CVE List - 2018 / May
Showing 301 - 400 of 1162 CVEs for May 2018 (Page 4 of 12)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2018-8860 | 2018-05-09 | In Vecna VGo Robot versions prior to 3.0.3.52164, an attacker may be able to capture firmware updates through the adjacent network. |
| CVE-2017-2601 | 2018-05-10 | Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript... |
| CVE-2018-10949 | 2018-05-10 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and... |
| CVE-2018-10950 | 2018-05-10 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full... |
| CVE-2018-10951 | 2018-05-10 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP... |
| CVE-2018-10952 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10953 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10954 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10955 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10957 | 2018-05-10 | CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components. |
| CVE-2018-10958 | 2018-05-10 | In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call. |
| CVE-2018-10962 | 2018-05-10 | An issue was discovered in Shanghai 2345 Security Guard 3.7.0. 2345MPCSafe.exe, 2345SafeTray.exe, and 2345Speedup.exe allow local users to bypass intended process protections, and consequently terminate processes, because mouse_event is not... |
| CVE-2018-10963 | 2018-05-10 | The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability... |
| CVE-2018-10314 | 2018-05-10 | Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action... |
| CVE-2018-10942 | 2018-05-10 | modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file. |
| CVE-2018-8060 | 2018-05-10 | HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send an IOCTL to the device driver. If input and/or output buffer pointers are NULL or if... |
| CVE-2018-8061 | 2018-05-10 | HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send IOCTL 0x85FE2608 to the device driver with the HWiNFO32 symbolic device name, resulting in direct physical... |
| CVE-2018-8824 | 2018-05-10 | modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. |
| CVE-2018-9111 | 2018-05-10 | Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via the configuration of a user account. An attacker can execute arbitrary script on an unsuspecting... |
| CVE-2018-9112 | 2018-05-10 | A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on... |
| CVE-2018-1130 | 2018-05-10 | Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by... |
| CVE-2018-8910 | 2018-05-10 | Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. |
| CVE-2018-8914 | 2018-05-10 | SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter. |
| CVE-2018-8915 | 2018-05-10 | Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter. |
| CVE-2017-18266 | 2018-05-10 | The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct... |
| CVE-2018-10655 | 2018-05-10 | DLPnpAuditor.exe in DeviceLock Plug and Play Auditor (freeware) 5.72 has a Unicode Buffer Overflow (SEH). |
| CVE-2018-10803 | 2018-05-10 | Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via... |
| CVE-2018-7933 | 2018-05-10 | Huawei home gateway products HiRouter-CD20 and WS5200 with the versions before HiRouter-CD20-10 1.9.6 and the versions before WS5200-10 1.9.6 have a path traversal vulnerability. Due to the lack of validation... |
| CVE-2018-7940 | 2018-05-10 | Huawei smart phones Mate 10 and Mate 10 Pro with earlier versions than 8.0.0.129(SP2C00) and earlier versions than 8.0.0.129(SP2C01) have an authentication bypass vulnerability. An attacker with high privilege obtains... |
| CVE-2018-7941 | 2018-05-10 | Huawei iBMC V200R002C60 have an authentication bypass vulnerability. A remote attacker with low privilege may craft specific messages to upload authentication certificate to the affected products. Due to improper validation... |
| CVE-2018-9849 | 2018-05-10 | Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial... |
| CVE-2017-6289 | 2018-05-10 | In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains a memory corruption (due to unusual root cause) vulnerability, which if run within the speculative execution... |
| CVE-2017-6293 | 2018-05-10 | In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 TZ contains a vulnerability in Widevine TA where the software writes data past the end, or before the beginning,... |
| CVE-2018-6246 | 2018-05-10 | In Android before the 2018-05-05 security patch level, NVIDIA Widevine Trustlet contains a vulnerability in Widevine TA where the software reads data past the end, or before the beginning, of... |
| CVE-2018-6254 | 2018-05-10 | In Android before the 2018-05-05 security patch level, NVIDIA Media Server contains an out-of-bounds read (due to improper input validation) vulnerability which could lead to local information disclosure. This issue... |
| CVE-2017-18267 | 2018-05-10 | The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops. |
| CVE-2018-10971 | 2018-05-10 | An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The Plane function in image/image.hpp allows remote attackers to cause a denial of service (attempted excessive memory allocation) via... |
| CVE-2018-10972 | 2018-05-10 | An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The TransformPaletteC::process function in transform/palette_C.hpp allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly... |
| CVE-2018-10974 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10975 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10976 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10977 | 2018-05-10 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-10706 | 2018-05-10 | An integer overflow in the transferMulti function of a smart contract implementation for Social Chain (SCA), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets,... |
| CVE-2018-10973 | 2018-05-10 | An integer overflow in the transferMulti function of a smart contract implementation for KoreaShow, an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted... |
| CVE-2018-1115 | 2018-05-10 | postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an... |
| CVE-2018-10981 | 2018-05-10 | An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device... |
| CVE-2018-1118 | 2018-05-10 | Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local... |
| CVE-2018-3612 | 2018-05-10 | Intel NUC kits with insufficient input validation in system firmware, potentially allows a local attacker to elevate privileges to System Management Mode (SMM). |
| CVE-2018-3649 | 2018-05-10 | DLL injection vulnerability in the installation executables (Autorun.exe and Setup.exe) for Intel's wireless drivers and related software in Intel Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC family of products allows... |
| CVE-2018-10982 | 2018-05-10 | An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or... |
| CVE-2016-8627 | 2018-05-11 | admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be available via GET requests making them vulnerable to cross-origin... |
| CVE-2017-6015 | 2018-05-11 | Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious... |
| CVE-2018-10580 | 2018-05-11 | The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing... |
| CVE-2018-7248 | 2018-05-11 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an... |
| CVE-2009-5150 | 2018-05-11 | Absolute Computrace Agent V80.845 and V80.866 does not have a digital signature for the configuration block, which allows attackers to set up communication with a web site other than the... |
| CVE-2009-5151 | 2018-05-11 | The stub component of Absolute Computrace Agent V70.785 executes code from a disk's inter-partition space without requiring a digital signature for that code, which allows attackers to execute code on... |
| CVE-2009-5152 | 2018-05-11 | Absolute Computrace Agent, as distributed on certain Dell Inspiron systems through 2009, has a race condition with the Dell Client Configuration Utility (DCCU), which allows privileged local users to change... |
| CVE-2018-1257 | 2018-05-11 | Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker... |
| CVE-2018-1258 | 2018-05-11 | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access... |
| CVE-2018-1259 | 2018-05-11 | Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper... |
| CVE-2018-1260 | 2018-05-11 | Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability.... |
| CVE-2018-1261 | 2018-05-11 | Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war,... |
| CVE-2018-1278 | 2018-05-11 | Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any... |
| CVE-2018-1280 | 2018-05-11 | Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in... |
| CVE-2018-10832 | 2018-05-11 | ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable... |
| CVE-2018-5303 | 2018-05-11 | An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The license key parameter of the web application is vulnerable to Cross Site Scripting; this vulnerability... |
| CVE-2018-5304 | 2018-05-11 | An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The affected web interface is vulnerable to ClickJacking or UI Redressing: it is possible to access... |
| CVE-2018-6023 | 2018-05-11 | Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts including Wi-Fi password changing, Guest Wi-Fi activating, etc. |
| CVE-2018-6361 | 2018-05-11 | Easy Hosting Control Panel (EHCP) v0.37.12.b has XSS via the op parameter, as demonstrated by adding a backdoor FTP account. |
| CVE-2018-6362 | 2018-05-11 | Easy Hosting Control Panel (EHCP) v0.37.12.b has XSS via the domainop action parameter, as demonstrated by reading the PHPSESSID cookie. |
| CVE-2018-6458 | 2018-05-11 | Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. |
| CVE-2018-6617 | 2018-05-11 | Easy Hosting Control Panel (EHCP) v0.37.12.b, when using a local MySQL server, allows attackers to change passwords of arbitrary database users by leveraging failure to ask for the current password. |
| CVE-2018-6618 | 2018-05-11 | Easy Hosting Control Panel (EHCP) v0.37.12.b allows attackers to obtain sensitive information by leveraging cleartext password storage. |
| CVE-2018-6619 | 2018-05-11 | Easy Hosting Control Panel (EHCP) v0.37.12.b makes it easier for attackers to crack database passwords by leveraging use of a weak hashing algorithm without a salt. |
| CVE-2018-10992 | 2018-05-11 | lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL,... |
| CVE-2018-10996 | 2018-05-12 | The weblogin_log function in /htdocs/cgibin on D-Link DIR-629-B1 devices allows attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a session.cgi?ACTION=logout request involving a long... |
| CVE-2018-10998 | 2018-05-12 | An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call. |
| CVE-2018-10999 | 2018-05-12 | An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read. |
| CVE-2018-11003 | 2018-05-12 | An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel. |
| CVE-2018-11004 | 2018-05-12 | An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add. |
| CVE-2018-11011 | 2018-05-12 | ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java. |
| CVE-2018-11012 | 2018-05-12 | ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java. |
| CVE-2018-11013 | 2018-05-13 | Stack-based buffer overflow in the websRedirect function in GoAhead on D-Link DIR-816 A2 (CN) routers with firmware version 1.10B05 allows unauthenticated remote attackers to execute arbitrary code via a request... |
| CVE-2018-10678 | 2018-05-13 | MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks. |
| CVE-2018-11017 | 2018-05-13 | The newVar_N function in decompile.c in libming through 0.4.8 mishandles cases where the header indicates a file size greater than the actual size, which allows remote attackers to cause a... |
| CVE-2018-11018 | 2018-05-13 | An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php allows remote attackers to add administrator accounts via admin.php/role/add.html. |
| CVE-2018-11031 | 2018-05-14 | application/home/controller/debug.php in PHPRAP 1.0.4 through 1.0.8 has SSRF via the /debug URI, as demonstrated by an api[url]=file:////etc/passwd&api[method]=get POST request. |
| CVE-2018-11032 | 2018-05-14 | PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function. |
| CVE-2018-11033 | 2018-05-14 | The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdf before 4.00 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact... |
| CVE-2018-10944 | 2018-05-14 | The request_dividend function of a smart contract implementation for ROC (aka Rasputin Online Coin), an Ethereum ERC20 token, allows attackers to steal all of the contract's Ether. |
| CVE-2018-11034 | 2018-05-14 | In 2345 Security Guard 3.7, the driver file (2345NsProtect.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-11035 | 2018-05-14 | In 2345 Security Guard 3.7, the driver file (2345NsProtect.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not... |
| CVE-2018-11037 | 2018-05-14 | In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file. |
| CVE-2018-0568 | 2018-05-14 | Unrestricted file upload vulnerability in SiteBridge Inc. Joruri Gw Ver 3.2.0 and earlier allows remote authenticated users to execute arbitrary PHP code via unspecified vectors. |
| CVE-2018-0576 | 2018-05-14 | Cross-site scripting vulnerability in Events Manager plugin prior to version 5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0577 | 2018-05-14 | Cross-site scripting vulnerability in WP Google Map Plugin prior to version 4.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0578 | 2018-05-14 | Cross-site scripting vulnerability in PixelYourSite plugin prior to version 5.3.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0579 | 2018-05-14 | Cross-site scripting vulnerability in Open Graph for Facebook, Google+ and Twitter Card Tags plugin prior to version 2.2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML... |
| CVE-2018-0580 | 2018-05-14 | Untrusted search path vulnerability in CELSYS, Inc CLIP STUDIO series (CLIP STUDIO PAINT (for Windows) EX/PRO/DEBUT Ver.1.7.3 and earlier, CLIP STUDIO ACTION (for Windows) Ver.1.5.5 and earlier, with its timestamp... |
| CVE-2018-0581 | 2018-05-14 | Cross-site scripting vulnerability in ASUS RT-AC87U Firmware version prior to 3.0.0.4.378.9383 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |