ReportizFlow
Filtered by vendor
Subscriptions
Total
322231 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-15495 | 1 Tecrail | 1 Responsive Filemanager | 2024-11-21 | N/A |
| /filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value. | ||||
| CVE-2018-15494 | 2 Debian, Dojotoolkit | 2 Debian Linux, Dojo | 2024-11-21 | N/A |
| In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid. | ||||
| CVE-2018-15493 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | N/A |
| vBulletin 5.4.3 has an Open Redirect. | ||||
| CVE-2018-15492 | 1 Gemalto | 1 Sentinel License Manager | 2024-11-21 | N/A |
| A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification. | ||||
| CVE-2018-15491 | 1 Zemana | 1 Antilogger | 2024-11-21 | N/A |
| A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized applications (such as ones that record keystrokes). | ||||
| CVE-2018-15490 | 2 Expressvpn, Microsoft | 2 Expressvpn, Windows | 2024-11-21 | N/A |
| An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for communication. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, and allow reading and writing files on the file system on behalf of the service. | ||||
| CVE-2018-15486 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | N/A |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02. | ||||
| CVE-2018-15485 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | N/A |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03. | ||||
| CVE-2018-15484 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | N/A |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Remote Code Execution is possible through the open HTTP interface by modifying autoexec.bat, aka KONE-01. | ||||
| CVE-2018-15483 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | N/A |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Denial of Service can occur through the open HTTP interface, aka KONE-04. | ||||
| CVE-2018-15482 | 2 Google, Lg | 15 Android, G5, G6 and 12 more | 2024-11-21 | N/A |
| Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for MLT application intents. The LG ID is LVE-SMP-180006. | ||||
| CVE-2018-15481 | 1 Ucopia | 2 Wireless Appliance, Wireless Appliance Firmware | 2024-11-21 | N/A |
| Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the user home folder. | ||||
| CVE-2018-15480 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | N/A |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The cloud API had a hidden parameter, which allowed an authenticated user to reconfigure the server URL for a device registered to their account. In combination with an insecure device registration vulnerability, this allowed an attacker to reconfigure a maliciously registered device to their own rogue replica of the myStrom API and issue commands to the device, including firmware update commands. | ||||
| CVE-2018-15479 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | N/A |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address. | ||||
| CVE-2018-15478 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | N/A |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. By guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol, an attacker would have been able to register previously unregistered devices to their account. When the rightful owner would have connected them after purchase to their WiFi network, the devices would not have registered with their account, would subsequently not have been controllable from the owner's mobile app, and would not have been visible in the owner's account. Instead, they would have been under control of the attacker. | ||||
| CVE-2018-15477 | 1 Mystrom | 2 Wifi Switch, Wifi Switch Firmware | 2024-11-21 | N/A |
| myStrom WiFi Switch V1 devices before 2.66 did not sanitize a parameter received from the cloud that was used in an OS command. Malicious servers were able to run operating system commands on the device. | ||||
| CVE-2018-15476 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | N/A |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The SSL/TLS server certificate in the device to cloud communication was not verified by the device. As a result, an attacker in control of the network traffic of a device could have taken control of a device by intercepting and modifying commands issued from the server to the device in a Man-in-the-Middle attack. This included the ability to inject firmware update commands into the communication and cause the device to install maliciously modified firmware. | ||||
| CVE-2018-15474 | 1 Dokuwiki | 1 Dokuwiki | 2024-11-21 | N/A |
| CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki. | ||||
| CVE-2018-15473 | 7 Canonical, Debian, Netapp and 4 more | 25 Ubuntu Linux, Debian Linux, Aff Baseboard Management Controller and 22 more | 2024-11-21 | 5.3 Medium |
| OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. | ||||
| CVE-2018-15471 | 3 Canonical, Linux, Xen | 3 Ubuntu Linux, Linux Kernel, Xen | 2024-11-21 | 7.8 High |
| An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks. | ||||