The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-14936 | The Add page option in my little forum 2.4.12 allows XSS via the Title field. | LOW | Aug 4, 2018 |
| CVE-2018-14935 | The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS. | MEDIUM | Nov 15, 2018 |
| CVE-2018-14934 | The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone. | LOW | Nov 15, 2018 |
| CVE-2018-14933 | upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command. | HIGH | Aug 4, 2018 |
| CVE-2018-14931 | An issue was discovered in the Core and Portal modules in Polaris FT Intellect Core Banking 9.7.1. An open redirect exists via a /IntellectMain.jsp?IntellectSystem= URI. | MEDIUM | May 3, 2019 |
| CVE-2018-14930 | An issue was discovered in the Armor module in Polaris FT Intellect Core Banking 9.7.1. CSRF can occur via a /CollatWebApp/gcmsRefInsert?name=SUPP URI. | MEDIUM | May 3, 2019 |
| CVE-2018-14929 | Matera Banco 1.0.0 is vulnerable to multiple reflected XSS, as demonstrated by the /contingency/web/index.jsp (aka home page) url parameter. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14928 | /contingency/servlet/ServletFileDownload executes as root and provides unauthenticated access to files via the file parameter. | HIGH | Aug 3, 2018 |
| CVE-2018-14927 | Matera Banco 1.0.0 is vulnerable to path traversal (allowing access to system files outside the default application folder) via the /contingency/servlet/ServletFileDownload file parameter, related to /contingency/web/receiptQuery/receiptDisplay.jsp. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14926 | Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14925 | Matera Banco 1.0.0 mishandles Java errors in the backend, as demonstrated by a stack trace revealing use of net.sf.acegisecurity components. | HIGH | Aug 3, 2018 |
| CVE-2018-14924 | Matera Banco 1.0.0 is vulnerable to multiple stored XSS, as demonstrated by the sca/privilegio/consultarUsuario.jsf Nome Completo (aka user fullname) field. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14923 | A vulnerability in uniview EZPlayer 1.0.6 could allow an attacker to execute arbitrary code on a targeted system via video playback. | HIGH | Aug 3, 2018 |
| CVE-2018-14922 | Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page. | MEDIUM | Aug 14, 2018 |
| CVE-2018-14919 | LOYTEC LGATE-902 6.3.2 devices allow XSS. | MEDIUM | Jul 3, 2019 |
| CVE-2018-14918 | LOYTEC LGATE-902 6.3.2 devices allow Directory Traversal. | HIGH | Jul 3, 2019 |
| CVE-2018-14917 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2018-14916 | LOYTEC LGATE-902 6.3.2 devices allow Arbitrary file deletion. | HIGH | Jul 3, 2019 |
| CVE-2018-14915 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2018-14912 | cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request. | MEDIUM | Aug 6, 2018 |
| CVE-2018-14911 | A file upload vulnerability exists in ukcms v1.1.7 and earlier. The vulnerability is due to the system not strictly filtering the file upload type. An attacker can exploit the vulnerability to upload a script Trojan to admin.php/admin/configset/index/group/upload.html to gain server control by composing a request for a .txt upload and then changing it to a .php upload. The attacker must have admin access to change the upload_file_ext (aka Allow upload file suffix) setting, and must use php,php in this setting to bypass the php restriction. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14910 | SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14908 | Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a Print emails sent action. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14907 | The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces, as demonstrated by discovering a full pathname. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14906 | The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on all stack traces' propertyPath parameters. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14905 | The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14904 | Samsung Syncthru Web Service V4.05.61 is vulnerable to Multiple unauthenticated XSS attacks on several parameters, as demonstrated by ruiFw_pid. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14903 | EPSON WF-2750 printers with firmware JP02I2 do not properly validate files before running updates, which allows remote attackers to cause a printer malfunction or send malicious data to the printer. | MEDIUM | Aug 30, 2018 |
| CVE-2018-14902 | The ContentProvider in the EPSON iPrint application 6.6.3 for Android does not properly restrict data access. This allows an attacker's application to read scanned documents. | MEDIUM | Aug 30, 2018 |
| CVE-2018-14901 | The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services. | MEDIUM | Aug 30, 2018 |
| CVE-2018-14900 | On EPSON WF-2750 printers with firmware JP02I2, there is no filtering of print jobs. Remote attackers can send print jobs directly to the printer via TCP port 9100. | MEDIUM | Aug 30, 2018 |
| CVE-2018-14899 | On the EPSON WF-2750 printer with firmware JP02I2, the Web interface AirPrint Setup page is vulnerable to HTML Injection that can redirect users to malicious sites. | MEDIUM | Aug 30, 2018 |
| CVE-2018-14894 | CyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an attacker (who is able to edit permissions of a file) to bypass intended access restrictions and execute blocked applications. | MEDIUM | Apr 12, 2019 |
| CVE-2018-14893 | A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API. | HIGH | Nov 27, 2018 |
| CVE-2018-14892 | Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms. | MEDIUM | Nov 27, 2018 |
| CVE-2018-14891 | Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability. | MEDIUM | Sep 21, 2018 |
| CVE-2018-14890 | Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console. | LOW | Sep 21, 2018 |
| CVE-2018-14889 | CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability. | MEDIUM | Sep 21, 2018 |
| CVE-2018-14888 | inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject. | MEDIUM | Aug 14, 2018 |
| CVE-2018-14887 | Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request. | MEDIUM | Jul 5, 2019 |
| CVE-2018-14886 | The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST\'s local file inclusion, which allows privileged authenticated users to read local files via a crafted module description. | MEDIUM | Jul 5, 2019 |
| CVE-2018-14885 | Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds. | HIGH | Jul 5, 2019 |
| CVE-2018-14884 | An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14883 | An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c. | MEDIUM | Aug 3, 2018 |
| CVE-2018-14882 | The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp6.c. | High | Oct 11, 2019 |
| CVE-2018-14881 | The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART). | High | Oct 11, 2019 |
| CVE-2018-14880 | The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr(). | High | Oct 3, 2019 |
| CVE-2018-14879 | The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file(). | High | Oct 11, 2019 |
| CVE-2018-14878 | JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data. | MEDIUM | Aug 13, 2018 |
| CVE-2018-14877 | An issue was discovered in WeaselCMS v0.3.5. XSS exists via Site Language, Site Title, Site Description, and Site Keywords on the SETTINGS page. | LOW | Aug 2, 2018 |
