CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
8151 CVE-2018-6440 DoS +Info 2018-12-03 2019-10-03
6.4
None Remote Low Not required Partial None Partial
A vulnerability in the proxy service of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote unauthenticated attackers to obtain sensitive information and possibly cause a denial of service attack.
8152 CVE-2018-6408 352 CSRF 2018-01-30 2018-02-27
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.
8153 CVE-2018-6406 125 DoS +Info 2018-01-30 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in libwebm through 2018-01-30 does not validate the child_frame_length data obtained from a .webm file, which allows remote attackers to cause an information leak or a denial of service (heap-based buffer over-read and later out-of-bounds write), or possibly have unspecified other impact.
8154 CVE-2018-6393 89 Sql 2018-01-29 2019-12-10
6.5
None Remote Low ??? Partial Partial Partial
** DISPUTED ** FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors."
8155 CVE-2018-6391 352 CSRF 2018-01-29 2018-02-14
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
8156 CVE-2018-6383 184 Exec Code 2018-01-29 2021-06-08
6.5
None Remote Low ??? Partial Partial Partial
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
8157 CVE-2018-6374 295 2018-01-31 2018-02-24
6.4
None Remote Low Not required None Partial Partial
The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set.
8158 CVE-2018-6360 20 Exec Code 2018-01-28 2019-03-01
6.8
None Remote Medium Not required Partial Partial Partial
mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.
8159 CVE-2018-6359 416 DoS 2018-01-27 2019-04-26
6.8
None Remote Medium Not required Partial Partial Partial
The decompileIF function (util/decompile.c) in libming through 0.4.8 is vulnerable to a use-after-free, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.
8160 CVE-2018-6358 787 DoS Overflow 2018-01-27 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The printDefineFont2 function (util/listfdb.c) in libming through 0.4.8 is vulnerable to a heap-based buffer overflow, which may allow attackers to cause a denial of service or unspecified other impact via a crafted FDB file.
8161 CVE-2018-6357 352 XSS CSRF 2018-01-27 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
8162 CVE-2018-6340 125 2018-12-31 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).
8163 CVE-2018-6336 354 Exec Code 2018-12-31 2020-09-18
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7
8164 CVE-2018-6330 89 Sql 2019-03-28 2019-03-28
6.5
None Remote Low ??? Partial Partial Partial
Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters.
8165 CVE-2018-6323 190 DoS Overflow 2018-01-26 2019-10-31
6.8
None Remote Medium Not required Partial Partial Partial
The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
8166 CVE-2018-6317 134 DoS 2018-02-02 2018-02-15
6.4
None Remote Low Not required Partial None Partial
The remote management interface in Claymore Dual Miner 10.5 and earlier is vulnerable to an unauthenticated format string vulnerability, allowing remote attackers to read memory or cause a denial of service.
8167 CVE-2018-6316 863 Bypass 2018-02-15 2019-10-03
6.0
None Remote Medium ??? Partial Partial Partial
Ivanti Endpoint Security (formerly HEAT Endpoint Management and Security Suite) 8.5 Update 1 and earlier allows an authenticated user with low privileges and access to the local network to bypass application whitelisting when using the Application Control module on Ivanti Endpoint Security in lockdown mode.
8168 CVE-2018-6315 125 DoS Overflow 2018-01-25 2019-04-26
6.8
None Remote Medium Not required Partial Partial Partial
The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming through 0.4.8 is vulnerable to an integer overflow and resultant out-of-bounds read, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.
8169 CVE-2018-6307 416 Exec Code 2018-12-19 2019-10-31
6.8
None Remote Medium Not required Partial Partial Partial
LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.
8170 CVE-2018-6306 426 Exec Code 2018-04-19 2018-05-22
6.8
None Remote Medium Not required Partial Partial Partial
Unauthorized code execution from specific DLL and is known as DLL Hijacking attack in Kaspersky Password Manager versions before 8.0.6.538.
8171 CVE-2018-6288 352 CSRF 2018-02-06 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.
8172 CVE-2018-6236 362 Exec Code 2018-05-25 2018-06-28
6.9
None Local Medium Not required Complete Complete Complete
A Time-of-Check Time-of-Use privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222813 by the tmusa driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
8173 CVE-2018-6224 352 CSRF 2018-03-15 2018-04-04
6.8
None Remote Medium Not required Partial Partial Partial
A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.
8174 CVE-2018-6219 295 2018-03-15 2018-04-04
6.4
None Remote Low Not required Partial Partial None
An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data.
8175 CVE-2018-6209 20 DoS 2018-01-25 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxCryptMon.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019.
8176 CVE-2018-6208 20 DoS 2018-01-25 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x22000d.
8177 CVE-2018-6207 20 DoS 2018-01-25 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019.
8178 CVE-2018-6206 20 DoS 2018-01-25 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220011.
8179 CVE-2018-6205 20 DoS 2018-01-25 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220009.
8180 CVE-2018-6204 20 DoS 2018-01-25 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (SDActMon.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019.
8181 CVE-2018-6203 20 DoS 2018-01-25 2018-02-08
6.1
None Local Low Not required Partial Partial Complete
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8300210C.
8182 CVE-2018-6202 20 DoS 2018-01-25 2018-02-08
6.1
None Local Low Not required Partial Partial Complete
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020F8.
8183 CVE-2018-6201 20 DoS 2018-01-25 2018-02-08
6.1
None Local Low Not required Partial Partial Complete
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020E0 or 0x830020E4.
8184 CVE-2018-6195 915 2018-01-30 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.
8185 CVE-2018-6174 190 Exec Code Overflow 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflows in Swiftshader in Google Chrome prior to 68.0.3440.75 potentially allowed a remote attacker to execute arbitrary code via a crafted HTML page.
8186 CVE-2018-6170 787 2019-01-09 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
A bad cast in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
8187 CVE-2018-6162 787 2019-01-09 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Improper deserialization in WebGL in Google Chrome on Mac prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
8188 CVE-2018-6161 20 Bypass 2019-06-27 2019-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
8189 CVE-2018-6157 704 2019-06-27 2019-07-01
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in WebRTC in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
8190 CVE-2018-6156 787 2019-06-27 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Incorect derivation of a packet length in WebRTC in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
8191 CVE-2018-6154 787 2019-06-27 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient data validation in WebGL in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
8192 CVE-2018-6153 787 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
A precision error in Skia in Google Chrome prior to 68.0.3440.75 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page.
8193 CVE-2018-6152 434 2018-12-04 2019-02-05
6.8
None Remote Medium Not required Partial Partial Partial
The implementation of the Page.downloadBehavior backend unconditionally marked downloaded files as safe, regardless of file type in Google Chrome prior to 66.0.3359.117 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page and user interaction.
8194 CVE-2018-6151 125 2019-01-09 2019-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Bad cast in DevTools in Google Chrome on Win, Linux, Mac, Chrome OS prior to 66.0.3359.117 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension.
8195 CVE-2018-6149 787 2019-06-27 2019-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in JavaScript in Google Chrome prior to 67.0.3396.87 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
8196 CVE-2018-6144 787 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file.
8197 CVE-2018-6141 125 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of an image filter in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page.
8198 CVE-2018-6139 20 Exec Code 2019-01-09 2019-01-16
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient target checks on the chrome.debugger API in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.
8199 CVE-2018-6131 787 2019-06-27 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Object lifecycle issue in WebAssembly in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
8200 CVE-2018-6127 416 2019-01-09 2019-01-30
6.8
None Remote Medium Not required Partial Partial Partial
Early free of object in use in IndexDB in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Total number of vulnerabilities : 22306   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 (This Page)165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.