CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2601 CVE-2018-7253 119 Overflow 2018-02-19 2018-03-15
6.8
None Remote Medium Not required Partial Partial Partial
The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.
2602 CVE-2018-7249 416 2018-02-26 2018-03-22
6.9
None Local Medium Not required Complete Complete Complete
An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. Two carefully timed calls to IOCTL 0xCA002813 can cause a race condition that leads to a use-after-free. When exploited, an unprivileged attacker can run arbitrary code in the kernel.
2603 CVE-2018-7245 285 2018-04-18 2018-05-23
6.4
None Remote Low Not required None Partial Partial
An improper authorization vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and shutdown parameters or other critical settings without authorization.
2604 CVE-2018-7240 264 DoS Exec Code 2018-04-18 2018-05-22
6.5
None Remote Low Single system Partial Partial Partial
A vulnerability exists in Schneider Electric's Modicon Quantum in all versions of the communication modules which could allow arbitrary code execution. An FTP command used to upgrade the firmware of the module can be misused to cause a denial of service, or in extreme cases, to load a malicious firmware.
2605 CVE-2018-7239 426 Exec Code 2018-03-09 2018-03-26
6.8
None Remote Medium Not required Partial Partial Partial
A DLL hijacking vulnerability exists in Schneider Electric's SoMove Software and associated DTM software components in all versions prior to 2.6.2 which could allow an attacker to execute arbitrary code.
2606 CVE-2018-7237 20 2018-03-09 2018-03-27
6.4
None Remote Low Not required None Partial Partial
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow a remote attacker to delete arbitrary system file due to lack of validation of the /login/bin/set_param to the file name with the value of 'system.delete.sd_file'
2607 CVE-2018-7230 611 2018-03-09 2018-03-27
6.8
None Remote Medium Not required Partial Partial Partial
A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67.
2608 CVE-2018-7219 352 CSRF 2018-02-19 2018-03-14
6.8
None Remote Medium Not required Partial Partial Partial
application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request.
2609 CVE-2018-7217 434 2018-02-18 2018-03-18
6.5
None Remote Low Single system Partial Partial Partial
In Bravo Tejari Procurement Portal, uploaded files are not properly validated by the application either on the client or the server side. An attacker can take advantage of this vulnerability and upload malicious executable files to compromise the application, as demonstrated by an esop/evm/OPPreliminaryForms.do?formId=857 request.
2610 CVE-2018-7216 352 CSRF 2018-02-18 2018-03-16
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
2611 CVE-2018-7208 20 DoS 2018-02-17 2019-04-26
6.8
None Remote Medium Not required Partial Partial Partial
In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.
2612 CVE-2018-7206 264 2018-02-17 2018-03-20
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on the Hub. (Users were not allowed to access other users' accounts, but could create their own accounts on the Hub linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist is unaffected. No other Authenticators are affected.)
2613 CVE-2018-7201 74 2019-05-22 2019-05-23
6.8
None Remote Medium Not required Partial Partial Partial
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
2614 CVE-2018-7176 352 CSRF 2018-02-15 2018-03-14
6.8
None Remote Medium Not required Partial Partial Partial
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
2615 CVE-2018-7160 254 Exec Code Bypass 2018-05-17 2018-06-27
6.8
None Remote Medium Not required Partial Partial Partial
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
2616 CVE-2018-7125 20 Exec Code 2019-06-05 2019-06-06
6.5
None Remote Low Single system Partial Partial Partial
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
2617 CVE-2018-7107 89 Sql 2018-09-27 2018-11-21
6.5
None Remote Low Single system Partial Partial Partial
A potential security vulnerability has been identified in HPE Device Entitlement Gateway (DEG) v3.2.4, v3.3 and v3.3.1. The vulnerability could be remotely exploited to allow local SQL injection and elevation of privilege.
2618 CVE-2018-7097 352 CSRF 2018-08-14 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery.
2619 CVE-2018-7092 22 Dir. Trav. 2018-08-06 2018-10-05
6.4
None Remote Low Not required None Partial Partial
A potential security vulnerability has been identified in HPE Intelligent Management Center Platform (IMC Plat) 7.3 E0506P09. The vulnerability could be remotely exploited to allow for remote directory traversal leading to arbitrary file deletion.
2620 CVE-2018-7060 352 CSRF 2018-08-06 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.
2621 CVE-2018-6961 77 Exec Code 2018-06-11 2018-08-09
6.8
None Remote Medium Not required Partial Partial Partial
VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.
2622 CVE-2018-6960 287 Bypass 2018-04-20 2018-05-22
6.5
None Remote Low Single system Partial Partial Partial
VMware Horizon DaaS (7.x before 8.0.0) contains a broken authentication vulnerability that may allow an attacker to bypass two-factor authentication. Note: In order to exploit this issue, an attacker must have a legitimate account on Horizon DaaS.
2623 CVE-2018-6941 352 Exec Code XSS CSRF 2018-02-20 2018-03-13
6.8
None Remote Medium Not required Partial Partial Partial
A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.
2624 CVE-2018-6934 352 CSRF 2018-04-12 2018-05-11
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3.
2625 CVE-2018-6889 94 2018-02-11 2018-03-06
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability, Using this attack, a malicious user can poison the web cache or perform advanced password reset attacks or even trigger arbitrary user re-direction.
2626 CVE-2018-6888 352 CSRF 2018-02-11 2018-03-06
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.
2627 CVE-2018-6874 352 CSRF 2018-04-04 2018-05-15
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
2628 CVE-2018-6860 434 Exec Code 2018-02-11 2018-02-26
6.5
None Remote Low Single system Partial Partial Partial
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture.
2629 CVE-2018-6843 89 Sql 2018-03-19 2018-04-12
6.5
None Remote Low Single system Partial Partial Partial
Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface.
2630 CVE-2018-6830 22 Dir. Trav. 2018-07-09 2018-09-10
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote attackers to delete arbitrary files via a .. (dot dot) in the URI path component.
2631 CVE-2018-6827 295 Exec Code +Info 2018-02-09 2018-03-08
6.8
None Remote Medium Not required Partial Partial Partial
VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate, as demonstrated by leveraging a hardcoded --no-check-certificate Wget option.
2632 CVE-2018-6799 119 DoS Overflow 2018-02-07 2019-06-29
6.8
None Remote Medium Not required Partial Partial Partial
The AcquireCacheNexus function in magick/pixel_cache.c in GraphicsMagick before 1.3.28 allows remote attackers to cause a denial of service (heap overwrite) or possibly have unspecified other impact via a crafted image file, because a pixel staging area is not used.
2633 CVE-2018-6792 89 Exec Code Sql 2018-02-06 2018-03-01
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow an authenticated user to execute arbitrary SQL commands via multiple parameters to the /cvms-hub/privado/seccionesmib/secciones.xhtml resource. The POST parameters are j_idt118, j_idt120, j_idt122, j_idt124, j_idt126, j_idt128, and j_idt130 under formularioGestionarSecciones:tablaSeccionesMib:*:filter. The GET parameter is nombreAgente.
2634 CVE-2018-6788 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2208C0.
2635 CVE-2018-6787 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x221808.
2636 CVE-2018-6786 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220840.
2637 CVE-2018-6785 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008254.
2638 CVE-2018-6784 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00824C.
2639 CVE-2018-6783 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00825C.
2640 CVE-2018-6782 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A0081DC.
2641 CVE-2018-6781 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008264.
2642 CVE-2018-6780 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A0081E4.
2643 CVE-2018-6779 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008240.
2644 CVE-2018-6778 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008268.
2645 CVE-2018-6777 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220400.
2646 CVE-2018-6776 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A00813C.
2647 CVE-2018-6775 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x990081C8.
2648 CVE-2018-6774 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008088.
2649 CVE-2018-6773 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9A008084.
2650 CVE-2018-6772 20 DoS 2018-02-06 2018-02-22
6.1
None Local Low Not required Partial Partial Complete
In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x99008208.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.