low | Not required | Partial / None / None
    User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
439 | CVE-2018-13376 | - | - | 2018-11-27 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | Partial / None / None
    An uninitialized memory buffer leak exists in Fortinet FortiOS 5.6.1 to 5.6.3, 5.4.6 to 5.4.7, and all 5.2 versions under the web proxy's disclaimer response web pages, potentially causing sensitive data to be displayed in the HTTP response.
440 | CVE-2018-13396 | - | Exec Code | 2018-11-05 | 2020-05-11 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.
441 | CVE-2018-13397 | - | Exec Code | 2018-11-05 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
442 | CVE-2018-13418 | CWE-78 | Exec Code | 2018-11-27 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete / Complete / Complete
    System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
443 | CVE-2018-14626 | - | DoS | 2018-11-29 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | None / None / Partial
    PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to packet cache pollution via a crafted query that can lead to denial of service.
444 | CVE-2018-14629 | CWE-835 | DoS | 2018-11-28 | 2019-10-09 | 4.0 | None | Remote | Low | ??? | None / None / Partial
    A denial of service vulnerability was discovered in Samba's LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.
445 | CVE-2018-14637 | CWE-287 | - | 2018-11-30 | 2019-10-09 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial
    The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
446 | CVE-2018-14644 | CWE-20 | - | 2018-11-09 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None / None / Partial
    An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail.
447 | CVE-2018-14646 | CWE-476 | DoS | 2018-11-26 | 2019-10-09 | 4.9 | None | Local | Low | Not required | None / None / Complete
    The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.
448 | CVE-2018-14655 | CWE-79 | XSS | 2018-11-13 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None / Partial / None
    A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary JavaScript code via the 'state' parameter in the authentication URL. This allows an XSS attack upon successful login.
449 | CVE-2018-14657 | CWE-307 | - | 2018-11-13 | 2020-12-04 | 4.3 | None | Remote | Medium | Not required | Partial / None / None
    A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOTP is enabled, an improper implementation of the brute force detection algorithm will not enforce its protection measures.
450 | CVE-2018-14658 | CWE-601 | - | 2018-11-13 | 2019-10-09 | 5.8 | None | Remote | Medium | Not required | Partial / Partial / None
    A flaw was found in JBOSS Keycloak 3.2.1.Final. The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified. This can lead to an open redirection attack.
Total number of vulnerabilities: 984 (this is page 9 of 20).