CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2018-13353 78 Exec Code 2018-11-27 2019-10-02
9.0
None Remote Low Single system Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
552 CVE-2018-13352 200 +Info 2018-11-27 2018-12-21
5.0
None Remote Low Not required Partial None None
Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.
553 CVE-2018-13351 79 XSS 2018-11-27 2018-12-19
3.5
None Remote Medium Single system None Partial None
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.
554 CVE-2018-13350 89 Sql 2018-11-27 2018-12-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
555 CVE-2018-13349 79 XSS 2018-11-27 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.
556 CVE-2018-13338 78 Exec Code 2018-11-27 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
557 CVE-2018-13337 384 2018-11-27 2018-12-21
5.8
None Remote Medium Not required Partial Partial None
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
558 CVE-2018-13336 78 Exec Code 2018-11-27 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.
559 CVE-2018-13335 79 XSS 2018-11-27 2018-12-19
3.5
None Remote Medium Single system None Partial None
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.
560 CVE-2018-13334 79 XSS 2018-11-27 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.
561 CVE-2018-13333 79 XSS 2018-11-27 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.
562 CVE-2018-13332 22 Dir. Trav. 2018-11-27 2018-12-20
5.0
None Remote Low Not required None Partial None
Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.
563 CVE-2018-13331 79 XSS 2018-11-27 2018-12-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.
564 CVE-2018-13330 78 Exec Code 2018-11-27 2019-10-02
9.0
None Remote Low Single system Complete Complete Complete
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.
565 CVE-2018-13329 79 XSS 2018-11-27 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.
566 CVE-2018-13324 863 Bypass 2018-11-26 2019-10-02
7.5
None Remote Low Not required Partial Partial Partial
Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header.
567 CVE-2018-13323 79 XSS 2018-11-26 2018-12-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the "username" cookie.
568 CVE-2018-13322 22 Dir. Trav. 2018-11-26 2018-12-26
4.0
None Remote Low Single system Partial None None
Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the "path" parameter.
569 CVE-2018-13321 732 2018-11-26 2019-10-02
6.5
None Remote Low Single system Partial Partial Partial
Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter.
570 CVE-2018-13320 78 Exec Code 2018-11-26 2019-10-02
6.5
None Remote Low Single system Partial Partial Partial
System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters.
571 CVE-2018-13319 200 +Info 2018-11-26 2018-12-31
5.0
None Remote Low Not required Partial None None
Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request.
572 CVE-2018-13318 78 Exec Code 2018-11-26 2019-10-02
6.5
None Remote Low Single system Partial Partial Partial
System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter.
573 CVE-2018-13317 79 XSS 2018-11-26 2018-12-20
4.3
None Remote Medium Not required None Partial None
Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm.
574 CVE-2018-13316 78 Exec Code 2018-11-27 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.
575 CVE-2018-13315 20 2018-11-26 2018-12-20
5.0
None Remote Low Not required None Partial None
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.
576 CVE-2018-13314 78 Exec Code 2018-11-27 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
577 CVE-2018-13312 79 XSS 2018-11-26 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.
578 CVE-2018-13311 78 Exec Code 2018-11-26 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
579 CVE-2018-13310 79 XSS 2018-11-26 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.
580 CVE-2018-13309 79 XSS 2018-11-26 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.
581 CVE-2018-13308 79 XSS 2018-11-26 2018-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field.
582 CVE-2018-13307 78 Exec Code 2018-11-27 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
583 CVE-2018-13306 78 Exec Code 2018-11-27 2019-10-02
10.0
None Remote Low Not required Complete Complete Complete
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
584 CVE-2018-13023 78 Exec Code 2018-11-27 2019-10-02
9.0
None Remote Low Single system Complete Complete Complete
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.
585 CVE-2018-13022 79 XSS 2018-11-27 2018-12-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path.
586 CVE-2018-12543 20 2018-11-15 2019-10-09
5.0
None Remote Low Not required None None Partial
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.
587 CVE-2018-12480 79 XSS 2018-11-15 2018-12-27
4.3
None Remote Medium Not required None Partial None
Mitigates an XSS issue in NetIQ Access Manager versions prior to 4.4 SP3.
588 CVE-2018-12416 352 CSRF 2018-11-13 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The GridServer Broker and GridServer Director components of TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an unauthenticated user to perform cross-site request forgery (CSRF). Affected releases are TIBCO Software Inc. TIBCO DataSynapse GridServer Manager: versions up to and including 5.2.0; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; 6.2.0; 6.3.0.
589 CVE-2018-12415 CSRF 2018-11-06 2018-11-08
0.0
None ??? ??? ??? ??? ??? ???
The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Messaging Service, TIBCO Enterprise Messaging Service - Community Edition, and TIBCO Enterprise Messaging Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Messaging Service: versions up to and including 8.4.0, TIBCO Enterprise Messaging Service - Community Edition: versions up to and including 8.4.0, and TIBCO Enterprise Messaging Service - Developer Edition versions up to and including 8.4.0.
590 CVE-2018-12414 352 CSRF 2018-11-06 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The Rendezvous Routing Daemon (rvrd), Rendezvous Secure Routing Daemon (rvrsd), Rendezvous Secure Daemon (rvsd), Rendezvous Cache (rvcache), and Rendezvous Daemon Manager (rvdm) components of TIBCO Software Inc.'s TIBCO Rendezvous, TIBCO Rendezvous Developer Edition, TIBCO Rendezvous for z/Linux, TIBCO Rendezvous for z/OS, TIBCO Rendezvous Network Server, TIBCO Substation ES contain vulnerabilities which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Rendezvous: versions up to and including 8.4.5, TIBCO Rendezvous Developer Edition: versions up to and including 8.4.5, TIBCO Rendezvous for z/Linux: versions up to and including 8.4.5, TIBCO Rendezvous for z/OS: versions up to and including 8.4.5, TIBCO Rendezvous Network Server: versions up to and including 1.1.2, and TIBCO Substation ES: versions up to and including 2.12.2.
591 CVE-2018-12413 352 CSRF 2018-11-06 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The Schema repository server (tibschemad) component of TIBCO Software Inc.'s TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Community Edition: 1.0.0, and TIBCO Messaging - Apache Kafka Distribution - Schema Repository - Enterprise Edition: 1.0.0.
592 CVE-2018-12412 352 CSRF 2018-11-06 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The realm server (tibrealmserver) component of TIBCO Software Inc. TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc. TIBCO FTL - Community Edition: versions up to and including 5.4.0, TIBCO FTL - Developer Edition: versions up to and including 5.4.0, TIBCO FTL - Enterprise Edition: versions up to and including 5.4.0.
593 CVE-2018-12411 352 CSRF 2018-11-06 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The administrative daemon (tibdgadmind) of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: 3.3.0; 3.4.0; 3.5.0, TIBCO ActiveSpaces - Developer Edition: 3.0.0; 3.1.0; 3.3.0; 3.4.0; 3.5.0, and TIBCO ActiveSpaces - Enterprise Edition: 3.0.0; 3.1.0; 3.2.0; 3.3.0; 3.4.0; 3.5.0.
594 CVE-2018-12245 426 2018-11-29 2018-12-28
6.8
None Remote Medium Not required Partial Partial Partial
Symantec Endpoint Protection prior to 14.2 MP1 may be susceptible to a DLL Preloading vulnerability, which in this case is an issue that can occur when an application being installed unintentionally loads a DLL provided by a potential attacker. Note that this particular type of exploit only manifests at install time; no remediation is required for software that has already been installed. This issue only impacted the Trialware media for Symantec Endpoint Protection, which has since been updated.
595 CVE-2018-12241 XSS 2018-11-27 2018-11-28
0.0
None ??? ??? ??? ??? ??? ???
The Symantec Security Analytics (SA) 7.x prior to 7.3.4 Web UI is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker with knowledge of the SA web UI hostname or IP address can craft a malicious URL for the SA web UI and target SA web UI users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious JavaScript code into the SA web UI client application.
596 CVE-2018-12239 Bypass 2018-11-29 2019-10-02
4.6
None Local Low Not required Partial Partial Partial
Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12.1.7454.7000 & 14.2; Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to NIS-22.15.1.8 & SEP-12.1.7454.7000; and Symantec Endpoint Protection Cloud (SEP Cloud) prior to 22.15.1 may be susceptible to an AV bypass issue, which is a type of exploit that works to circumvent one of the virus detection engines to avoid a specific type of virus protection. One of the antivirus engines depends on a signature pattern from a database to identify malicious files and viruses; the antivirus bypass exploit looks to alter the file being scanned so it is not detected.
597 CVE-2018-12238 Bypass 2018-11-29 2019-10-02
4.6
None Local Low Not required Partial Partial Partial
Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12.1.7454.7000 & 14.2; Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to NIS-22.15.1.8 & SEP-12.1.7454.7000; and Symantec Endpoint Protection Cloud (SEP Cloud) prior to 22.15.1 may be susceptible to an AV bypass issue, which is a type of exploit that works to circumvent one of the virus detection engines to avoid a specific type of virus protection. One of the antivirus engines depends on a signature pattern from a database to identify malicious files and viruses; the antivirus bypass exploit looks to alter the file being scanned so it is not detected.
598 CVE-2018-12174 119 Overflow 2018-11-14 2018-12-13
4.6
None Local Low Not required Partial Partial Partial
Heap overflow in Intel Trace Analyzer 2018 in Intel Parallel Studio XE 2018 Update 3 may allow an authenticated user to potentially escalate privileges via local access.
599 CVE-2018-12123 20 2018-11-28 2019-07-22
4.3
None Remote Medium Not required None Partial None
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
600 CVE-2018-12122 400 DoS 2018-11-28 2019-07-22
5.0
None Remote Low Not required None None Partial
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
Total number of vulnerabilities : 982   Page : 1 2 3 4 5 6 7 8 9 10 11 12 (This Page)13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.