Total
8110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-12990 | 1 Phpwcms | 1 Phpwcms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpwcms 1.8.9 allows remote attackers to discover the installation path via an invalid csrf_token_value field. | |||||
| CVE-2018-12927 | 1 Northernnep | 2 Northern Electric \& Power Inverter, Northern Electric \& Power Inverter Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Northern Electric & Power (NEP) inverter devices allow remote attackers to obtain potentially sensitive information via a direct request for the nep/status/index/1 URI. | |||||
| CVE-2018-12926 | 1 Pharoscontrols | 2 Pharos, Pharos Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Pharos Controls devices allow remote attackers to obtain potentially sensitive information via a direct request for the default/index.lsp or default/log.lsp URI. | |||||
| CVE-2018-12923 | 1 Bwssystems | 1 Ha Bridge | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| BWS Systems HA-Bridge devices allow remote attackers to obtain potentially sensitive information via a direct request for the #!/system URI. | |||||
| CVE-2018-12921 | 1 Electroind | 2 Gaugetech Nexus, Gaugetech Nexus Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Electro Industries GaugeTech Nexus devices allow remote attackers to obtain potentially sensitive information via a direct request for the meter_information.htm, diag_system.htm, or diag_dnp_lan_wan.htm URI. | |||||
| CVE-2018-12920 | 1 Flir | 2 Brickstream 2300, Brickstream 2300 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Brickstream 2300 devices allow remote attackers to obtain potentially sensitive information via a direct request for the basic.html#ipsettings or basic.html#datadelivery URI. | |||||
| CVE-2018-12908 | 1 Brynamics | 1 Brynamics | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for the /dashboard/deposit URI, as demonstrated by discovering database credentials. | |||||
| CVE-2018-12907 | 1 Rclone | 1 Rclone | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. | |||||
| CVE-2018-12892 | 2 Debian, Xen | 2 Debian Linux, Xen | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images. Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected). Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected; they are always read only. Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line. | |||||
| CVE-2018-12735 | 1 Saj-electric | 1 Saj Solar Inverter | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAJ Solar Inverter allows remote attackers to obtain potentially sensitive information via a direct request for the inverter_info.htm or english_main.htm URI. | |||||
| CVE-2018-12716 | 1 Google | 4 Chromecast, Chromecast Firmware, Home and 1 more | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request. | |||||
| CVE-2018-12684 | 1 Civetweb Project | 1 Civetweb | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH |
| Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file. | |||||
| CVE-2018-12673 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including camera hardware, wireless network, and local area network information. | |||||
| CVE-2018-12671 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including all password sets set within the camera. This information can then be used to gain access to the web interface. | |||||
| CVE-2018-12634 | 1 Circontrol | 1 Circarlife Scada | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. | |||||
| CVE-2018-12632 | 1 Redatam | 1 Redatam | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Redatam7 (formerly Redatam WebServer) allows remote attackers to discover the installation path via an invalid LFN parameter to the /redbin/rpwebutilities.exe/text URI. | |||||
| CVE-2018-12610 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| OX App Suite 7.8.4 and earlier allows Information Exposure. | |||||
| CVE-2018-12594 | 1 Reliablecontrols | 2 Mach-prowebcom, Mach-prowebcom Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Reliable Controls MACH-ProWebCom 7.80 devices allow remote attackers to obtain sensitive information via a direct request for the data/fileinfo.xml or job/job.json file, as demonstrated the Master Password field. | |||||
| CVE-2018-12592 | 1 Polycom | 1 Realpresence Web Suite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Polycom RealPresence Web Suite before 2.2.0 does not block a user's video for a few seconds upon joining a meeting (when the user has explicitly chosen to turn off the video using a specific option). During those seconds, a meeting invitee may unknowingly be on camera with other participants able to view. | |||||
| CVE-2018-12557 | 1 Zuul-ci | 1 Zuul | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets. | |||||