The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2018-1002008 | There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4 via the GET request offset variable. | LOW | Dec 4, 2018 |
CVE-2018-1002009 | There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3 via a GET request to the email variable. | LOW | Dec 4, 2018 |
CVE-2018-11347 | The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject one or several HTTP headers into the response from the server. It requires user interaction: the attacker must send the user the malicious link. It could be used to perform other attacks such as user redirection to a malicious website, HTTP response splitting, or HTTP cache poisoning. | MEDIUM | Dec 4, 2018 |
CVE-2018-11348 | Two XSS vulnerabilities are located in the profile editing page of the user panel of the YunoHost 2.7.2 through 2.7.14 web application. By injecting a JavaScript payload, these flaws could be used to manipulate a user's session. | LOW | Dec 4, 2018 |
CVE-2018-12305 | Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript. | MEDIUM | Dec 4, 2018 |
CVE-2018-12306 | Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the file1 URL parameter, a similar issue to CVE-2018-11344. | MEDIUM | Dec 4, 2018 |
CVE-2018-12307 | OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the name POST parameter. | HIGH | Dec 4, 2018 |
CVE-2018-12308 | Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the encrypt_key URL parameter. | MEDIUM | Dec 4, 2018 |
CVE-2018-12309 | Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to upload files to arbitrary locations by modifying the path URL parameter. NOTE: the filename POST parameter is covered by CVE-2018-11345. | MEDIUM | Dec 4, 2018 |
CVE-2018-12310 | Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature. | LOW | Dec 4, 2018 |
CVE-2018-12311 | Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename. | LOW | Dec 4, 2018 |
CVE-2018-12312 | OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the secret_key URL parameter. | HIGH | Dec 4, 2018 |
CVE-2018-12313 | OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the rocommunity URL parameter. | HIGH | Dec 4, 2018 |
CVE-2018-12314 | Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the file and folder URL parameters. | HIGH | Dec 4, 2018 |
CVE-2018-12315 | Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password. | MEDIUM | Dec 4, 2018 |
CVE-2018-12316 | OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter. | HIGH | Dec 4, 2018 |
CVE-2018-12317 | OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the name POST parameter. | HIGH | Dec 4, 2018 |
CVE-2018-12318 | Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext. | MEDIUM | Dec 4, 2018 |
CVE-2018-12319 | Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from signing in by placing malformed text in the title. | MEDIUM | Dec 4, 2018 |
CVE-2018-15980 | Adobe Photoshop CC versions 19.1.6 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. | MEDIUM | Dec 4, 2018 |
CVE-2018-16478 | A Path Traversal in simplehttpserver versions <=0.2.1 allows an attacker to list any file in another folder of web root. | MEDIUM | Dec 4, 2018 |
CVE-2018-16628 | panel/login in Kirby v2.5.12 allows XSS via a blog name. | LOW | Dec 4, 2018 |
CVE-2018-16629 | panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. | MEDIUM | Dec 4, 2018 |
CVE-2018-16631 | Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SITE TITLE parameter. | LOW | Dec 4, 2018 |
CVE-2018-16633 | Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title. | LOW | Dec 4, 2018 |
CVE-2018-16634 | Pluck v4.7.7 allows CSRF via admin.php?action=settings. | MEDIUM | Dec 4, 2018 |
CVE-2018-17939 | An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the merge request JSON endpoint. | MEDIUM | Dec 4, 2018 |
CVE-2018-17975 | An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API. | MEDIUM | Dec 4, 2018 |
CVE-2018-17976 | An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions. | MEDIUM | Dec 4, 2018 |
CVE-2018-18640 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching. | MEDIUM | Dec 4, 2018 |
CVE-2018-18641 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Cleartext Storage of Sensitive Information. | MEDIUM | Dec 4, 2018 |
CVE-2018-18642 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS. | MEDIUM | Dec 4, 2018 |
CVE-2018-18644 | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows Information Exposure via a GitLab Prometheus integration. | MEDIUM | Dec 4, 2018 |
CVE-2018-18645 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for Information Exposure via unsubscribe links in email replies. | MEDIUM | Dec 4, 2018 |
CVE-2018-18646 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows SSRF. | MEDIUM | Dec 4, 2018 |
CVE-2018-18647 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Missing Authorization. | MEDIUM | Dec 4, 2018 |
CVE-2018-18648 | An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through an Error Message. | MEDIUM | Dec 4, 2018 |
CVE-2018-18843 | The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF. | HIGH | Dec 4, 2018 |
CVE-2018-1897 | IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 db2pdcfg is vulnerable to a stack-based buffer overflow, caused by improper bounds checking, which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462. | MEDIUM | Dec 4, 2018 |
CVE-2018-19837 | In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp. | MEDIUM | Dec 4, 2018 |
CVE-2018-19838 | In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). | MEDIUM | Dec 4, 2018 |
CVE-2018-19839 | In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file. | MEDIUM | Dec 4, 2018 |
CVE-2018-19842 | getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (stack-based buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2. | MEDIUM | Dec 4, 2018 |
CVE-2018-19843 | opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2. | MEDIUM | Dec 4, 2018 |
CVE-2018-19849 | An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter. | LOW | Dec 4, 2018 |
CVE-2018-19853 | An issue was discovered in hitshop through 2014-07-15. There is an elevation-of-privilege vulnerability (that allows control over the whole web site) via the admin.php/user/add URI because a storekeeper account (which is supposed to have only privileges for commodity management) can add an administrator account. | MEDIUM | Dec 4, 2018 |
CVE-2018-5496 | Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user. | LOW | Dec 4, 2018 |
CVE-2018-7112 | The HPE-provided Windows firmware installer for certain Gen9, Gen8, G7, and G6 HPE servers allows local disclosure of privileged information. This issue was resolved in previously provided firmware updates as follows. The HPE Windows firmware installer was updated in the system ROM updates which also addressed the original Spectre/Meltdown set of vulnerabilities. At that time, the Windows firmware installer was also updated in the versions of HPE Integrated Lights-Out 2, 3, and 4 (iLO 2, 3, and 4) listed in the security bulletin. The updated HPE Windows firmware installer was released in the system ROM and HPE Integrated Lights-Out (iLO) releases documented in earlier HPE Security Bulletins: HPESBHF03805, HPESBHF03835, HPESBHF03831. Windows-based systems that have already been updated to the system ROM or iLO versions described in these security bulletins require no further action. | MEDIUM | Dec 4, 2018 |
CVE-2018-7113 | A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates. | HIGH | Dec 4, 2018 |
CVE-2018-7956 | Huawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that allows attackers to brute-force the VIP App Web Services to get user information. | MEDIUM | Dec 4, 2018 |