CVE List - 2018 / November
Showing 501 - 600 of 983 CVEs for November 2018 (Page 6 of 10)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2018-15712 | 2018-11-14 | Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php. |
| CVE-2018-15713 | 2018-11-14 | Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php. |
| CVE-2018-15714 | 2018-11-14 | Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters. |
| CVE-2018-5495 | 2018-11-14 | All StorageGRID Webscale versions are susceptible to a vulnerability which could permit an unauthenticated attacker to communicate with systems on the same network as the StorageGRID Webscale Admin Node via... |
| CVE-2018-17960 | 2018-11-14 | CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. |
| CVE-2018-19280 | 2018-11-14 | Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro. |
| CVE-2018-19281 | 2018-11-14 | Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection. |
| CVE-2018-19278 | 2018-11-14 | Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV... |
| CVE-2018-19279 | 2018-11-14 | PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes.... |
| CVE-2015-9274 | 2018-11-15 | HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh,... |
| CVE-2018-19286 | 2018-11-15 | The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note. |
| CVE-2018-19287 | 2018-11-15 | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. |
| CVE-2018-19288 | 2018-11-15 | Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API. |
| CVE-2018-19289 | 2018-11-15 | An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file. |
| CVE-2018-19291 | 2018-11-15 | An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI. |
| CVE-2018-12480 | 2018-11-15 | NetIQ Access Manager XSS vulnerability in versions prior to 4.4 SP3 |
| CVE-2018-0673 | 2018-11-15 | Directory traversal vulnerability in Cybozu Garoon 3.5.0 to 4.6.3 allows authenticated attackers to read arbitrary files via unspecified vectors. |
| CVE-2018-0679 | 2018-11-15 | Cross-site scripting vulnerability in multiple FXC Inc. network devices (Managed Ethernet switch FXC5210/5218/5224 firmware prior to version Ver1.00.22, Managed Ethernet switch FXC5426F firmware prior to version Ver1.00.06, Managed Ethernet switch... |
| CVE-2018-0680 | 2018-11-15 | Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) uses hard-coded credentials, which may allow remote attackers to read/send mail or... |
| CVE-2018-0681 | 2018-11-15 | Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) uses hard-coded credentials, which may allow remote attackers to login to the... |
| CVE-2018-0682 | 2018-11-15 | Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) does not properly manage sessions, which allows remote attackers to read/send mail... |
| CVE-2018-0683 | 2018-11-15 | Buffer overflow in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote attackers to execute arbitrary code or cause... |
| CVE-2018-0684 | 2018-11-15 | Buffer overflow in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R3.0 and earlier, Denbun IMAP version V3.3I R3.0 and earlier) allows remote attackers to execute arbitrary code or cause... |
| CVE-2018-0685 | 2018-11-15 | SQL injection vulnerability in the Denbun POP version V3.3P R4.0 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via HTTP requests for mail search. |
| CVE-2018-0686 | 2018-11-15 | Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote authenticated attackers to upload and execute any executable files via... |
| CVE-2018-0687 | 2018-11-15 | Cross-site scripting vulnerability in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote attackers to inject arbitrary web script... |
| CVE-2018-0690 | 2018-11-15 | An unvalidated software update vulnerability in Music Center for PC version 1.0.02 and earlier could allow a man-in-the-middle attacker to tamper with an update file and inject executable files. |
| CVE-2018-0691 | 2018-11-15 | Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version... |
| CVE-2018-0692 | 2018-11-15 | Untrusted search path vulnerability in Baidu Browser Version 43.23.1000.500 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. |
| CVE-2018-0693 | 2018-11-15 | Directory traversal vulnerability in FileZen V3.0.0 to V4.2.1 allows remote attackers to upload an arbitrary file in the specific directory in FileZen via unspecified vectors. |
| CVE-2018-0694 | 2018-11-15 | FileZen V3.0.0 to V4.2.1 allows remote attackers to execute arbitrary OS commands via unspecified vectors. |
| CVE-2018-0695 | 2018-11-15 | Cross-site scripting vulnerability in User-friendly SVN (USVN) Version 1.0.7 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0697 | 2018-11-15 | Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0699 | 2018-11-15 | Cross-site scripting vulnerability in YukiWiki 2.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0700 | 2018-11-15 | YukiWiki 2.1.3 and earlier does not process a particular request properly that may allow consumption of large amounts of CPU and memory resources and may result in causing a denial... |
| CVE-2018-0701 | 2018-11-15 | BlueStacks App Player (BlueStacks App Player for Windows 3.0.0 to 4.31.55, BlueStacks App Player for macOS 2.0.0 and later) allows an attacker on the same network segment to bypass access... |
| CVE-2018-12543 | 2018-11-15 | In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then... |
| CVE-2018-16160 | 2018-11-15 | SecureCore Standard Edition Version 2.x allows an attacker to bypass the product's authentication to log in to a Windows PC. |
| CVE-2018-16161 | 2018-11-15 | OpenDolphin 2.7.0 and earlier allows authenticated users to gain administrative privileges and perform unintended operations. |
| CVE-2018-16162 | 2018-11-15 | OpenDolphin 2.7.0 and earlier allows authenticated attackers to obtain other users' credentials such as a user ID and/or its password via unspecified vectors. |
| CVE-2018-16163 | 2018-11-15 | OpenDolphin 2.7.0 and earlier allows authenticated attackers to bypass authentication to create and/or delete other users' accounts via unspecified vectors. |
| CVE-2018-1643 | 2018-11-15 | The Installation Verification Tool of IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the... |
| CVE-2018-8529 | 2018-11-15 | A remote code execution vulnerability exists when Team Foundation Server (TFS) does not enable basic authorization on the communication between the TFS and Search services, aka "Team Foundation Server Remote... |
| CVE-2018-14934 | 2018-11-15 | The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone. |
| CVE-2018-14935 | 2018-11-15 | The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS. |
| CVE-2018-16619 | 2018-11-15 | Sonatype Nexus Repository Manager before 3.14 allows XSS. |
| CVE-2018-16620 | 2018-11-15 | Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control. |
| CVE-2018-16621 | 2018-11-15 | Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection. |
| CVE-2018-18954 | 2018-11-15 | The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory. |
| CVE-2018-5407 | 2018-11-15 | Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. |
| CVE-2018-19301 | 2018-11-15 | tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log. |
| CVE-2018-19296 | 2018-11-16 | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. |
| CVE-2018-9071 | 2018-11-16 | CMM Security Vulnerability |
| CVE-2018-9073 | 2018-11-16 | CMM Security Vulnerability |
| CVE-2018-9085 | 2018-11-16 | Missing System x Flash Memory Write Protection Lock Bit |
| CVE-2018-9086 | 2018-11-16 | Legacy Server BMC Remote Command Injection |
| CVE-2018-7359 | 2018-11-16 | All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code. |
| CVE-2018-7360 | 2018-11-16 | All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by information exposure vulnerability, which may allow an unauthenticated attacker to get the GPON SN information via appviahttp... |
| CVE-2018-7361 | 2018-11-16 | All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allow an attacker to cause a denial of service via appviahttp... |
| CVE-2018-7362 | 2018-11-16 | All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper access control vulnerability, which may allow an unauthorized user to perform unauthorized operations on the router. |
| CVE-2018-7363 | 2018-11-16 | All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute... |
| CVE-2018-1639 | 2018-11-16 | The Report Builder of Jazz Reporting Service 5.0 through 5.0.2 and 6.0 through 6.0.6 could allow an authenticated user to obtain sensitive information beyond its assigned privileges. IBM X-Force ID:... |
| CVE-2018-1797 | 2018-11-16 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to... |
| CVE-2018-15692 | 2018-11-16 | Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions. |
| CVE-2018-15693 | 2018-11-16 | Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference. |
| CVE-2018-16395 | 2018-11-16 | An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==,... |
| CVE-2018-16396 | 2018-11-16 | An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with... |
| CVE-2018-18755 | 2018-11-16 | K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter. |
| CVE-2018-18756 | 2018-11-16 | Local Server 1.0.9 has a Buffer Overflow via crafted data on Port 4008. |
| CVE-2018-18759 | 2018-11-16 | Modbus Slave 7.0.0 in modbus tools has a Buffer Overflow. |
| CVE-2018-18760 | 2018-11-16 | RhinOS 3.0 build 1190 allows CSRF. |
| CVE-2018-18761 | 2018-11-16 | SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection. |
| CVE-2018-18763 | 2018-11-16 | SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuarios&action2=[SQL] SQL Injection. |
| CVE-2018-18793 | 2018-11-16 | School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos. |
| CVE-2018-18794 | 2018-11-16 | School Event Management System 1.0 allows CSRF via user/controller.php?action=edit. |
| CVE-2018-18795 | 2018-11-16 | School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter. |
| CVE-2018-18796 | 2018-11-16 | Library Management System 1.0 has SQL Injection via the "Search for Books" screen. |
| CVE-2018-18797 | 2018-11-16 | School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php. |
| CVE-2018-18799 | 2018-11-16 | School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos. |
| CVE-2018-18801 | 2018-11-16 | The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL]. |
| CVE-2018-18803 | 2018-11-16 | Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb. |
| CVE-2018-18804 | 2018-11-16 | Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb. |
| CVE-2018-18805 | 2018-11-16 | Point Of Sales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb. |
| CVE-2018-18806 | 2018-11-16 | School Equipment Monitoring System 1.0 allows SQL injection via the login screen, related to include/user.vb. |
| CVE-2018-19311 | 2018-11-16 | Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen. |
| CVE-2018-19312 | 2018-11-16 | Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI. |
| CVE-2018-19318 | 2018-11-16 | SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account. |
| CVE-2018-19319 | 2018-11-16 | SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges. |
| CVE-2018-18955 | 2018-11-16 | In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A... |
| CVE-2018-15769 | 2018-11-16 | RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server... |
| CVE-2018-19274 | 2018-11-17 | Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the... |
| CVE-2018-19324 | 2018-11-17 | kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI. |
| CVE-2018-19326 | 2018-11-17 | Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd. |
| CVE-2018-19327 | 2018-11-17 | An issue was discovered in JTBC(PHP) 3.0.1.7. aboutus/manage.php?type=action&action=add allows CSRF. |
| CVE-2018-19328 | 2018-11-17 | LAOBANCMS 2.0 allows install/mysql_hy.php?riqi=../ Directory Traversal. |
| CVE-2018-19329 | 2018-11-17 | GreenCMS v2.3.0603 allows remote authenticated administrators to delete arbitrary files by modifying a base64-encoded pathname in an m=admin&c=media&a=delfilehandle&id= call, related to the m=admin&c=media&a=restorefile delete button. |
| CVE-2018-19331 | 2018-11-17 | An issue was discovered in S-CMS v1.5. There is a SQL injection vulnerability in search.php via the keyword parameter. |
| CVE-2018-19332 | 2018-11-17 | An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI. |
| CVE-2018-19333 | 2018-11-17 | pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01 allows attackers to overwrite memory locations in processes running as root (but not escape the sandbox) via vectors involving IPC_RMID shmctl calls, because reference... |
| CVE-2018-19340 | 2018-11-17 | Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default.php OrderID, ShipName, ShipAddress, ShipCity, ShipPostalCode, ShipCountry, Freight, or details parameter. |