CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3801 CVE-2018-6474 20 DoS 2018-01-31 2018-02-13
6.1
None Local Low Not required Partial Partial Complete
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402148.
3802 CVE-2018-6473 20 DoS 2018-01-31 2018-02-13
6.1
None Local Low Not required Partial Partial Complete
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402080.
3803 CVE-2018-6472 20 DoS 2018-01-31 2018-02-13
6.1
None Local Low Not required Partial Partial Complete
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C40204c.
3804 CVE-2018-6471 20 DoS 2018-01-31 2018-02-13
6.1
None Local Low Not required Partial Partial Complete
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402078.
3805 CVE-2018-6467 352 CSRF 2018-02-06 2018-02-28
6.8
None Remote Medium Not required Partial Partial Partial
The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.
3806 CVE-2018-6462 787 Exec Code 2018-01-31 2019-10-02
6.8
None Remote Medium Not required Partial Partial Partial
Tracker PDF-XChange Viewer and Viewer AX SDK before 2.5.322.8 mishandle conversion from YCC to RGB colour spaces by calculating on the basis of 1 bpc instead of 8 bpc, which might allow remote attackers to execute arbitrary code via a crafted PDF document.
3807 CVE-2018-6458 352 CSRF 2018-05-11 2018-06-13
6.8
None Remote Medium Not required Partial Partial Partial
Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
3808 CVE-2018-6442 Exec Code 2018-11-08 2019-10-02
6.5
None Remote Low Single system Partial Partial Partial
A vulnerability in the Brocade Webtools firmware update section of Brocade Fabric OS before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote authenticated attackers to execute arbitrary commands.
3809 CVE-2018-6440 DoS +Info 2018-12-03 2019-10-02
6.4
None Remote Low Not required Partial None Partial
A vulnerability in the proxy service of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote unauthenticated attackers to obtain sensitive information and possibly cause a denial of service attack.
3810 CVE-2018-6408 352 CSRF 2018-01-30 2018-02-27
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.
3811 CVE-2018-6406 125 DoS +Info 2018-01-30 2019-10-02
6.8
None Remote Medium Not required Partial Partial Partial
The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in libwebm through 2018-01-30 does not validate the child_frame_length data obtained from a .webm file, which allows remote attackers to cause an information leak or a denial of service (heap-based buffer over-read and later out-of-bounds write), or possibly have unspecified other impact.
3812 CVE-2018-6393 89 Sql 2018-01-29 2019-04-16
6.5
None Remote Low Single system Partial Partial Partial
** DISPUTED ** FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors."
3813 CVE-2018-6391 352 CSRF 2018-01-29 2018-02-14
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
3814 CVE-2018-6383 184 Exec Code 2018-01-29 2018-02-21
6.5
None Remote Low Single system Partial Partial Partial
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
3815 CVE-2018-6374 295 2018-01-31 2018-02-24
6.4
None Remote Low Not required None Partial Partial
The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set.
3816 CVE-2018-6360 20 Exec Code 2018-01-27 2018-10-21
6.8
None Remote Medium Not required Partial Partial Partial
mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.
3817 CVE-2018-6359 416 DoS 2018-01-27 2019-04-26
6.8
None Remote Medium Not required Partial Partial Partial
The decompileIF function (util/decompile.c) in libming through 0.4.8 is vulnerable to a use-after-free, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.
3818 CVE-2018-6358 119 DoS Overflow 2018-01-27 2019-04-26
6.8
None Remote Medium Not required Partial Partial Partial
The printDefineFont2 function (util/listfdb.c) in libming through 0.4.8 is vulnerable to a heap-based buffer overflow, which may allow attackers to cause a denial of service or unspecified other impact via a crafted FDB file.
3819 CVE-2018-6357 352 XSS CSRF 2018-01-27 2018-02-15
6.8
None Remote Medium Not required Partial Partial Partial
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
3820 CVE-2018-6340 125 2018-12-31 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).
3821 CVE-2018-6336 254 Exec Code 2018-12-31 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7
3822 CVE-2018-6330 89 Sql 2019-03-28 2019-03-28
6.5
None Remote Low Single system Partial Partial Partial
Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters.
3823 CVE-2018-6323 190 DoS Overflow 2018-01-26 2018-02-16
6.8
None Remote Medium Not required Partial Partial Partial
The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
3824 CVE-2018-6317 134 DoS 2018-02-02 2018-02-15
6.4
None Remote Low Not required Partial None Partial
The remote management interface in Claymore Dual Miner 10.5 and earlier is vulnerable to an unauthenticated format string vulnerability, allowing remote attackers to read memory or cause a denial of service.
3825 CVE-2018-6316 863 Bypass 2018-02-15 2019-10-02
6.0
None Remote Medium Single system Partial Partial Partial
Ivanti Endpoint Security (formerly HEAT Endpoint Management and Security Suite) 8.5 Update 1 and earlier allows an authenticated user with low privileges and access to the local network to bypass application whitelisting when using the Application Control module on Ivanti Endpoint Security in lockdown mode.
3826 CVE-2018-6315 125 DoS Overflow 2018-01-25 2019-04-26
6.8
None Remote Medium Not required Partial Partial Partial
The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming through 0.4.8 is vulnerable to an integer overflow and resultant out-of-bounds read, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.
3827 CVE-2018-6306 426 Exec Code 2018-04-19 2018-05-22
6.8
None Remote Medium Not required Partial Partial Partial
Unauthorized code execution from specific DLL and is known as DLL Hijacking attack in Kaspersky Password Manager versions before 8.0.6.538.
3828 CVE-2018-6288 352 CSRF 2018-02-06 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.
3829 CVE-2018-6236 362 Exec Code 2018-05-25 2018-06-28
6.9
None Local Medium Not required Complete Complete Complete
A Time-of-Check Time-of-Use privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222813 by the tmusa driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
3830 CVE-2018-6224 352 CSRF 2018-03-15 2018-04-04
6.8
None Remote Medium Not required Partial Partial Partial
A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.
3831 CVE-2018-6219 295 2018-03-15 2018-04-04
6.4
None Remote Low Not required Partial Partial None
An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data.
3832 CVE-2018-6209 20 DoS 2018-01-24 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxCryptMon.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019.
3833 CVE-2018-6208 20 DoS 2018-01-24 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x22000d.
3834 CVE-2018-6207 20 DoS 2018-01-24 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019.
3835 CVE-2018-6206 20 DoS 2018-01-24 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220011.
3836 CVE-2018-6205 20 DoS 2018-01-24 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220009.
3837 CVE-2018-6204 20 DoS 2018-01-24 2018-02-07
6.1
None Local Low Not required Partial Partial Complete
In Max Secure Anti Virus 19.0.3.019,, the driver file (SDActMon.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019.
3838 CVE-2018-6203 20 DoS 2018-01-24 2018-02-08
6.1
None Local Low Not required Partial Partial Complete
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8300210C.
3839 CVE-2018-6202 20 DoS 2018-01-24 2018-02-08
6.1
None Local Low Not required Partial Partial Complete
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020F8.
3840 CVE-2018-6201 20 DoS 2018-01-24 2018-02-08
6.1
None Local Low Not required Partial Partial Complete
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020E0 or 0x830020E4.
3841 CVE-2018-6195 94 2018-01-30 2018-02-15
6.5
None Remote Low Single system Partial Partial Partial
admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.
3842 CVE-2018-6174 190 Exec Code Overflow 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflows in Swiftshader in Google Chrome prior to 68.0.3440.75 potentially allowed a remote attacker to execute arbitrary code via a crafted HTML page.
3843 CVE-2018-6170 787 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
A bad cast in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
3844 CVE-2018-6161 20 Bypass 2019-06-27 2019-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
3845 CVE-2018-6157 704 2019-06-27 2019-07-01
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in WebRTC in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
3846 CVE-2018-6156 119 Overflow 2019-06-27 2019-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Incorect derivation of a packet length in WebRTC in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
3847 CVE-2018-6154 119 Overflow 2019-06-27 2019-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient data validation in WebGL in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
3848 CVE-2018-6153 787 2019-01-09 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
A precision error in Skia in Google Chrome prior to 68.0.3440.75 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page.
3849 CVE-2018-6151 125 2019-01-09 2019-01-15
6.8
None Remote Medium Not required Partial Partial Partial
Bad cast in DevTools in Google Chrome on Win, Linux, Mac, Chrome OS prior to 66.0.3359.117 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension.
3850 CVE-2018-6149 787 2019-06-27 2019-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in JavaScript in Google Chrome prior to 67.0.3396.87 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.