Total
12478 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-7233 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2024-11-21 | 9.8 Critical |
| A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'model_name' or 'mac_address'. | ||||
| CVE-2018-7232 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2024-11-21 | 9.8 Critical |
| A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'network.ieee8021x.delete_certs'. | ||||
| CVE-2018-7231 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2024-11-21 | 9.8 Critical |
| A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'system.opkg.remove'. | ||||
| CVE-2018-7208 | 2 Gnu, Redhat | 5 Binutils, Enterprise Linux, Enterprise Linux Desktop and 2 more | 2024-11-21 | N/A |
| In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object. | ||||
| CVE-2018-7187 | 2 Debian, Golang | 2 Debian Linux, Go | 2024-11-21 | 8.8 High |
| The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | ||||
| CVE-2018-7167 | 2 Nodejs, Redhat | 2 Node.js, Rhel Software Collections | 2024-11-21 | 7.5 High |
| Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable. | ||||
| CVE-2018-7162 | 1 Nodejs | 1 Node.js | 2024-11-21 | 7.5 High |
| All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. | ||||
| CVE-2018-7161 | 2 Nodejs, Redhat | 2 Node.js, Rhel Software Collections | 2024-11-21 | 7.5 High |
| All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. | ||||
| CVE-2018-7160 | 2 Nodejs, Redhat | 2 Node.js, Rhel Software Collections | 2024-11-21 | 8.8 High |
| The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access. | ||||
| CVE-2018-7159 | 2 Nodejs, Redhat | 3 Node.js, Enterprise Linux, Rhel Software Collections | 2024-11-21 | 5.3 Medium |
| The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete. | ||||
| CVE-2018-7081 | 1 Arubanetworks | 1 Arubaos | 2024-11-21 | 9.8 Critical |
| A remote code execution vulnerability is present in network-listening components in some versions of ArubaOS. An attacker with the ability to transmit specially-crafted IP traffic to a mobility controller could exploit this vulnerability and cause a process crash or to execute arbitrary code within the underlying operating system with full system privileges. Such an attack could lead to complete system compromise. The ability to transmit traffic to an IP interface on the mobility controller is required to carry out an attack. The attack leverages the PAPI protocol (UDP port 8211). If the mobility controller is only bridging L2 traffic to an uplink and does not have an IP address that is accessible to the attacker, it cannot be attacked. | ||||
| CVE-2018-7059 | 1 Hp | 1 Aruba Clearpass Policy Manager | 2024-11-21 | N/A |
| Aruba ClearPass prior to 6.6.9 has a vulnerability in the API that helps to coordinate cluster actions. An authenticated user with the "mon" permission could use this vulnerability to obtain cluster credentials which could allow privilege escalation. This vulnerability is only present when authenticated as a user with "mon" permission. | ||||
| CVE-2018-6924 | 1 Freebsd | 1 Freebsd | 2024-11-21 | N/A |
| In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p3, 11.1-RELEASE-p14, 10.4-STABLE, and 10.4-RELEASE-p12, insufficient validation in the ELF header parser could allow a malicious ELF binary to cause a kernel crash or disclose kernel memory. | ||||
| CVE-2018-6903 | 1 Hot Scripts Clone Project | 1 Hot Scripts Clone | 2024-11-21 | N/A |
| PHP Scripts Mall Hot Scripts Clone Script Classified v3.1 uses the client side to enforce validation of an e-mail address, which allows remote attackers to modify a registered e-mail address by removing the validation code. | ||||
| CVE-2018-6879 | 1 Website Seller Script Project | 1 Website Seller Script | 2024-11-21 | N/A |
| PHP Scripts Mall Website Seller Script 2.0.3 uses the client side to enforce validation of an e-mail address, which allows remote attackers to modify a registered e-mail address by removing the validation code. | ||||
| CVE-2018-6835 | 1 Etherpad | 1 Etherpad | 2024-11-21 | N/A |
| node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions. | ||||
| CVE-2018-6790 | 2 Kde, Redhat | 2 Plasma-workspace, Enterprise Linux | 2024-11-21 | N/A |
| An issue was discovered in KDE Plasma Workspace before 5.12.0. dataengines/notifications/notificationsengine.cpp allows remote attackers to discover client IP addresses via a URL in a notification, as demonstrated by the src attribute of an IMG element. | ||||
| CVE-2018-6788 | 1 Jiangmin | 1 Antivirus | 2024-11-21 | N/A |
| In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2208C0. | ||||
| CVE-2018-6787 | 1 Jiangmin | 1 Antivirus | 2024-11-21 | N/A |
| In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x221808. | ||||
| CVE-2018-6786 | 1 Jiangmin | 1 Antivirus | 2024-11-21 | N/A |
| In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220840. | ||||