Total
2384 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-18397 | 3 Canonical, Linux, Redhat | 12 Ubuntu Linux, Linux Kernel, Enterprise Linux and 9 more | 2024-11-21 | N/A |
| The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c. | ||||
| CVE-2018-17950 | 1 Microfocus | 1 Edirectory | 2024-11-21 | N/A |
| Incorrect enforcement of authorization checks in eDirectory prior to 9.1 SP2 | ||||
| CVE-2018-17857 | 1 Joomla | 1 Joomla\! | 2024-11-21 | N/A |
| An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation. | ||||
| CVE-2018-17195 | 1 Apache | 1 Nifi | 2024-11-21 | N/A |
| The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | ||||
| CVE-2018-16620 | 1 Sonatype | 1 Nexus Repository Manager | 2024-11-21 | N/A |
| Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control. | ||||
| CVE-2018-16597 | 4 Linux, Netapp, Opensuse and 1 more | 5 Linux Kernel, Active Iq Performance Analytics Services, Element Software and 2 more | 2024-11-21 | N/A |
| An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem. | ||||
| CVE-2018-15774 | 1 Dell | 3 Idrac7 Firmware, Idrac8 Firmware, Idrac9 Firmware | 2024-11-21 | N/A |
| Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access. | ||||
| CVE-2018-15767 | 1 Dell | 1 Openmanage Network Manager | 2024-11-21 | N/A |
| The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file. | ||||
| CVE-2018-15754 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2024-11-21 | N/A |
| Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider. | ||||
| CVE-2018-15693 | 1 Inova-software | 1 Inova Partner | 2024-11-21 | N/A |
| Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference. | ||||
| CVE-2018-15692 | 1 Inova-software | 1 Inova Partner | 2024-11-21 | N/A |
| Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions. | ||||
| CVE-2018-15640 | 1 Odoo | 1 Odoo | 2024-11-21 | 8.8 High |
| Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request. | ||||
| CVE-2018-15468 | 1 Xen | 1 Xen | 2024-11-21 | N/A |
| An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. | ||||
| CVE-2018-14748 | 1 Qnap | 1 Qts | 2024-11-21 | N/A |
| Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS. | ||||
| CVE-2018-14666 | 1 Redhat | 1 Satellite | 2024-11-21 | N/A |
| An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions. | ||||
| CVE-2018-13356 | 1 Terra-master | 1 Terramaster Operating System | 2024-11-21 | N/A |
| Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions. | ||||
| CVE-2018-13324 | 1 Buffalo | 2 Ts5600d1206, Ts5600d1206 Firmware | 2024-11-21 | N/A |
| Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header. | ||||
| CVE-2018-13109 | 1 Adbglobal | 8 Dv2210, Dv2210 Firmware, Prg Av4202n and 5 more | 2024-11-21 | N/A |
| All ADB broadband gateways / routers based on the Epicentro platform are affected by an authorization bypass vulnerability where attackers are able to access and manipulate settings within the web interface that are forbidden to end users (e.g., by the ISP). An attacker would be able to enable the TELNET server or other settings as well. | ||||
| CVE-2018-12391 | 2 Google, Mozilla | 4 Android, Firefox, Firefox Esr and 1 more | 2024-11-21 | N/A |
| During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. | ||||
| CVE-2018-12369 | 2 Canonical, Mozilla | 3 Ubuntu Linux, Firefox, Firefox Esr | 2024-11-21 | N/A |
| WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions. This vulnerability affects Firefox ESR < 60.1 and Firefox < 61. | ||||