| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
11301 |
CVE-2018-14996 |
|
|
Exec Code |
2019-04-25 |
2019-10-02 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Oppo F5 Android device with a build fingerprint of OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys contains a pre-installed platform app with a package name of com.dropboxchmod (versionCode=1, versionName=1.0) that contains an exported service named com.dropboxchmod.DropboxChmodService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. This vulnerability can also be used to secretly record audio of the user without their awareness on the Oppo F5 device. The pre-installed com.oppo.engineermode app (versionCode=25, versionName=V1.01) has an exported activity that can be started to initiate a recording and quickly dismissed. The activity can be started in a way that the user will not be able to see the app in the recent apps list. The resulting audio amr file can be copied from a location on internal storage using the arbitrary command execution as system user vulnerability. Executing commands as system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. |
|
11302 |
CVE-2018-14994 |
20 |
|
|
2019-04-25 |
2019-05-02 |
9.4 |
None |
Remote |
Low |
Not required |
None |
Complete |
Complete |
|
The Essential Phone Android device with a build fingerprint of essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys contains a pre-installed platform app with a package name of com.ts.android.hiddenmenu (versionName=1.0, platformBuildVersionName=8.1.0) that contains an exported activity app component named com.ts.android.hiddenmenu.rtn.RTNResetActivity that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. |
|
11303 |
CVE-2018-14993 |
|
|
Exec Code |
2019-04-25 |
2019-10-02 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. |
|
11304 |
CVE-2018-14991 |
20 |
|
|
2019-04-25 |
2019-05-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app. These devices contain an that app has a package name of com.suntek.mway.rcs.app.service (versionCode=1, versionName=RCS_sdk_M_native_20161008_01; versionCode=1, versionName=RCS_sdk_M_native_20170406_01) with an exported content provider named com.suntek.mway.rcs.app.service.provider.message.MessageProvider and a refactored version of the app with a package name of com.rcs.gsma.na.sdk (versionCode=1, versionName=RCS_SDK_20170804_01) with a content provider named com.rcs.gsma.na.provider.message.MessageProvider allow any app co-located on the device to read, write, insert, and modify the user's text messages. This is enabled by an exported content provider app component that serves as a wrapper to the official content provider that contains the user's text messages. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. |
|
11305 |
CVE-2018-14990 |
20 |
|
|
2019-04-25 |
2019-05-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app. These devices contain an that app has a package name of com.suntek.mway.rcs.app.service (versionCode=1, versionName=RCS_sdk_M_native_20161008_01; versionCode=1, versionName=RCS_sdk_M_native_20170406_01) with a broadcast receiver app component named com.suntek.mway.rcs.app.test.TestReceiver and a refactored version of the app with a package name of com.rcs.gsma.na.sdk (versionCode=1, versionName=RCS_SDK_20170804_01) with a broadcast receiver app component named com.rcs.gsma.na.test.TestReceiver allow any app co-located on the device to programmatically send text messages where the number and body of the text message is controlled by the attacker due to an exported broadcast receiver app component. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. A separate vulnerability in the app allows a zero-permission app to programmatically delete text messages, so the sent text messages can be removed to not alert the user. |
|
11306 |
CVE-2018-14989 |
20 |
|
|
2019-04-25 |
2019-05-02 |
9.4 |
None |
Remote |
Low |
Not required |
None |
Complete |
Complete |
|
The Plum Compass Android device with a build fingerprint of PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-eng.root.20161223.224055) that contains an exported broadcast receiver app component which allows any app co-located on the device to programmatically perform a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. |
|
11307 |
CVE-2018-14985 |
862 |
|
|
2018-12-28 |
2019-10-02 |
5.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Complete |
|
The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-android.20170630.092853) that contains an exported broadcast receiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. |
|
11308 |
CVE-2018-14982 |
732 |
|
|
2018-08-17 |
2019-10-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control in the GNSS application. The LG ID is LVE-SMP-180004. |
|
11309 |
CVE-2018-14981 |
732 |
|
|
2018-08-17 |
2019-10-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents. The LG ID is LVE-SMP-180005. |
|
11310 |
CVE-2018-14978 |
352 |
|
CSRF |
2018-08-06 |
2018-10-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/user/admin/add.html URI. |
|
11311 |
CVE-2018-14977 |
79 |
|
XSS |
2018-08-06 |
2018-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in QCMS 3.0.1. upload/System/Controller/guest.php has XSS, as demonstrated by the name parameter, a different vulnerability than CVE-2018-8070. |
|
11312 |
CVE-2018-14968 |
89 |
|
Sql |
2018-08-06 |
2018-10-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.address.php has SQL Injection via the numPerPage parameter. |
|
11313 |
CVE-2018-14967 |
89 |
|
Sql |
2018-08-06 |
2018-10-04 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.user.php has SQL Injection via the numPerPage parameter. |
|
11314 |
CVE-2018-14966 |
352 |
|
CSRF |
2018-08-06 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF. |
|
11315 |
CVE-2018-14965 |
352 |
|
CSRF |
2018-08-06 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF. |
|
11316 |
CVE-2018-14963 |
352 |
|
CSRF |
2018-08-06 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. |
|
11317 |
CVE-2018-14961 |
89 |
|
Sql |
2018-08-06 |
2018-10-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter. |
|
11318 |
CVE-2018-14960 |
352 |
|
CSRF |
2018-08-06 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Xiao5uCompany 1.7 has CSRF via admin/Admin.asp. |
|
11319 |
CVE-2018-14959 |
352 |
|
CSRF |
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI. |
|
11320 |
CVE-2018-14958 |
352 |
|
CSRF |
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php. |
|
11321 |
CVE-2018-14957 |
22 |
|
Dir. Trav. |
2018-09-27 |
2018-12-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download, as demonstrated by moduli/downloadFile.php?file=oggetto_documenti/../.././inc/config.php (one can take the control of the application because credentials are present in that config.php file). |
|
11322 |
CVE-2018-14956 |
89 |
|
Sql +Info |
2018-09-27 |
2018-11-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
CMS ISWEB 3.5.3 is vulnerable to multiple SQL injection flaws. An attacker can inject malicious queries into the application and obtain sensitive information. |
|
11323 |
CVE-2018-14955 |
79 |
|
XSS |
2018-08-05 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute). |
|
11324 |
CVE-2018-14954 |
79 |
|
XSS |
2018-08-05 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. |
|
11325 |
CVE-2018-14953 |
79 |
|
XSS |
2018-08-05 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. |
|
11326 |
CVE-2018-14952 |
79 |
|
XSS |
2018-08-05 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. |
|
11327 |
CVE-2018-14951 |
79 |
|
XSS |
2018-08-05 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. |
|
11328 |
CVE-2018-14950 |
79 |
|
XSS |
2018-08-05 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. |
|
11329 |
CVE-2018-14948 |
119 |
|
Overflow |
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue has been found in dilawar sound through 2017-11-27. The end of openWavFile in wav-file.cc has Mismatched Memory Management Routines (operator new [] versus operator delete). |
|
11330 |
CVE-2018-14947 |
119 |
|
Overflow |
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue has been found in PDF2JSON 0.69. XmlFontAccu::CSStyle in XmlFonts.cc has Mismatched Memory Management Routines (operator new [] versus operator delete). |
|
11331 |
CVE-2018-14946 |
119 |
|
Overflow |
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue has been found in PDF2JSON 0.69. The HtmlString class in ImgOutputDev.cc has Mismatched Memory Management Routines (malloc versus operator delete). |
|
11332 |
CVE-2018-14945 |
119 |
|
Overflow |
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue has been found in jpeg_encoder through 2015-11-27. It is a heap-based buffer overflow in the function readFromBMP in jpeg_encoder.cpp. |
|
11333 |
CVE-2018-14944 |
787 |
|
|
2018-08-05 |
2018-10-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue has been found in jpeg_encoder through 2015-11-27. It is a SEGV in the function readFromBMP in jpeg_encoder.cpp. The signal is caused by an out-of-bounds write. |
|
11334 |
CVE-2018-14943 |
798 |
|
|
2018-08-05 |
2018-10-17 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account. |
|
11335 |
CVE-2018-14942 |
22 |
|
Dir. Trav. |
2018-08-05 |
2018-10-05 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Harmonic NSG 9000 devices allow remote authenticated users to conduct directory traversal attacks, as demonstrated by "POST /PY/EMULATION_GET_FILE" or "POST /PY/EMULATION_EXPORT" with FileName=../../../passwd in the POST data. |
|
11336 |
CVE-2018-14941 |
200 |
|
+Info |
2018-08-05 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Harmonic NSG 9000 devices allow remote authenticated users to read the webapp.py source code via a direct request for the /webapp.py URI. |
|
11337 |
CVE-2018-14940 |
400 |
|
DoS |
2018-08-05 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
PHPCMS 9 allows remote attackers to cause a denial of service (resource consumption) via large font_size, height, and width parameters in an api.php?op=checkcode request. |
|
11338 |
CVE-2018-14939 |
119 |
|
DoS Overflow |
2018-08-05 |
2018-10-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath function in certain environments such as FreeBSD libc, which might allow attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site. |
|
11339 |
CVE-2018-14938 |
125 |
|
DoS Overflow |
2018-08-04 |
2019-05-06 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
An issue was discovered in wifipcap/wifipcap.cpp in TCPFLOW through 1.5.0-alpha. There is an integer overflow in the function handle_prism during caplen processing. If the caplen is less than 144, one can cause an integer overflow in the function handle_80211, which will result in an out-of-bounds read and may allow access to sensitive memory (or a denial of service). |
|
11340 |
CVE-2018-14935 |
79 |
|
XSS |
2018-11-15 |
2018-12-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS. |
|
11341 |
CVE-2018-14933 |
78 |
|
Exec Code |
2018-08-04 |
2019-10-02 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command. |
|
11342 |
CVE-2018-14931 |
601 |
|
|
2019-04-30 |
2019-05-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
An issue was discovered in the Core and Portal modules in Polaris FT Intellect Core Banking 9.7.1. An open redirect exists via a /IntellectMain.jsp?IntellectSystem= URI. |
|
11343 |
CVE-2018-14930 |
352 |
|
CSRF |
2019-04-30 |
2019-05-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in the Armor module in Polaris FT Intellect Core Banking 9.7.1. CSRF can occur via a /CollatWebApp/gcmsRefInsert?name=SUPP URI. |
|
11344 |
CVE-2018-14929 |
79 |
|
XSS |
2018-08-03 |
2018-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Matera Banco 1.0.0 is vulnerable to multiple reflected XSS, as demonstrated by the /contingency/web/index.jsp (aka home page) url parameter. |
|
11345 |
CVE-2018-14928 |
200 |
|
+Info |
2018-08-03 |
2018-10-11 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
/contingency/servlet/ServletFileDownload executes as root and provides unauthenticated access to files via the file parameter. |
|
11346 |
CVE-2018-14927 |
22 |
|
Dir. Trav. |
2018-08-03 |
2018-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Matera Banco 1.0.0 is vulnerable to path traversal (allowing access to system files outside the default application folder) via the /contingency/servlet/ServletFileDownload file parameter, related to /contingency/web/receiptQuery/receiptDisplay.jsp. |
|
11347 |
CVE-2018-14926 |
352 |
|
CSRF |
2018-08-03 |
2018-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request. |
|
11348 |
CVE-2018-14925 |
209 |
|
|
2018-08-03 |
2019-10-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Matera Banco 1.0.0 mishandles Java errors in the backend, as demonstrated by a stack trace revealing use of net.sf.acegisecurity components. |
|
11349 |
CVE-2018-14924 |
79 |
|
XSS |
2018-08-03 |
2018-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Matera Banco 1.0.0 is vulnerable to multiple stored XSS, as demonstrated by the sca/privilegio/consultarUsuario.jsf "Nome Completo" (aka user fullname) field. |
|
11350 |
CVE-2018-14923 |
20 |
|
Exec Code |
2018-08-03 |
2018-10-10 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in uniview EZPlayer 1.0.6 could allow an attacker to execute arbitrary code on a targeted system via video playback. |
