| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 1051 | CVE-2018-1664 | | | | 2018-09-25 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None |
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. IBM X-Force ID: 144890. |
| 1052 | CVE-2018-1660 | 79 | | XSS | 2018-09-27 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 144886. |
| 1053 | CVE-2018-1659 | 79 | | XSS | 2018-09-25 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 144885. |
| 1054 | CVE-2018-1610 | 79 | | XSS | 2018-09-26 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
IBM Rational DOORS Next Generation 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 143931. |
| 1055 | CVE-2018-1607 | 611 | | | 2018-09-25 | 2019-10-09 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143797. |
| 1056 | CVE-2018-1588 | 611 | | | 2018-09-25 | 2019-10-09 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143501. |
| 1057 | CVE-2018-1571 | | | Exec Code | 2018-09-11 | 2019-10-09 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 143121. |
| 1058 | CVE-2018-1567 | 502 | | Exec Code | 2018-09-07 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024. |
| 1059 | CVE-2018-1560 | 79 | | XSS | 2018-09-25 | 2019-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 142958. |
| 1060 | CVE-2018-1550 | 269 | | DoS | 2018-09-26 | 2019-10-09 | 2.1 | None | Local | Low | Not required | None | None | Partial |
IBM Spectrum Protect 7.1 and 8.1 could allow a local user to corrupt or delete highly sensitive information that would cause a denial of service to other users. IBM X-Force ID: 142696. |
| 1061 | CVE-2018-1545 | 326 | | | 2018-09-26 | 2021-11-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649. |
| 1062 | CVE-2018-1539 | 287 | | Bypass | 2018-09-25 | 2019-10-09 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561. |
| 1063 | CVE-2018-1353 | 200 | | +Info | 2018-09-05 | 2018-10-25 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a standard user with adom assignment to read the interface settings of vdoms unrelated to the assigned adom. |
| 1064 | CVE-2018-1330 | 20 | | DoS | 2018-09-13 | 2019-01-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. |
| 1065 | CVE-2018-1251 | 601 | | | 2018-09-28 | 2019-10-09 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain a URL Redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect Unity users to arbitrary web URLs by tricking the victim user into clicking on a maliciously crafted Unisphere URL. The attacker could potentially phish information, including Unisphere users' credentials, from the victim once they are redirected. |
| 1066 | CVE-2018-1250 | 863 | | Bypass | 2018-09-28 | 2019-10-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain an Authorization Bypass vulnerability. A remote authenticated user could potentially exploit this vulnerability to read files in NAS server by directly interacting with certain APIs of Unity OE, bypassing Role-Based Authorization control implemented only in Unisphere GUI. |
| 1067 | CVE-2018-1246 | 79 | | Exec Code XSS | 2018-09-28 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Dell EMC Unity and UnityVSA contain a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to Unisphere, which is then reflected back to the victim and executed by the web browser. |
| 1068 | CVE-2018-1223 | 532 | | | 2018-09-17 | 2020-03-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14.0, may leak UAA and vCenter credentials to application logs. A malicious user with the ability to read the application logs could use these credentials to escalate privileges. |
| 1069 | CVE-2018-1198 | 532 | | | 2018-09-17 | 2018-11-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser password in plain text during BOSH deployment logs. A malicious user with access to the logs could escalate their privileges using this password. |
| 1070 | CVE-2018-1150 | | | | 2018-09-19 | 2019-10-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
NUUO's NVRMini2 3.8.0 and below contains a backdoor that would allow an unauthenticated remote attacker to take over user accounts if the file /tmp/moses exists. |
| 1071 | CVE-2018-1149 | 119 | | Exec Code Overflow | 2018-09-19 | 2018-12-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete |
cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests. |
| 1072 | CVE-2018-1127 | 384 | | | 2018-09-11 | 2019-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user. |
| 1073 | CVE-2018-1114 | 400 | | | 2018-09-11 | 2019-10-09 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak. |
| 1074 | CVE-2018-0965 | 20 | | Exec Code | 2018-09-13 | 2018-11-05 | 7.7 | None | Local Network | Low | ??? | Complete | Complete | Complete |
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8439. |
| 1075 | CVE-2018-0718 | 77 | | | 2018-09-14 | 2019-10-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Command injection vulnerability in Music Station 5.1.2 and earlier versions in QNAP QTS 4.3.3 and 4.3.4 could allow remote attackers to run arbitrary commands in the compromised application. |
| 1076 | CVE-2018-0675 | 94 | | | 2018-09-04 | 2018-11-20 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
AttacheCase ver.3.3.0.0 and earlier allows an arbitrary script execution via unspecified vectors. |
| 1077 | CVE-2018-0674 | 94 | | | 2018-09-04 | 2018-11-20 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
AttacheCase ver.2.8.4.0 and earlier allows an arbitrary script execution via unspecified vectors. |
| 1078 | CVE-2018-0672 | 79 | | XSS | 2018-09-04 | 2018-10-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 1079 | CVE-2018-0664 | 20 | | | 2018-09-04 | 2018-11-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
A vulnerability in NoMachine App for Android 5.0.63 and earlier allows attackers to alter environment variables via unspecified vectors. |
| 1080 | CVE-2018-0663 | 798 | | Exec Code | 2018-09-07 | 2018-11-01 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow a remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector. |
| 1081 | CVE-2018-0662 | | | Exec Code | 2018-09-07 | 2019-10-03 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to add malicious files on the device and execute arbitrary code. |
| 1082 | CVE-2018-0661 | | | Bypass +Info | 2018-09-07 | 2019-10-03 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete |
Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) allow an attacker on the same network segment to bypass access restriction to add files on a specific directory that may result in executing arbitrary OS commands/code or information including credentials leakage or alteration. |
| 1083 | CVE-2018-0660 | 22 | | Dir. Trav. | 2018-09-07 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create arbitrary files via specially crafted ATC file. |
| 1084 | CVE-2018-0659 | 22 | | Dir. Trav. | 2018-09-07 | 2018-10-30 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create or overwrite existing files via specially crafted ATC file. |
| 1085 | CVE-2018-0658 | 20 | | Exec Code | 2018-09-07 | 2018-11-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors. |
| 1086 | CVE-2018-0657 | 79 | | XSS | 2018-09-07 | 2018-11-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allows an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors. |
| 1087 | CVE-2018-0656 | 426 | | +Priv | 2018-09-04 | 2018-11-06 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Untrusted search path vulnerability in the installer of Digital Paper App version 1.4.0.16050 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. |
| 1088 | CVE-2018-0655 | 79 | | XSS | 2018-09-07 | 2018-09-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page. |
| 1089 | CVE-2018-0654 | 79 | | XSS | 2018-09-07 | 2018-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page. |
| 1090 | CVE-2018-0653 | 79 | | XSS | 2018-09-07 | 2018-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view. |
| 1091 | CVE-2018-0652 | 79 | | XSS | 2018-09-07 | 2018-09-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page. |
| 1092 | CVE-2018-0650 | 295 | | +Info | 2018-09-07 | 2019-04-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
The LINE MUSIC for Android version 3.1.0 to versions prior to 3.6.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1093 | CVE-2018-0649 | 426 | | +Priv | 2018-09-07 | 2018-11-19 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete |
Untrusted search path vulnerability in the installers of multiple Canon IT Solutions Inc. software programs (ESET Smart Security Premium, ESET Internet Security, ESET Smart Security, ESET NOD32 Antivirus, DESlock+ Pro, and CompuSec (all programs except packaged ones)) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. |
| 1094 | CVE-2018-0648 | 426 | | +Priv | 2018-09-07 | 2018-11-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Untrusted search path vulnerability in installer of ChatWork Desktop App for Windows 2.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. |
| 1095 | CVE-2018-0647 | 352 | | CSRF | 2018-09-07 | 2018-10-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware version prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| 1096 | CVE-2018-0646 | 22 | | Dir. Trav. | 2018-09-04 | 2018-11-06 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Directory traversal vulnerability in Explzh v.7.58 and earlier allows an attacker to read arbitrary files via unspecified vectors. |
| 1097 | CVE-2018-0645 | 434 | | Exec Code | 2018-09-07 | 2018-12-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via unspecified vectors. |
| 1098 | CVE-2018-0644 | 119 | | Overflow | 2018-09-07 | 2018-11-16 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
Buffer overflow in Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-client2) 1:1.4.9+p41-u4jma1 and earlier, Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u4jma1 and earlier, and Ubuntu16.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u5jma1 and earlier allows authenticated attackers to cause denial-of-service (DoS) condition via unspecified vectors. |
| 1099 | CVE-2018-0643 | 78 | | Exec Code | 2018-09-07 | 2018-11-13 | 7.4 | None | Local Network | Medium | ??? | Complete | Complete | Complete |
Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-server) 1:1.4.9+p41-u4jma1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via unspecified vectors. |
| 1100 | CVE-2018-0642 | 79 | | XSS | 2018-09-07 | 2018-11-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |