Total
2234 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-14828 | 1 Advantech | 1 Webaccess | 2024-11-21 | N/A |
| Advantech WebAccess 8.3.1 and earlier has an improper privilege management vulnerability, which may allow an attacker to access those files and perform actions at a system administrator level. | ||||
| CVE-2018-14825 | 2 Google, Honeywell | 15 Android, Ck75, Cn51 and 12 more | 2024-11-21 | N/A |
| On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80 running Android OS 7.1, CT40 running Android OS 7.1, CK75 running Android OS 6.0, CN75 running Android OS 6.0, CN75e running Android OS 6.0, CT50 running Android OS 6.0, D75e running Android OS 6.0, CT50 running Android OS 4.4, D75e running Android OS 4.4, CN51 running Android OS 6.0, EDA50k running Android 4.4, EDA50 running Android OS 7.1, EDA50k running Android OS 7.1, EDA70 running Android OS 7.1, EDA60k running Android OS 7.1, and EDA51 running Android OS 8.1), a skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents. | ||||
| CVE-2018-14808 | 1 Emerson | 1 Ams Device Manager | 2024-11-21 | N/A |
| Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products. | ||||
| CVE-2018-14791 | 1 Emerson | 1 Deltav | 2024-11-21 | 7.8 High |
| Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products. | ||||
| CVE-2018-14787 | 1 Philips | 2 Intellispace Cardiovascular, Xcelera | 2024-11-21 | 7.8 High |
| In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 2.x or prior and Xcelera Version 4.1 or prior), an attacker with escalated privileges could access folders which contain executables where authenticated users have write permissions, and could then execute arbitrary code with local administrative permissions. | ||||
| CVE-2018-13802 | 1 Siemens | 2 Rox Ii, Rox Ii Firmware | 2024-11-21 | N/A |
| A vulnerability has been identified in ROX II (All versions < V2.12.1). An authenticated attacker with a high-privileged user account access via SSH could circumvent restrictions in place and execute arbitrary operating system commands. Successful exploitation requires that the attacker has network access to the SSH interface in on port 22/tcp. The attacker must be authenticated to exploit the vulnerability. The vulnerability could allow an attacker to execute arbitrary code on the device. | ||||
| CVE-2018-13801 | 1 Siemens | 2 Rox Ii, Rox Ii Firmware | 2024-11-21 | N/A |
| A vulnerability has been identified in ROX II (All versions < V2.12.1). An attacker with network access to port 22/tcp and valid low-privileged user credentials for the target device could perform a privilege escalation and gain root privileges. Successful exploitation requires user privileges of a low-privileged user but no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. | ||||
| CVE-2018-13799 | 1 Siemens | 1 Simatic Wincc Open Architecture | 2024-11-21 | N/A |
| A vulnerability has been identified in SIMATIC WinCC OA V3.14 and prior (All versions < V3.14-P021). Improper access control to a data point of the affected product could allow an unauthenticated remote user to escalate its privileges in the context of SIMATIC WinCC OA V3.14. This vulnerability could be exploited by an attacker with network access to port 5678/TCP of the SIMATIC WinCC OA V3.14 server. Successful exploitation requires no user privileges and no user interaction. This vulnerability could allow an attacker to compromise integrity and availability of the SIMATIC WinCC OA system. At the time of advisory publication no public exploitation of this vulnerability was known. | ||||
| CVE-2018-13405 | 6 Canonical, Debian, F5 and 3 more | 34 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 31 more | 2024-11-21 | 7.8 High |
| The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. | ||||
| CVE-2018-13400 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | N/A |
| Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | ||||
| CVE-2018-12884 | 1 Octopus | 1 Octopus Deploy | 2024-11-21 | N/A |
| In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu. | ||||
| CVE-2018-12596 | 1 Episerver | 1 Ektron Cms | 2024-11-21 | N/A |
| Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins). | ||||
| CVE-2018-12261 | 1 Apollotechnologiesinc | 2 Momentum Axel 720p, Momentum Axel 720p Firmware | 2024-11-21 | N/A |
| An issue was discovered on Momentum Axel 720P 5.1.8 devices. All processes run as root. | ||||
| CVE-2018-11965 | 1 Google | 1 Android | 2024-11-21 | N/A |
| In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Anyone can execute proptrigger.sh which will lead to change in properties. | ||||
| CVE-2018-11912 | 1 Google | 1 Android | 2024-11-21 | N/A |
| In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of daemons may lead to unprivileged access. | ||||
| CVE-2018-11911 | 1 Google | 1 Android | 2024-11-21 | N/A |
| In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of script may lead to unprivileged access. | ||||
| CVE-2018-11786 | 1 Apache | 1 Karaf | 2024-11-21 | N/A |
| In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user. | ||||
| CVE-2018-11767 | 1 Apache | 1 Hadoop | 2024-11-21 | N/A |
| In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. | ||||
| CVE-2018-11614 | 1 Samsung | 1 Samsung Members | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of Intents. The issue lies in the ability to send an Intent that would not otherwise be reachable. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the application. Was ZDI-CAN-5361. | ||||
| CVE-2018-11323 | 1 Joomla | 1 Joomla\! | 2024-11-21 | N/A |
| An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions. | ||||