CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
751 CVE-2018-3787 22 Dir. Trav. 2018-08-31 2019-10-09
5.0
None Remote Low Not required Partial None None
Path traversal in simplehttpserver <v0.2.1 allows listing any file on the server.
752 CVE-2018-3786 78 Exec Code 2018-08-24 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
753 CVE-2018-3785 78 Exec Code 2018-08-17 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.
754 CVE-2018-3784 94 Exec Code 2018-08-17 2020-09-18
7.5
None Remote Low Not required Partial Partial Partial
A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.
755 CVE-2018-3783 89 Sql 2018-08-17 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.
756 CVE-2018-3781 79 XSS 2018-08-13 2019-10-09
3.5
None Remote Medium ??? None Partial None
A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.
757 CVE-2018-3780 79 XSS 2018-08-13 2019-10-09
3.5
None Remote Medium ??? None Partial None
A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.
758 CVE-2018-3779 Exec Code 2018-08-10 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.
759 CVE-2018-3778 863 2018-08-08 2019-10-09
5.0
None Remote Low Not required None Partial None
Improper authorization in aedes version <0.35.0 will publish a LWT in a channel when a client is not authorized.
760 CVE-2018-3777 172 2018-08-03 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Insufficient URI encoding in restforce before 3.0.0 allows attacker to inject arbitrary parameters into Salesforce API requests.
761 CVE-2018-3776 532 2018-08-12 2019-10-09
5.0
None Remote Low Not required None Partial None
Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
762 CVE-2018-3775 287 Bypass 2018-08-12 2019-10-09
4.0
None Remote Low ??? None Partial None
Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication.
763 CVE-2018-3774 601 Bypass 2018-08-12 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
764 CVE-2018-3672 Exec Code 2018-08-01 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Driver module in Intel Smart Sound Technology before version 9.21.00.3541 potentially allows a local attacker to execute arbitrary code as administrator via a system calls.
765 CVE-2018-3671 2018-08-01 2019-10-03
2.7
None Local Network Low ??? Partial None None
Escalation of privilege in Intel Saffron admin application before 11.4 allows an authenticated user to access unauthorized information.
766 CVE-2018-3670 119 Exec Code Overflow 2018-08-01 2018-10-01
7.2
None Local Low Not required Complete Complete Complete
Driver module in Intel Smart Sound Technology before version 9.21.00.3541 potentially allows a local attacker to execute arbitrary code as administrator via a buffer overflow.
767 CVE-2018-3666 Exec Code Overflow 2018-08-01 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Driver module in Intel Smart Sound Technology before version 9.21.00.3541 potentially allows a local attacker to execute arbitrary code as administrator via a non-paged pool overflow.
768 CVE-2018-3663 2018-08-01 2019-10-03
2.7
None Local Network Low ??? Partial None None
Escalation of privilege in Intel Saffron MemoryBase before 11.4 allows an authenticated user access to privileged information.
769 CVE-2018-3662 Exec Code 2018-08-01 2019-10-03
7.7
None Local Network Low ??? Complete Complete Complete
Escalation of privilege in Intel Saffron MemoryBase before version 11.4 potentially allows an authorized user of the Saffron application to execute arbitrary code as root.
770 CVE-2018-3650 20 Bypass 2018-08-01 2018-11-19
4.6
None Local Low Not required Partial Partial Partial
Insufficient Input Validation in Bleach module in INTEL Distribution for Python versions prior to IDP 2018 Update 2 allows unprivileged user to bypass URI sanitization via local vector.
771 CVE-2018-3646 2018-08-14 2020-08-24
4.7
None Local Medium Not required Complete None None
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
772 CVE-2018-3620 203 2018-08-14 2020-08-24
4.7
None Local Medium Not required Complete None None
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
773 CVE-2018-3615 203 2018-08-14 2020-08-24
5.4
None Local Medium Not required Complete Partial None
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.
774 CVE-2018-3110 2018-08-10 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was discovered in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
775 CVE-2018-3109 2018-08-02 2019-10-03
4.0
None Remote Low ??? Partial None None
Vulnerability in the Oracle Fusion Middleware MapViewer component of Oracle Fusion Middleware (subcomponent: Map Builder). Supported versions that are affected are 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Fusion Middleware MapViewer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Fusion Middleware MapViewer accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
776 CVE-2018-3108 2018-08-02 2019-10-03
3.5
None Remote Medium ??? Partial None None
Vulnerability in the Oracle Fusion Middleware component of Oracle Fusion Middleware (subcomponent: Oracle Notification Service). Supported versions that are affected are 12.2.1.2 and 12.2.1.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Fusion Middleware. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Fusion Middleware accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
777 CVE-2018-2933 2018-08-02 2019-10-03
4.9
None Remote Medium ??? Partial Partial None
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. Note: Please refer to MOS document
778 CVE-2018-2451 613 2018-08-14 2020-08-24
6.0
None Remote Medium ??? Partial Partial Partial
XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even after corresponding authorizations have been revoked meanwhile by an administrator user. Similarly, an attacker who managed to gain access to the platform user's session might misuse the session token even after the session has been closed.
779 CVE-2018-2450 89 Sql 2018-08-14 2018-10-11
6.5
None Remote Low ??? Partial Partial Partial
SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database.
780 CVE-2018-2449 287 2018-08-14 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.
781 CVE-2018-2448 2018-08-14 2020-08-24
5.0
None Remote Low Not required Partial None None
Under certain conditions SAP SRM-MDM (CATALOG versions 3.0, 7.01, 7.02) utilities functionality allows an attacker to access information of user existence which would otherwise be restricted.
782 CVE-2018-2447 89 Sql 2018-08-14 2018-10-11
4.0
None Remote Low ??? Partial None None
SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database.
783 CVE-2018-2446 2018-08-14 2020-09-29
5.0
None Remote Low Not required Partial None None
Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allow an unauthenticated user to read sensitive information (server name), hence leading to an information disclosure.
784 CVE-2018-2445 918 2018-08-14 2018-10-15
5.5
None Remote Low ??? Partial Partial None
AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability.
785 CVE-2018-2444 79 XSS 2018-08-14 2018-10-12
4.3
None Remote Medium Not required None Partial None
SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
786 CVE-2018-2442 352 2018-08-14 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid.
787 CVE-2018-2441 2018-08-14 2020-08-24
5.5
None Remote Low ??? Partial Partial None
Under certain conditions the SAP Change and Transport System (ABAP), SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53 and 7.73, allows an attacker to transport information which would otherwise be restricted.
788 CVE-2018-1755 200 +Info 2018-08-24 2019-10-09
4.3
None Remote Medium Not required Partial None None
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication.
789 CVE-2018-1722 Exec Code 2018-08-24 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
IBM Security Access Manager Appliance 9.0.4.0 and 9.0.5.0 could allow remote code execution when Advanced Access Control or Federation services are running. IBM X-Force ID: 147370.
790 CVE-2018-1715 79 XSS 2018-08-16 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147003.
791 CVE-2018-1712 352 2018-08-16 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery. An attacker, using specially crafted input parameters can trick the server into making potentially malicious calls within the trusted network. IBM X-Force ID: 146370.
792 CVE-2018-1705 200 +Info 2018-08-28 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 contain an information disclosure vulnerability that could allow an authenticated attacker to obtain highly sensitive information. IBM X-Force ID: 146340.
793 CVE-2018-1699 89 Sql 2018-08-24 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145968.
794 CVE-2018-1690 79 XSS 2018-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Rhapsody Model Manager 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145510.
795 CVE-2018-1656 22 Dir. Trav. 2018-08-20 2019-10-09
4.3
None Remote Medium Not required None Partial None
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882.
796 CVE-2018-1644 200 +Info 2018-08-27 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 9.0.0.0 - 9.0.0.4, 8.0.0.0 - 8.0.0.19, 8.0.1.0 - 8.0.1.13, 8.0.3.0 - 8.0.3.6, 8.0.4.0 - 8.0.4.14, and 7.0.0.0 Feature Pack 8 could allow an authenticated user to obtain sensitive information about another user.
797 CVE-2018-1599 20 2018-08-22 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 143744.
798 CVE-2018-1595 Exec Code 2018-08-01 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
IBM Spectrum Symphony and Platform Symphony 7.1.2 and 7.2.0.2 could allow an authenticated user to execute arbitrary commands due to improper handling of user supplied input. IBM X-Force ID: 143622.
799 CVE-2018-1554 79 XSS 2018-08-02 2019-10-09
3.5
None Remote Medium ??? None Partial None
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 142891.
800 CVE-2018-1551 732 2018-08-06 2019-10-09
6.0
None Remote Medium ??? Partial Partial Partial
IBM WebSphere MQ 8.0.0.2 through 8.0.0.8 and 9.0.0.0 through 9.0.0.3 could allow users to have more authority than they should have if an MQ administrator creates an invalid user group name. IBM X-Force ID: 142888.
Total number of vulnerabilities : 1019   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (This Page)17 18 19 20 21
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.