Vulnerabilities (CVE)

CWE filter: CWE-254

744 total CVE
CVE | Vendors (count: names) | Products (count: names) | Updated | CVSS
CVE-2018-1150 | 1: Nuuo | 1: Nvrmini2 Firmware | 2018-12-07 | 7.5
NUUO's NVRMini2 3.8.0 and below contains a backdoor that would allow an unauthenticated remote attacker to take over user accounts if the file /tmp/moses exists.
CVE-2018-17175 | 1: Marshmallow Project | 1: Marshmallow | 2018-12-07 | 5.0
In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if...
CVE-2018-12381 | 1: Mozilla | 2: Firefox, Firefox Esr | 2018-12-06 | 5.0
Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL. *Note: this issue only affects Windows operating systems with Outlook...
CVE-2018-12368 | 1: Mozilla | 3: Firefox, Firefox Esr, Thunderbird | 2018-12-06 | 9.3
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this...
CVE-2018-16958 | 1: Oracle | 1: Webcenter Interaction | 2018-12-06 | 5.8
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot...
CVE-2018-15590 | | | 2018-12-06 | 2.1
An issue was discovered in Ivanti Workspace Control before 10.3.0.0 and RES One Workspace, when file and folder security are configured. A local authenticated user can bypass file and folder security restrictions by leveraging an unspecified attack vector.
CVE-2018-18284 | 3: Artifex, Canonical, Debian | 3: Ghostscript, Ubuntu Linux, Debian Linux | 2018-12-06 | 7.5
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator.
CVE-2018-8530 | 1: Microsoft | 1: Edge | 2018-12-06 | 4.3
A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8512.
CVE-2018-8039 | 2: Apache, Redhat | 2: Cxf, Jboss Enterprise Application Platform | 2018-12-05 | 6.8
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try...
CVE-2018-8014 | 2: Apache, Canonical | 2: Tomcat, Ubuntu Linux | 2018-12-05 | 7.5
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS...
CVE-2017-15377 | 1: Openinfosecfoundation | 1: Suricata | 2018-12-05 | 5.0
In Suricata before 4.x, it was possible to trigger lots of redundant checks on the content of crafted network traffic with a certain signature, because of DetectEngineContentInspection in detect-engine-content-inspection.c. The search engine...
CVE-2018-17925 | | | 2018-12-04 | 4.4
Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft...
CVE-2018-15316 | 1: F5 | 2: Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2018-12-04 | 2.1
In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permissions, bypassing the endpoint checks.
CVE-2018-18377 | 1: Orange | 1: Airbox Firmware | 2018-12-04 | 5.0
goform/setReset on Orange AirBox Y858_FL_01.16_04 devices allows attackers to reset a router to factory settings, which can be used to log in using the default admin:admin credentials.
CVE-2018-17137 | 1: Prezi | 1: Next | 2018-12-04 | 7.5
Prezi Next 1.3.101.11 has a documented purpose of creating HTML5 presentations but has SE_DEBUG_PRIVILEGE on Windows, which might allow attackers to bypass intended access restrictions.
CVE-2016-2118 | 2: Samba, Canonical | 2: Ubuntu Linux, Samba | 2018-11-30 | 6.8
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and...
CVE-2015-1793 | 2: Openssl, Oracle | 4: Jd Edwards Enterpriseone Tools, Opus 10g Ethernet Switch Family, Supply Chain Products Suite and 1 more | 2018-11-30 | 6.4
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote...
CVE-2018-16983 | | | 2018-11-30 | 7.5
NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and other products, allows attackers to bypass script blocking via the text/html;/json Content-Type value.
CVE-2018-7939 | | | 2018-11-30 | 4.9
Huawei smart phones G9 Lite, Honor 5A, Honor 6X, Honor 8 with the versions before VNS-L53C605B120CUSTC605D103, the versions before CAM-L03C605B143CUSTC605D008, the versions before CAM-L21C10B145, the versions before CAM-L21C185B156, the versions...
CVE-2018-8492 | 1: Microsoft | 3: Windows 10, Windows Server 2016, Windows Server 2019 | 2018-11-30 | 4.6
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects...