| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
4851 |
CVE-2018-6882 |
79 |
|
XSS |
2018-03-27 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. |
|
4852 |
CVE-2018-6879 |
20 |
|
|
2018-04-12 |
2018-05-16 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
PHP Scripts Mall Website Seller Script 2.0.3 uses the client side to enforce validation of an e-mail address, which allows remote attackers to modify a registered e-mail address by removing the validation code. |
|
4853 |
CVE-2018-6876 |
119 |
|
DoS Overflow |
2018-02-09 |
2018-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as used in ImageMagick 7.0.7-22 Q16 and other products, allows remote attackers to cause a denial of service (stack-based buffer under-read) via a crafted bmp image. |
|
4854 |
CVE-2018-6872 |
125 |
|
DoS |
2018-02-09 |
2018-11-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment. |
|
4855 |
CVE-2018-6870 |
79 |
|
XSS |
2018-04-12 |
2018-05-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Reflected XSS exists in PHP Scripts Mall Website Seller Script 2.0.3 via the Listings Search feature. |
|
4856 |
CVE-2018-6869 |
770 |
|
DoS |
2018-02-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. |
|
4857 |
CVE-2018-6849 |
200 |
|
+Info |
2018-04-01 |
2018-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request. |
|
4858 |
CVE-2018-6845 |
79 |
|
XSS |
2018-02-11 |
2018-02-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
PHP Scripts Mall Multi Language Olx Clone Script 2.0.6 has XSS via the Leave Comment field. |
|
4859 |
CVE-2018-6834 |
79 |
|
XSS |
2018-02-08 |
2018-02-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
static/js/pad_utils.js in Etherpad Lite before v1.6.3 has XSS via window.location.href. |
|
4860 |
CVE-2018-6824 |
79 |
|
XSS |
2018-02-07 |
2018-02-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cozy version 2 has XSS allowing remote attackers to obtain administrative access via JavaScript code in the url parameter to the /api/proxy URI, as demonstrated by an XMLHttpRequest call with an 'email:"[email protected]"' request, which can be followed by a password reset. |
|
4861 |
CVE-2018-6811 |
79 |
|
XSS |
2018-03-06 |
2018-03-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, 11.0, 11.1, and 12.0 allow remote attackers to inject arbitrary web script or HTML via the Citrix NetScaler interface. |
|
4862 |
CVE-2018-6806 |
200 |
|
+Info |
2018-02-07 |
2019-09-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Marked 2 through 2.5.11 allows remote attackers to read arbitrary files via a crafted HTML document that triggers a redirect to an x-marked://preview?text= URL. The value of the text parameter can include arbitrary JavaScript code, e.g., making XMLHttpRequest calls. |
|
4863 |
CVE-2018-6764 |
346 |
|
Exec Code Bypass |
2018-02-23 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module. |
|
4864 |
CVE-2018-6759 |
20 |
|
DoS |
2018-02-06 |
2018-11-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file. |
|
4865 |
CVE-2018-6757 |
|
|
Exec Code |
2018-12-06 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Privilege Escalation vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware. |
|
4866 |
CVE-2018-6756 |
|
|
Exec Code |
2018-12-06 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Authentication Abuse vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute unauthorized commands via specially crafted malware. |
|
4867 |
CVE-2018-6755 |
732 |
|
Exec Code |
2018-12-06 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Weak Directory Permission Vulnerability in Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware. |
|
4868 |
CVE-2018-6707 |
400 |
|
DoS Exec Code |
2018-12-13 |
2019-10-09 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Denial of Service through Resource Depletion vulnerability in the agent in non-Windows McAfee Agent (MA) 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to cause DoS, unexpected behavior, or potentially unauthorized code execution via knowledge of the internal trust mechanism. |
|
4869 |
CVE-2018-6705 |
|
|
Exec Code |
2018-12-12 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to perform arbitrary command execution via specific conditions. |
|
4870 |
CVE-2018-6704 |
|
|
Exec Code |
2018-12-12 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to perform arbitrary command execution via specific conditions. |
|
4871 |
CVE-2018-6695 |
|
|
|
2018-10-03 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
SSH host keys generation vulnerability in the server in McAfee Threat Intelligence Exchange Server (TIE Server) 1.3.0, 2.0.x, 2.1.x, 2.2.0 allows man-in-the-middle attackers to spoof servers via acquiring keys from another environment. |
|
4872 |
CVE-2018-6689 |
287 |
|
Bypass |
2018-10-03 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Authentication Bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLPe) 10.0.x earlier than 10.0.510, and 11.0.x earlier than 11.0.600 allows attackers to bypass local security protection via specific conditions. |
|
4873 |
CVE-2018-6687 |
400 |
|
|
2019-02-21 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSusp (GetSusp) 3.0.0.461 and earlier allows attackers to DoS a manual GetSusp scan via while scanning a specifically crafted file . GetSusp is a free standalone McAfee tool that runs on several versions of Microsoft Windows. |
|
4874 |
CVE-2018-6686 |
287 |
|
Bypass |
2018-07-27 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Authentication Bypass vulnerability in TPM autoboot in McAfee Drive Encryption (MDE) 7.1.0 and above allows physically proximate attackers to bypass local security protection via specific set of circumstances. |
|
4875 |
CVE-2018-6683 |
276 |
|
Bypass |
2018-07-23 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Exploiting Incorrectly Configured Access Control Security Levels vulnerability in McAfee Data Loss Prevention (DLP) for Windows versions prior to 10.0.505 and 11.0.405 allows local users to bypass DLP policy via editing of local policy files when offline. |
|
4876 |
CVE-2018-6682 |
79 |
|
XSS |
2018-09-24 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Cross Site Scripting Exposure in McAfee True Key (TK) 4.0.0.0 and earlier allows local users to expose confidential data via a crafted web site. |
|
4877 |
CVE-2018-6672 |
200 |
|
+Info |
2018-06-15 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors. |
|
4878 |
CVE-2018-6671 |
|
|
Bypass |
2018-06-15 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request. |
|
4879 |
CVE-2018-6670 |
611 |
|
|
2018-06-07 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter. |
|
4880 |
CVE-2018-6668 |
|
|
Bypass |
2018-12-31 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and before allows execution bypass, for example, with simple DLL through interpreters such as PowerShell. |
|
4881 |
CVE-2018-6660 |
22 |
|
Dir. Trav. Bypass |
2018-04-02 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.2, 5.3.1, 5.3.0 and 5.9.0 allows administrators to use Windows alternate data streams, which could be used to bypass the file extensions, via not properly validating the path when exporting a particular XML file. |
|
4882 |
CVE-2018-6643 |
79 |
|
XSS |
2018-08-28 |
2018-11-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter. |
|
4883 |
CVE-2018-6621 |
125 |
|
DoS |
2018-02-04 |
2019-01-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The decode_frame function in libavcodec/utvideodec.c in FFmpeg through 3.4.1 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file. |
|
4884 |
CVE-2018-6616 |
400 |
|
DoS |
2018-02-04 |
2019-08-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
In OpenJPEG 2.3.0, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. |
|
4885 |
CVE-2018-6612 |
190 |
|
|
2018-02-04 |
2018-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
An integer underflow bug in the process_EXIF function of the exif.c file of jhead 3.00 raises a heap-based buffer over-read when processing a malicious JPEG file, which may allow a remote attacker to cause a denial-of-service attack or unspecified other impact. |
|
4886 |
CVE-2018-6608 |
200 |
|
+Info |
2018-03-28 |
2018-04-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In the WebRTC component in Opera 51.0.2830.55, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request. |
|
4887 |
CVE-2018-6606 |
732 |
|
|
2018-02-03 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges. |
|
4888 |
CVE-2018-6603 |
79 |
|
XSS Http R.Spl. |
2018-02-07 |
2018-03-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Promise Technology WebPam Pro-E devices allow remote attackers to conduct XSS, HTTP Response Splitting, and CRLF Injection attacks via JavaScript code in a PHPSESSID cookie. |
|
4889 |
CVE-2018-6593 |
732 |
|
|
2018-02-03 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges. |
|
4890 |
CVE-2018-6592 |
404 |
|
|
2018-02-19 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unisys Stealth 3.3 Windows endpoints before 3.3.016.1 allow local users to gain access to Stealth-enabled devices by leveraging improper cleanup of memory used for negotiation key storage. |
|
4891 |
CVE-2018-6590 |
79 |
|
XSS |
2018-08-03 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CA API Developer Portal 4.x, prior to v4.2.5.3 and v4.2.7.1, has an unspecified reflected cross-site scripting vulnerability. |
|
4892 |
CVE-2018-6588 |
79 |
|
XSS |
2018-03-29 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CA API Developer Portal 3.5 up to and including 3.5 CR5 has a reflected cross-site scripting vulnerability related to the apiExplorer. |
|
4893 |
CVE-2018-6587 |
79 |
|
XSS |
2018-03-29 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CA API Developer Portal 3.5 up to and including 3.5 CR6 has a reflected cross-site scripting vulnerability related to the widgetID variable. |
|
4894 |
CVE-2018-6586 |
79 |
|
XSS |
2018-03-29 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CA API Developer Portal 3.5 up to and including 3.5 CR6 has a stored cross-site scripting vulnerability related to profile picture processing. |
|
4895 |
CVE-2018-6574 |
94 |
|
Exec Code |
2018-02-07 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. |
|
4896 |
CVE-2018-6561 |
79 |
|
XSS |
2018-02-02 |
2018-02-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element. |
|
4897 |
CVE-2018-6560 |
436 |
|
|
2018-02-02 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon. |
|
4898 |
CVE-2018-6558 |
|
|
+Priv |
2018-08-23 |
2019-10-02 |
4.9 |
None |
Remote |
Medium |
Single system |
None |
Partial |
Partial |
|
The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a successful login through certain applications that use Linux-PAM (aka pam). |
|
4899 |
CVE-2018-6557 |
59 |
|
DoS |
2018-08-21 |
2018-11-21 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled. |
|
4900 |
CVE-2018-6554 |
772 |
|
DoS |
2018-09-04 |
2019-10-09 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket. |
