Total
1375 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-15869 | 1 Hashicorp | 1 Packer | 2024-08-05 | N/A |
| An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog. | ||||
| CVE-2018-15835 | 1 Google | 1 Android | 2024-08-05 | N/A |
| Android 1.0 through 9.0 has Insecure Permissions. The Android bug ID is 77286983. | ||||
| CVE-2018-15645 | 1 Odoo | 1 Odoo | 2024-08-05 | 6.5 Medium |
| Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation. | ||||
| CVE-2018-15681 | 1 Btiteam | 1 Xbtit | 2024-08-05 | N/A |
| An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, their password hash is rehashed using a predictable salt and stored in the "pass" cookie, which is not flagged as HTTPOnly. Due to the weak and predictable salt that is in place, an attacker who successfully steals this cookie can efficiently brute-force it to retrieve the user's cleartext password. | ||||
| CVE-2018-15482 | 2 Google, Lg | 15 Android, G5, G6 and 12 more | 2024-08-05 | N/A |
| Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for MLT application intents. The LG ID is LVE-SMP-180006. | ||||
| CVE-2018-15508 | 1 Five9 | 1 Agent Desktop Plus | 2024-08-05 | N/A |
| Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control allowing a remote attackers to cause a denial of service via opening a connection on port 8083 to a device running the Five9 SoftPhone(issue 1 of 2). | ||||
| CVE-2018-15502 | 1 Lwolf | 1 Loading Docs | 2024-08-05 | N/A |
| Insecure permissions in Lone Wolf Technologies loadingDOCS 2018-08-13 allow remote attackers to download any confidential files via https requests for predictable URLs. | ||||
| CVE-2018-15509 | 1 Five9 | 1 Agent Desktop Plus | 2024-08-05 | N/A |
| Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2). | ||||
| CVE-2018-15491 | 1 Zemana | 1 Antilogger | 2024-08-05 | N/A |
| A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized applications (such as ones that record keystrokes). | ||||
| CVE-2018-14987 | 1 Mxq Project | 2 Mxq Tv Box, Mxq Tv Box Firmware | 2024-08-05 | N/A |
| The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that dynamically registers a broadcast receiver app component named com.android.server.MasterClearReceiver instead of statically registering it in the AndroidManifest.xml file of the core Android package, as done in Android Open Source Project (AOSP) code for Android 4.4.2. The dynamic-registration of the MasterClearReceiver broadcast receiver app component is not protected with the android.permission.MASTER_CLEAR permission during registration, so any app co-located on the device, even those without any permissions, can programmatically initiate a factory reset of the device. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of core Android process. | ||||
| CVE-2018-14981 | 2 Google, Lg | 15 Android, G5, G6 and 12 more | 2024-08-05 | N/A |
| Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents. The LG ID is LVE-SMP-180005. | ||||
| CVE-2018-14982 | 2 Google, Lg | 15 Android, G5, G6 and 12 more | 2024-08-05 | N/A |
| Certain LG devices based on Android 6.0 through 8.1 have incorrect access control in the GNSS application. The LG ID is LVE-SMP-180004. | ||||
| CVE-2018-14980 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2024-08-05 | N/A |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage (i.e., sdcard). The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device. | ||||
| CVE-2018-14916 | 1 Loytec | 2 Lgate-902, Lgate-902 Firmware | 2024-08-05 | N/A |
| LOYTEC LGATE-902 6.3.2 devices allow Arbitrary file deletion. | ||||
| CVE-2018-14934 | 1 Polycom | 2 Trio 8500, Trio 8500 Firmware | 2024-08-05 | N/A |
| The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone. | ||||
| CVE-2018-14886 | 1 Odoo | 1 Odoo | 2024-08-05 | N/A |
| The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description. | ||||
| CVE-2018-14862 | 1 Odoo | 1 Odoo | 2024-08-05 | N/A |
| Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request. | ||||
| CVE-2018-14861 | 1 Odoo | 1 Odoo | 2024-08-05 | N/A |
| Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users. | ||||
| CVE-2018-14866 | 1 Odoo | 1 Odoo | 2024-08-05 | N/A |
| Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs. | ||||
| CVE-2018-14703 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-08-05 | N/A |
| Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | ||||