Total
12594 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11873 | 1 Qualcomm | 2 Sd845, Sd845 Firmware | 2024-11-21 | N/A |
| Improper input validation leads to buffer overwrite in the WLAN function that handles WLAN roam buffer in Snapdragon Mobile in version SD 845. | ||||
| CVE-2018-11872 | 1 Qualcomm | 6 Sd 845, Sd 845 Firmware, Sd 850 and 3 more | 2024-11-21 | N/A |
| Improper input validation leads to buffer overwrite in the WLAN function that handles WMI commands in Snapdragon Mobile in version SD 845, SD 850, SDA660 | ||||
| CVE-2018-11864 | 1 Qualcomm | 84 Ipq8074, Ipq8074 Firmware, Mdm9150 and 81 more | 2024-11-21 | N/A |
| Bytes can be written to fuses from Secure region which can be read later by HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. | ||||
| CVE-2018-11847 | 1 Qualcomm | 66 Ipq8074, Ipq8074 Firmware, Mdm9206 and 63 more | 2024-11-21 | N/A |
| Malicious TA can tag QSEE kernel memory and map to EL0, there by corrupting the physical memory as well it can be used to corrupt the QSEE kernel and compromise the whole TEE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables and Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439 and Snapdragon_High_Med_2016 | ||||
| CVE-2018-11830 | 1 Qualcomm | 16 Mdm9206, Mdm9206 Firmware, Mdm9607 and 13 more | 2024-11-21 | N/A |
| Improper input validation in QCPE create function may lead to integer overflow in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, SD 410/12, SD 820A | ||||
| CVE-2018-11808 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
| Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server. | ||||
| CVE-2018-11799 | 1 Apache | 1 Oozie | 2024-11-21 | N/A |
| Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user's name. | ||||
| CVE-2018-11782 | 2 Apache, Redhat | 2 Subversion, Enterprise Linux | 2024-11-21 | 6.5 Medium |
| In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server. | ||||
| CVE-2018-11773 | 1 Apache | 1 Virtual Computing Lab | 2024-11-21 | N/A |
| Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the php built in function strtotime. This allows for an attack against the underlying implementation of that function. The implementation of strtotime at the time the issue was discovered appeared to be resistant to a malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech. | ||||
| CVE-2018-11763 | 5 Apache, Canonical, Netapp and 2 more | 11 Http Server, Ubuntu Linux, Storage Automation Store and 8 more | 2024-11-21 | N/A |
| In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. | ||||
| CVE-2018-11762 | 1 Apache | 1 Tika | 2024-11-21 | N/A |
| In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file. | ||||
| CVE-2018-11750 | 1 Puppet | 1 Cisco Ios Module | 2024-11-21 | N/A |
| Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. As of the 0.4.0 release of cisco_ios, host key checking is enabled by default. | ||||
| CVE-2018-11686 | 1 Flowpaper | 1 Flexpaper | 2024-11-21 | N/A |
| The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php. | ||||
| CVE-2018-11678 | 1 Monstra | 1 Monstra Cms | 2024-11-21 | N/A |
| plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie. | ||||
| CVE-2018-11615 | 1 Mosca Project | 1 Mosca | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash. An attacker can leverage this vulnerability to deny access to the target system. Was ZDI-CAN-6306. | ||||
| CVE-2018-11574 | 2 Canonical, Point-to-point Protocol Project | 2 Ubuntu Linux, Point-to-point Protocol | 2024-11-21 | 9.8 Critical |
| Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected. | ||||
| CVE-2018-11548 | 1 Block | 1 Eos | 2024-11-21 | N/A |
| An issue was discovered in EOS.IO DAWN 4.2. plugins/net_plugin/net_plugin.cpp does not limit the number of P2P connections from the same source IP address. | ||||
| CVE-2018-11537 | 1 Auth0 | 1 Angular-jwt | 2024-11-21 | N/A |
| Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain. | ||||
| CVE-2018-11518 | 1 Hcltech | 2 Legacy Ivr, Legacy Ivr Firmware | 2024-11-21 | N/A |
| A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece). | ||||
| CVE-2018-11481 | 1 Tp-link | 8 Ipc Tl-ipc223\(p\)-6, Ipc Tl-ipc223\(p\)-6 Firmware, Tl-ipc323k-d and 5 more | 2024-11-21 | N/A |
| TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters. | ||||