CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2018-18804 89 Sql 2018-11-16 2018-12-17
7.5
None Remote Low Not required Partial Partial Partial
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
352 CVE-2018-18803 89 Sql 2018-11-16 2018-12-17
7.5
None Remote Low Not required Partial Partial Partial
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.
353 CVE-2018-18801 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
354 CVE-2018-18799 352 CSRF 2018-11-16 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
355 CVE-2018-18797 352 CSRF 2018-11-16 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
356 CVE-2018-18796 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
Library Management System 1.0 has SQL Injection via the "Search for Books" screen.
357 CVE-2018-18795 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter.
358 CVE-2018-18794 352 CSRF 2018-11-16 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
359 CVE-2018-18793 434 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos.
360 CVE-2018-18777 22 Dir. Trav. Bypass 2018-11-01 2018-12-12
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
361 CVE-2018-18776 79 XSS 2018-11-01 2018-12-12
4.3
None Remote Medium Not required None Partial None
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product.
362 CVE-2018-18775 79 XSS 2018-11-01 2018-12-12
4.3
None Remote Medium Not required None Partial None
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.
363 CVE-2018-18774 79 XSS 2018-11-20 2018-11-29
4.3
None Remote Medium Not required None Partial None
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
364 CVE-2018-18773 352 CSRF 2018-11-20 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
365 CVE-2018-18772 352 CSRF 2018-11-20 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
366 CVE-2018-18763 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuarios&action2=[SQL] SQL Injection.
367 CVE-2018-18761 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection.
368 CVE-2018-18760 352 CSRF 2018-11-16 2018-12-17
4.3
None Remote Medium Not required Partial None None
RhinOS 3.0 build 1190 allows CSRF.
369 CVE-2018-18759 119 Overflow 2018-11-16 2019-01-14
5.0
None Remote Low Not required None None Partial
Modbus Slave 7.0.0 in modbus tools has a Buffer Overflow.
370 CVE-2018-18756 119 Overflow 2018-11-16 2018-12-31
5.0
None Remote Low Not required None None Partial
Local Server 1.0.9 has a Buffer Overflow via crafted data on Port 4008.
371 CVE-2018-18755 89 Sql 2018-11-16 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
372 CVE-2018-18716 79 XSS 2018-11-20 2018-12-10
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
373 CVE-2018-18715 79 XSS 2018-11-20 2018-12-10
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
374 CVE-2018-18714 119 DoS Exec Code Overflow 2018-11-01 2018-12-10
7.2
None Local Low Not required Complete Complete Complete
RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E010. This can lead to denial of service (DoS) or code execution with root privileges.
375 CVE-2018-18695 119 Overflow 2018-11-01 2018-12-12
4.6
None Local Low Not required Partial Partial Partial
M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file.
376 CVE-2018-18649 20 Exec Code 2018-11-29 2018-12-27
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
377 CVE-2018-18619 89 Sql 2018-11-29 2018-12-28
7.5
None Remote Low Not required Partial Partial Partial
internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the sqli attack via a URL in the "page" parameter. NOTE: The product is discontinued.
378 CVE-2018-18591 200 +Info 2018-11-13 2019-10-09
4.0
None Remote Low Single system Partial None None
A potential unauthorized disclosure of data vulnerability has been identified in Micro Focus Service Manager versions: 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51. The vulnerability could be exploited to release unauthorized disclosure of data.
379 CVE-2018-18590 200 Exec Code +Info 2018-11-07 2019-10-09
5.8
None Local Network Low Not required Partial Partial Partial
A potential remote code execution and information disclosure vulnerability exists in Micro Focus Operations Bridge containerized suite versions 2017.11, 2018.02, 2018.05, 2018.08. This vulnerability could allow for information disclosure.
380 CVE-2018-18565 434 2018-11-20 2018-12-28
4.1
None Local Network Low Single system None Partial Partial
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial number below KQ0400000 or KS0400000), and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). A vulnerability in the software update mechanism allows authenticated attackers in the adjacent network to overwrite arbitrary files on the system through a crafted update package.
381 CVE-2018-18564 284 2018-11-20 2019-10-02
3.3
None Local Network Low Not required None Partial None
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, and cobas h 232 before 04.00.04 (Serial number above KQ0400000 or KS0400000). Improper access control allows attackers in the adjacent network to change the instrument configuration.
382 CVE-2018-18563 434 Exec Code 2018-11-20 2019-10-02
8.3
None Local Network Low Not required Complete Complete Complete
An issue was discovered in Roche Accu-Chek Inform II Instrument before 03.06.00 (Serial number below 14000) and 04.x before 04.03.00 (Serial Number above 14000), CoaguChek Pro II before 04.03.00, CoaguChek XS Plus before 03.01.06, CoaguChek XS Pro before 03.01.06, cobas h 232 before 03.01.03 (Serial Number below KQ0400000 or KS0400000) and cobas h 232 before 04.00.04 (Serial Number above KQ0400000 or KS0400000). Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted Poct1-A message.
383 CVE-2018-18562 521 2018-11-20 2019-10-02
3.3
None Local Network Low Not required Partial None None
An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.
384 CVE-2018-18561 287 Exec Code 2018-11-20 2018-12-28
7.7
None Local Network Low Single system Complete Complete Complete
An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system.
385 CVE-2018-18519 426 +Priv 2018-11-19 2019-06-21
6.8
None Remote Medium Not required Partial Partial Partial
BestXsoftware Best Free Keylogger before 6.0.0 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
386 CVE-2018-18440 119 Overflow 2018-11-20 2019-01-02
7.2
None Local Low Not required Complete Complete Complete
DENX U-Boot through 2018.09-rc1 has a locally exploitable buffer overflow via a crafted kernel image because filesystem loading is mishandled.
387 CVE-2018-18439 119 Overflow 2018-11-20 2019-01-02
10.0
None Remote Low Not required Complete Complete Complete
DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer overflow via a malicious TFTP server because TFTP traffic is mishandled. Also, local exploitation can occur via a crafted kernel image.
388 CVE-2018-18203 Exec Code 2018-11-28 2018-11-28
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability in the update mechanism of Subaru StarLink Harman head units 2017, 2018, and 2019 may give an attacker (with physical access to the vehicle's USB ports) the ability to rewrite the firmware of the head unit. This occurs because the device accepts modified QNX6 filesystem images (as long as the attacker obtains access to certain Harman decryption/encryption code) as a consequence of a bug where unsigned images pass a validity check. An attacker could potentially install persistent malicious head unit firmware and execute arbitrary code as the root user.
389 CVE-2018-17960 79 XSS 2018-11-14 2019-07-17
4.3
None Remote Medium Not required None Partial None
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
390 CVE-2018-17953 2018-11-27 2019-10-09
9.3
None Remote Medium Not required Complete Complete Complete
A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open).
391 CVE-2018-17948 601 2018-11-20 2018-12-26
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3.
392 CVE-2018-17936 434 Exec Code 2018-11-27 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
NUUO CMS All versions 3.3 and prior the application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution.
393 CVE-2018-17934 22 Exec Code Dir. Trav. +Info 2018-11-27 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
NUUO CMS All versions 3.3 and prior the application allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.
394 CVE-2018-17930 119 Exec Code Overflow 2018-11-28 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
A stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock Version 7.2.7.4 and prior, which may allow remote code execution.
395 CVE-2018-17922 532 2018-11-02 2019-10-09
5.0
None Remote Low Not required Partial None None
Circontrol CirCarLife all versions prior to 4.3.1, the PAP credentials of the device are stored in clear text in a log file that is accessible without authentication.
396 CVE-2018-17918 287 Bypass 2018-11-02 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Circontrol CirCarLife all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page.
397 CVE-2018-17916 119 Exec Code Overflow 2018-11-02 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. A remote attacker could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. If InduSoft Web Studio remote communication security was not enabled, or a password was left blank, a remote user could send a carefully crafted packet to invoke an arbitrary process, with potential for code to be executed. The code would be executed under the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Edge HMI server machine.
398 CVE-2018-17914 Exec Code 2018-11-02 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. This vulnerability could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) runtime.
399 CVE-2018-17913 704 Exec Code 2018-11-05 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A type confusion vulnerability exists when processing project files in Omron CX-Supervisor Versions 3.4.1.0 and prior, which may allow an attacker to execute code in the context of the application.
400 CVE-2018-17912 611 2018-11-02 2019-10-09
5.0
None Remote Low Not required Partial None None
An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.
Total number of vulnerabilities : 982   Page : 1 2 3 4 5 6 7 8 (This Page)9 10 11 12 13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.