Total
8779 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-14979 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2024-08-05 | N/A |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials. | ||||
| CVE-2018-14941 | 1 Harmonicinc | 1 Nsg 9000 | 2024-08-05 | N/A |
| Harmonic NSG 9000 devices allow remote authenticated users to read the webapp.py source code via a direct request for the /webapp.py URI. | ||||
| CVE-2018-14928 | 1 Matera | 1 Banco | 2024-08-05 | N/A |
| /contingency/servlet/ServletFileDownload executes as root and provides unauthenticated access to files via the file parameter. | ||||
| CVE-2018-14902 | 1 Epson | 1 Iprint | 2024-08-05 | N/A |
| The ContentProvider in the EPSON iPrint application 6.6.3 for Android does not properly restrict data access. This allows an attacker's application to read scanned documents. | ||||
| CVE-2018-14831 | 1 Damicms | 1 Damicms | 2024-08-05 | N/A |
| An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote authenticated administrators to read any files in the server via a crafted /admin.php?s=Tpl/Add/id/ URI. | ||||
| CVE-2018-14865 | 1 Odoo | 1 Odoo | 2024-08-05 | N/A |
| Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo Enterprise 9.0 through 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files. | ||||
| CVE-2018-14730 | 1 Browserify-hot Module Replacement Project | 1 Browserify-hot Module Replacement | 2024-08-05 | 7.5 High |
| An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin. | ||||
| CVE-2018-14735 | 3 Hitachi, Linux, Microsoft | 8 Command Suite, Compute Systems Manager, Device Manager and 5 more | 2024-08-05 | N/A |
| An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. A remote attacker may be able to exploit a flaw in the permission of messaging that may allow for information exposure via a crafted message. | ||||
| CVE-2018-14731 | 1 Parceljs | 1 Parcel | 2024-08-05 | N/A |
| An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1 connection (with a random TCP port number) from any origin. The random port number can be found by connecting to http://127.0.0.1 and reading the "new WebSocket" line in the source code. | ||||
| CVE-2018-14696 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-08-05 | N/A |
| Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | ||||
| CVE-2018-14695 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-08-05 | N/A |
| Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter. | ||||
| CVE-2018-14702 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-08-05 | N/A |
| Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | ||||
| CVE-2018-14685 | 1 Gxlcms | 1 Gxlcms | 2024-08-05 | N/A |
| The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php. | ||||
| CVE-2018-14669 | 1 Yandex | 1 Clickhouse | 2024-08-05 | N/A |
| ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server. | ||||
| CVE-2018-14642 | 1 Redhat | 4 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Single Sign On and 1 more | 2024-08-05 | 5.3 Medium |
| An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. | ||||
| CVE-2018-14526 | 4 Canonical, Debian, Redhat and 1 more | 4 Ubuntu Linux, Debian Linux, Enterprise Linux and 1 more | 2024-08-05 | N/A |
| An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information. | ||||
| CVE-2018-14602 | 1 Gitlab | 1 Gitlab | 2024-08-05 | N/A |
| An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames. | ||||
| CVE-2018-14597 | 1 Broadcom | 2 Ca Identity Governance, Ca Identity Suite Virtual Appliance | 2024-08-05 | N/A |
| CA Technologies Identity Governance 12.6, 14.0, 14.1, and 14.2 and CA Identity Suite Virtual Appliance 14.0, 14.1, and 14.2 provide telling error messages that may allow remote attackers to enumerate account names. | ||||
| CVE-2018-14529 | 1 Invoxia | 2 Nvx220, Nvx220 Firmware | 2024-08-05 | N/A |
| Invoxia NVX220 devices allow access to /bin/sh via escape from a restricted CLI, leading to disclosure of password hashes. | ||||
| CVE-2018-14432 | 3 Debian, Openstack, Redhat | 3 Debian Linux, Keystone, Openstack | 2024-08-05 | N/A |
| In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected. | ||||