CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2101 CVE-2018-9502 125 2018-10-02 2018-11-20
6.1
None Local Network Low Not required Complete None None
In rfc_process_mx_message of rfc_ts_frames.cc, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-111936792
2102 CVE-2018-9331 22 Dir. Trav. 2018-04-06 2018-05-10
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in zzcms 8.2. user/adv.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter. This can be leveraged for database access by deleting install.lock.
2103 CVE-2018-9327 20 Exec Code 2018-04-07 2018-05-11
6.8
None Remote Medium Not required Partial Partial Partial
Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. The instance has to be configured to use a document database (DirtyDB, CouchDB, MongoDB, or RethinkDB).
2104 CVE-2018-9302 918 2018-05-02 2018-06-07
6.4
None Remote Low Not required Partial Partial None
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14611, which was about version 0.13.0, which (surprisingly) is an earlier version than 0.4.4.
2105 CVE-2018-9281 352 XSS CSRF 2018-10-24 2018-12-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently.
2106 CVE-2018-9275 200 +Info 2018-04-04 2018-05-21
6.4
None Remote Low Not required Partial None Partial
In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).
2107 CVE-2018-9250 89 Exec Code Sql 2018-05-18 2018-06-20
6.5
None Remote Low Single system Partial Partial Partial
interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter.
2108 CVE-2018-9242 20 2018-07-03 2018-09-04
6.6
None Local Low Not required None Complete Complete
The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.9 and earlier may allow an attacker to delete files in the system via specific request parameters.
2109 CVE-2018-9153 434 Exec Code CSRF 2018-04-16 2018-05-23
6.5
None Remote Low Single system Partial Partial Partial
The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF.
2110 CVE-2018-9135 119 Overflow 2018-03-30 2018-04-18
6.8
None Remote Medium Not required Partial Partial Partial
In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-read in IsWEBPImageLossless in coders/webp.c.
2111 CVE-2018-9134 352 Exec Code CSRF 2018-03-30 2018-04-23
6.8
None Remote Medium Not required Partial Partial Partial
file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.
2112 CVE-2018-9128 119 Overflow 2018-04-01 2019-04-03
6.8
None Remote Medium Not required Partial Partial Partial
DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf file, a related issue to CVE-2007-3068.
2113 CVE-2018-9116 611 DoS 2018-03-29 2018-08-13
6.4
None Remote Low Not required Partial None Partial
An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.
2114 CVE-2018-9110 22 Dir. Trav. 2018-03-28 2018-05-29
6.4
None Remote Low Not required None Partial Partial
Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. NOTE: this issue exists because of an incomplete fix for CVE-2018-9109.
2115 CVE-2018-9109 22 Dir. Trav. 2018-03-28 2018-05-29
6.4
None Remote Low Not required None Partial Partial
Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process.
2116 CVE-2018-9108 352 CSRF 2018-03-28 2018-04-20
6.8
None Remote Medium Not required Partial Partial Partial
CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges.
2117 CVE-2018-9107 20 2018-03-28 2018-04-19
6.8
None Remote Medium Not required Partial Partial Partial
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.
2118 CVE-2018-9106 20 2018-03-28 2018-04-19
6.8
None Remote Medium Not required Partial Partial Partial
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.
2119 CVE-2018-9092 352 CSRF 2018-03-27 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password.
2120 CVE-2018-9078 254 2018-09-28 2019-01-08
6.8
None Remote Medium Not required Partial Partial Partial
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.
2121 CVE-2018-9074 22 Dir. Trav. 2018-09-28 2018-11-20
6.8
None Remote Low Single system None Complete None
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file upload functionality of the Content Explorer application is vulnerable to path traversal. As a result, users can upload files anywhere on the device's operating system as the root user.
2122 CVE-2018-9070 264 2018-07-13 2018-09-10
6.9
None Local Medium Not required Complete Complete Complete
For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.
2123 CVE-2018-9054 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf100284c.
2124 CVE-2018-9053 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf10026cc.
2125 CVE-2018-9052 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf100283c.
2126 CVE-2018-9051 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002021.
2127 CVE-2018-9050 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf100202d.
2128 CVE-2018-9049 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002833.
2129 CVE-2018-9048 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf100282c.
2130 CVE-2018-9047 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002841.
2131 CVE-2018-9046 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf100282d.
2132 CVE-2018-9045 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002849.
2133 CVE-2018-9044 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win10_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060cc.
2134 CVE-2018-9043 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win10_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060d0.
2135 CVE-2018-9042 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win10_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402000.
2136 CVE-2018-9041 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win10_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402004.
2137 CVE-2018-9040 20 DoS 2018-03-26 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win10_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060c4.
2138 CVE-2018-9037 434 Exec Code 2018-04-10 2018-05-17
6.5
None Remote Low Single system Partial Partial Partial
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files.
2139 CVE-2018-9035 20 2018-04-04 2018-05-21
6.8
None Remote Medium Not required Partial Partial Partial
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
2140 CVE-2018-9007 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060c4.
2141 CVE-2018-9006 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402004.
2142 CVE-2018-9005 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060d0.
2143 CVE-2018-9004 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060d0.
2144 CVE-2018-9003 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402000.
2145 CVE-2018-9002 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060cc.
2146 CVE-2018-9001 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402000.
2147 CVE-2018-9000 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c402004.
2148 CVE-2018-8999 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_win7_x64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060c4.
2149 CVE-2018-8998 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x86.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c4060cc.
2150 CVE-2018-8997 20 DoS 2018-03-24 2018-03-30
6.1
None Local Low Not required Partial Partial Complete
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xf1002004.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.