CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
901 CVE-2017-13106 798 2018-08-15 2019-10-09
5.0
None Remote Low Not required Partial None None
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
902 CVE-2017-13105 295 2018-08-15 2019-10-09
4.3
None Remote Medium Not required Partial None None
Hi Security Virus Cleaner - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android application accepts all SSL certificates during SSL communication. This opens the application up to a man-in-the-middle attack having all of its encrypted traffic intercepted and read by an attacker.
903 CVE-2017-13104 798 2018-08-15 2019-10-09
5.0
None Remote Low Not required Partial None None
Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
904 CVE-2017-13103 2018-08-15 2018-08-15
0.0
None ??? ??? ??? ??? ??? ???
Pinterest, 6.37, 2017-10-24, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
905 CVE-2017-13102 798 2018-08-15 2019-10-09
5.0
None Remote Low Not required Partial None None
Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
906 CVE-2017-13101 798 2018-08-15 2019-10-09
5.0
None Remote Low Not required Partial None None
Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
907 CVE-2017-13100 798 2018-08-15 2019-10-09
5.0
None Remote Low Not required Partial None None
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
908 CVE-2017-12614 79 XSS 2018-08-06 2018-10-04
4.3
None Remote Medium Not required None Partial None
It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.
909 CVE-2017-12577 798 Exec Code 2018-08-24 2018-11-05
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password ("admin:password") is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission.
910 CVE-2017-12576 668 Exec Code 2018-08-24 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undocumented management page allows an attacker to execute arbitrary code on the device when the user is authenticated. The management page was used for debugging purposes, once you login and access the page directly (/admin/system_command.asp), you can execute any command.
911 CVE-2017-12575 306 2018-08-24 2021-01-26
5.0
None Remote Low Not required Partial None None
An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router has a set of web service APIs for access to and setup of the configuration. Some APIs don't require authentication. An attacker could exploit this vulnerability by sending a crafted HTTP request to retrieve DHCP clients, firmware version, and network status (ex.: curl -X http://[IP]/aterm_httpif.cgi/negotiate -d "REQ_ID=SUPPORT_IF_GET").
912 CVE-2017-12574 798 2018-08-24 2018-11-21
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on PLANEX CS-W50HD devices with firmware before 030720. A hardcoded credential "supervisor:dangerous" was injected into web authentication database "/.htpasswd" during booting process, which allows attackers to gain unauthorized access and control the device completely; the account can't be modified or deleted.
913 CVE-2017-12573 Exec Code 2018-08-24 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered on PLANEX CS-W50HD devices with firmware before 030720. The device has a command-injection vulnerability in the web management UI on NAS settings page "/cgi-bin/nasset.cgi". An attacker can send a crafted HTTP POST request to execute arbitrary code. Authentication is required before executing the attack.
914 CVE-2017-11564 787 Exec Code 2018-08-24 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
The D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has multiple command injection vulnerabilities in the web service framework. An attacker can forge malicious HTTP requests to execute commands; authentication is required before executing the attack.
915 CVE-2017-11563 119 Exec Code Overflow 2018-08-24 2018-11-02
10.0
None Remote Low Not required Complete Complete Complete
D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has a remote code execution vulnerability. A UDP "Discover" service, which provides multiple functions such as changing the passwords and getting basic information, was installed on the device. A remote attacker can send a crafted UDP request to finderd to perform stack overflow and execute arbitrary code with root privilege on the device.
916 CVE-2017-9821 798 Bypass 2018-08-24 2018-11-01
7.5
None Remote Low Not required Partial Partial Partial
The National Payments Corporation of India BHIM application 1.3 for Android relies on three hardcoded strings (AK-NPCIMB, IM-NPCIBM, and VK-NPCIBM) for SMS validation, which makes it easier for attackers to bypass authentication.
917 CVE-2017-9820 287 Bypass 2018-08-24 2018-11-01
7.5
None Remote Low Not required Partial Partial Partial
The National Payments Corporation of India BHIM application 1.3 for Android uses a custom keypad for which the input element is available to the Accessibility service, which makes it easier for attackers to bypass authentication.
918 CVE-2017-9819 287 Bypass 2018-08-24 2018-11-01
7.5
None Remote Low Not required Partial Partial Partial
The National Payments Corporation of India BHIM application 1.3 for Android does not properly restrict use of the OTP feature, which makes it easier for attackers to bypass authentication.
919 CVE-2017-9818 521 2018-08-24 2019-10-03
5.0
None Remote Low Not required Partial None None
The National Payments Corporation of India BHIM application 1.3 for Android relies on a four-digit passcode, which makes it easier for attackers to obtain access.
920 CVE-2017-9120 190 DoS Overflow 2018-08-02 2019-08-19
7.5
None Remote Low Not required Partial Partial Partial
PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.
921 CVE-2017-9118 125 2018-08-02 2019-08-19
5.0
None Remote Low Not required None None Partial
PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.
922 CVE-2017-9003 119 Exec Code Overflow Mem. Corr. 2018-08-06 2018-10-18
7.8
None Remote Low Not required None None Complete
Multiple memory corruption flaws are present in ArubaOS which could allow an unauthenticated user to crash ArubaOS processes. With sufficient time and effort, it is possible these vulnerabilities could lead to the ability to execute arbitrary code - remote code execution has not yet been confirmed.
923 CVE-2017-9002 79 XSS +Info 2018-08-06 2018-10-18
4.3
None Remote Medium Not required None Partial None
All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross-site scripting vulnerabilities. By exploiting this vulnerability, an attacker who can trick a logged-in ClearPass administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into ClearPass in the same browser.
924 CVE-2017-9001 Exec Code 2018-08-06 2019-10-03
9.3
None Remote Medium Not required Complete Complete Complete
Aruba ClearPass 6.6.3 and later includes a feature called "SSH Lockout", which causes ClearPass to lock accounts with too many login failures through SSH. When this feature is enabled, an unauthenticated remote command execution vulnerability is present which could allow an unauthenticated user to execute arbitrary commands on the underlying operating system with "root" privilege level. This vulnerability is only present when a specific feature has been enabled. The SSH Lockout feature is not enabled by default, so only systems which have enabled this feature are vulnerable.
925 CVE-2017-9000 200 +Info 2018-08-06 2018-10-18
5.0
None Remote Low Not required Partial None None
ArubaOS, all versions prior to 6.3.1.25, 6.4 prior to 6.4.4.16, 6.5.x prior to 6.5.1.9, 6.5.2, 6.5.3 prior to 6.5.3.3, 6.5.4 prior to 6.5.4.2, 8.x prior to 8.1.0.4 FIPS and non-FIPS versions of software are both affected equally is vulnerable to unauthenticated arbitrary file access. An unauthenticated user with network access to an Aruba mobility controller on TCP port 8080 or 8081 may be able to access arbitrary files stored on the mobility controller. Ports 8080 and 8081 are used for captive portal functionality and are listening, by default, on all IP interfaces of the mobility controller, including captive portal interfaces. The attacker could access files which could contain passwords, keys, and other sensitive information that could lead to full system compromise.
926 CVE-2017-8992 2018-08-06 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
HPE has identified a remote privilege escalation vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
927 CVE-2017-8991 79 XSS 2018-08-06 2018-10-05
3.5
None Remote Medium ??? None Partial None
HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
928 CVE-2017-8990 Exec Code 2018-08-06 2018-10-05
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) Wireless Service Manager (WSM) Software earlier than version WSM 7.3 (E0506). This issue was resolved in HPE IMC Wireless Services Manager Software IMC WSM 7.3 E0506P01 or subsequent version.
929 CVE-2017-8989 601 2018-08-06 2018-10-17
6.4
None Remote Low Not required Partial Partial None
A security vulnerability in HPE IceWall SSO Dfw 10.0 and 11.0 on RHEL, HP-UX, and Windows could be exploited remotely to allow URL Redirection.
930 CVE-2017-8988 Bypass 2018-08-06 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
A Remote Bypass of Security Restrictions vulnerability was identified in HPE XP Command View Advanced Edition Software Earlier than 8.5.3-00. The vulnerability impacts DevMgr Earlier than 8.5.3-00 (for Windows, Linux), RepMgr earlier than 8.5.3-00 (for Windows, Linux) and HDLM earlier than 8.5.3-00 (for Windows, Linux, Solaris, AIX).
931 CVE-2017-8987 DoS 2018-08-06 2019-10-03
7.8
None Remote Low Not required None None Complete
A Unauthenticated Remote Denial of Service vulnerability was identified in HPE Integrated Lights-Out 3 (iLO 3) version v1.88 only. The vulnerability is resolved in iLO3 v1.89 or subsequent versions.
932 CVE-2017-8968 Exec Code 2018-08-06 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
A remote execution of arbitrary code vulnerability has been identified in HPE RESTful Interface Tool 1.5, 2.0 (hprest-1.5-79.x86_64.rpm, ilorest-2.0-403.x86_64.rpm). The issue is resolved in iLOREST v2.1 or subsequent versions.
933 CVE-2017-8316 611 2018-08-03 2018-10-23
7.8
None Remote Low Not required Complete None None
IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.
934 CVE-2017-7528 93 2018-08-22 2019-10-09
3.3
None Local Network Low Not required None Partial None
Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).
935 CVE-2017-7513 295 2018-08-22 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
It was found that Satellite 5 configured with SSL/TLS for the PostgreSQL backend failed to correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a PostgreSQL server using a specially crafted X.509 certificate.
936 CVE-2017-7500 59 +Priv 2018-08-13 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
937 CVE-2017-6920 19 Exec Code 2018-08-06 2018-10-04
7.5
None Remote Low Not required Partial Partial Partial
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
938 CVE-2017-6215 79 Exec Code XSS 2018-08-02 2018-09-27
3.5
None Remote Medium ??? None Partial None
paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution.
939 CVE-2017-6213 79 Exec Code XSS 2018-08-02 2018-09-27
3.5
None Remote Medium ??? None Partial None
paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permissions.php via the permToken parameter, resulting in code execution.
940 CVE-2017-5692 125 DoS 2018-08-01 2018-10-11
2.1
None Local Low Not required None None Partial
Out-of-bounds read condition in older versions of some Intel Graphics Driver for Windows code branches allows local users to perform a denial of service attack.
941 CVE-2017-2662 269 2018-08-22 2019-10-09
4.0
None Remote Low ??? Partial None None
A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
942 CVE-2017-2654 200 +Info 2018-08-06 2019-10-09
5.0
None Remote Low Not required Partial None None
jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
943 CVE-2017-2635 476 DoS 2018-08-22 2019-10-09
4.0
None Remote Low ??? None None Partial
A NULL pointer deference flaw was found in the way libvirt from 2.5.0 to 3.0.0 handled empty drives. A remote authenticated attacker could use this flaw to crash libvirtd daemon resulting in denial of service.
944 CVE-2017-2627 22 Dir. Trav. 2018-08-22 2021-08-04
7.2
None Local Low Not required Complete Complete Complete
A flaw was found in openstack-tripleo-common as shipped with Red Hat Openstack Enterprise 10 and 11. The sudoers file as installed with OSP's openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with '..' and it grants full passwordless root access to the validations user.
945 CVE-2017-2575 476 2018-08-22 2019-10-09
4.3
None Remote Medium Not required None None Partial
A vulnerability was found while fuzzing libbpg 0.9.7. It is a NULL pointer dereference issue due to missing check of the return value of function malloc in the BPG encoder. This vulnerability appeared while converting a malicious JPEG file to BPG.
946 CVE-2017-1755 Exec Code 2018-08-06 2019-10-09
4.6
None Local Low Not required Partial Partial Partial
IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 could allow a local attacker to inject commands into malicious files that could be executed by the administrator. IBM X-Force ID: 135855.
947 CVE-2017-1753 94 Exec Code 2018-08-20 2019-10-09
3.5
None Remote Medium ??? None Partial None
Multiple IBM Rational products are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 135655.
948 CVE-2017-1749 22 Dir. Trav. 2018-08-13 2019-10-09
5.0
None Remote Low Not required None Partial None
IBM UrbanCode Deploy 6.1 through 6.9.6.0 could allow a remote attacker to traverse directories on the system. An unauthenticated attacker could alter UCD deployments. IBM X-Force ID: 135522.
949 CVE-2017-1732 200 +Info 2018-08-17 2019-10-09
5.0
None Remote Low Not required Partial None None
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 134913.
950 CVE-2017-1412 200 +Info 2018-08-06 2019-10-09
4.0
None Remote Low ??? Partial None None
IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 127400.
Total number of vulnerabilities : 1019   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 (This Page)20 21
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.