CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In June 2018

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
401 CVE-2018-11808 20 2018-06-06 2018-08-07
10.0
None Remote Low Not required Complete Complete Complete
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
402 CVE-2018-11806 787 Overflow 2018-06-13 2021-08-04
7.2
None Local Low Not required Complete Complete Complete
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
403 CVE-2018-11743 824 DoS 2018-06-05 2018-07-20
7.5
None Remote Low Not required Partial Partial Partial
The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy calls for TT_ICLASS objects, which allows attackers to cause a denial of service (mrb_hash_keys uninitialized pointer and application crash) or possibly have unspecified other impact.
404 CVE-2018-11740 125 DoS 2018-06-05 2018-07-13
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function tsk_UTF16toUTF8 in tsk/base/tsk_unicode.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
405 CVE-2018-11739 125 DoS 2018-06-05 2018-07-13
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function raw_read in tsk/img/raw.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
406 CVE-2018-11738 125 DoS 2018-06-05 2018-07-13
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function ntfs_make_data_run in tsk/fs/ntfs.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
407 CVE-2018-11737 125 DoS 2018-06-05 2018-07-13
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function ntfs_fix_idxrec in tsk/fs/ntfs_dent.cpp which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
408 CVE-2018-11736 434 Exec Code 2018-06-05 2018-07-23
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.
409 CVE-2018-11735 79 XSS 2018-06-05 2018-07-23
4.3
None Remote Medium Not required None Partial None
index.php?action=createaccount in Ximdex 4.0 has XSS via the sname or fname parameter.
410 CVE-2018-11731 200 +Info 2018-06-19 2018-09-01
1.9
None Local Medium Not required Partial None None
** DISPUTED ** The libfsntfs_mft_entry_read_attributes function in libfsntfs_mft_entry.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.
411 CVE-2018-11730 415 DoS 2018-06-19 2018-09-01
1.9
None Local Medium Not required None None Partial
** DISPUTED ** The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.
412 CVE-2018-11729 200 +Info 2018-06-19 2018-09-01
1.9
None Local Medium Not required Partial None None
** DISPUTED ** The libfsntfs_mft_entry_read_header function in libfsntfs_mft_entry.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.
413 CVE-2018-11728 200 +Info 2018-06-19 2018-09-01
1.9
None Local Medium Not required Partial None None
** DISPUTED ** The libfsntfs_reparse_point_values_read_data function in libfsntfs_reparse_point_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.
414 CVE-2018-11727 200 +Info 2018-06-19 2018-09-01
1.9
None Local Medium Not required Partial None None
** DISPUTED ** The libfsntfs_attribute_read_from_mft function in libfsntfs_attribute.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.
415 CVE-2018-11726 787 DoS Overflow 2018-06-19 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.
416 CVE-2018-11725 125 2018-06-19 2018-08-08
4.3
None Remote Medium Not required Partial None None
The mobi_parse_index_entry function in index.c in Libmobi 0.3 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted mobi file.
417 CVE-2018-11724 125 DoS Overflow 2018-06-19 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.
418 CVE-2018-11723 125 2018-06-19 2018-09-01
1.9
None Local Medium Not required Partial None None
** DISPUTED ** The libpff_name_to_id_map_entry_read function in libpff_name_to_id_map.c in libyal libpff through 2018-04-28 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted pff file. NOTE: the vendor has disputed this as described in libyal/libpff issue 66 on GitHub.
419 CVE-2018-11722 89 Sql 2018-06-05 2018-07-23
7.5
None Remote Low Not required Partial Partial Partial
WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded.
420 CVE-2018-11715 79 XSS 2018-06-04 2018-07-18
3.5
None Remote Medium ??? None Partial None
The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject.
421 CVE-2018-11714 384 2018-06-04 2018-07-31
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action.
422 CVE-2018-11713 2018-06-04 2019-10-03
4.3
None Remote Medium Not required None Partial None
WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.
423 CVE-2018-11712 295 2018-06-04 2018-10-21
5.0
None Remote Low Not required Partial None None
WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ versions 2.20.0 and 2.20.1, failed to perform TLS certificate verification for WebSocket connections.
424 CVE-2018-11711 287 Bypass 2018-06-04 2018-08-01
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** A remote attacker can bypass the System Manager Mode on the Canon MF210 and MF220 web interface without knowing the PIN for /login.html via vectors involving /portal_top.html to get full access to the device. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps the default settings without using the countermeasures and best practices shown in the documentation.
425 CVE-2018-11710 787 DoS 2018-06-04 2018-07-16
6.8
None Remote Medium Not required Partial Partial Partial
soundlib/pattern.h in libopenmpt before 0.3.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted AMS file because of an invalid write near address 0 in an out-of-memory situation.
426 CVE-2018-11709 79 XSS 2018-06-04 2018-07-16
4.3
None Remote Medium Not required None Partial None
wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.
427 CVE-2018-11707 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Read and Execute AV at 0x0057898e, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
428 CVE-2018-11706 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578dd8, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
429 CVE-2018-11705 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cc4, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
430 CVE-2018-11704 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d7d, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
431 CVE-2018-11703 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d6a, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
432 CVE-2018-11702 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cb3, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
433 CVE-2018-11701 119 Overflow 2018-06-20 2018-07-02
6.8
None Remote Medium Not required Partial Partial Partial
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x005cb509, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
434 CVE-2018-11698 125 DoS 2018-06-04 2019-03-11
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
435 CVE-2018-11697 125 DoS 2018-06-04 2019-03-11
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
436 CVE-2018-11696 476 DoS 2018-06-04 2019-03-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
437 CVE-2018-11695 476 DoS 2018-06-04 2020-07-28
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
438 CVE-2018-11694 476 DoS 2018-06-04 2019-03-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
439 CVE-2018-11693 125 DoS 2018-06-04 2019-03-11
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
440 CVE-2018-11692 287 Bypass 2018-06-04 2018-07-20
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** An issue was discovered on Canon LBP6650, LBP3370, LBP3460, and LBP7750C devices. It is possible to bypass the Administrator Mode authentication for /tlogin.cgi via vectors involving frame.cgi?page=DevStatus. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps the default settings without using the countermeasures and best practices shown in the documentation.
441 CVE-2018-11690 79 XSS 2018-06-14 2019-03-14
4.3
None Remote Medium Not required None Partial None
The Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
442 CVE-2018-11689 79 XSS 2018-06-14 2022-01-04
4.3
None Remote Medium Not required None Partial None
Web Viewer for Hanwha DVR 2.17 and Smart Viewer in Samsung Web Viewer for Samsung DVR are vulnerable to XSS via the /cgi-bin/webviewer_login_page data3 parameter. (The same Web Viewer codebase was transitioned from Samsung to Hanwha.)
443 CVE-2018-11688 79 XSS 2018-06-13 2019-06-20
4.3
None Remote Medium Not required None Partial None
Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
444 CVE-2018-11685 787 Overflow 2018-06-04 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Liblouis 3.5.0 has a stack-based Buffer Overflow in the function compileHyphenation in compileTranslationTable.c.
445 CVE-2018-11684 787 Overflow 2018-06-04 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Liblouis 3.5.0 has a stack-based Buffer Overflow in the function includeFile in compileTranslationTable.c.
446 CVE-2018-11683 787 Overflow 2018-06-04 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c, a different vulnerability than CVE-2018-11440.
447 CVE-2018-11682 798 Exec Code 2018-06-02 2019-06-27
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.
448 CVE-2018-11681 798 Exec Code 2018-06-02 2019-06-27
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.
449 CVE-2018-11680 352 CSRF 2018-06-02 2018-07-09
4.3
None Remote Medium Not required None None Partial
An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate.
450 CVE-2018-11679 352 CSRF 2018-06-02 2018-07-09
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability that can add an article via /index.php?case=table&act=add&table=archive&admin_dir=admin.
Total number of vulnerabilities : 1788   Page : 1 2 3 4 5 6 7 8 9 (This Page)10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.