The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2018-13351 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form. | LOW | Nov 27, 2018 | n/a |
| CVE-2018-13350 | SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the Event parameter. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13349 | Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user\'s username. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13348 | The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13347 | mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. | HIGH | Jul 5, 2018 | n/a |
| CVE-2018-13346 | The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13342 | The server API in the Anda app relies on hardcoded credentials. | HIGH | Oct 24, 2018 | n/a |
| CVE-2018-13341 | Crestron TSW-X60 all versions prior to 2.001.0037.001 and MC3 all versions prior to 1.502.0047.00, The passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges. | MEDIUM | Aug 10, 2018 | n/a |
| CVE-2018-13340 | Gleez CMS 1.2.0 has CSRF, as demonstrated by a /page/add request. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13339 | Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode is used, allows stored XSS, as demonstrated by an onerror attribute of an IMG element, a related issue to CVE-2018-7035. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13338 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the username parameter during user creation. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13337 | Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users\' session cookies via JavaScript. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13336 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the pwd parameter during user creation. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13335 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions. | LOW | Nov 27, 2018 | n/a |
| CVE-2018-13334 | Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the options[sysname] parameter. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13333 | Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users\' usernames. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13332 | Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the path URL parameter. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13331 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13330 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the groupname parameter. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13329 | Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the lines URL parameter. | MEDIUM | Nov 27, 2018 | n/a |
| CVE-2018-13328 | The transfer, transferFrom, and mint functions of a smart contract implementation for PFGc, an Ethereum token, have an integer overflow. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13327 | ** DISPUTED ** The transfer and transferFrom functions of a smart contract implementation for ChuCunLingAIGO (CCLAG), an Ethereum token, have an integer overflow. NOTE: this has been disputed by a third party. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13326 | ** DISPUTED ** The transfer and transferFrom functions of a smart contract implementation for Bittelux (BTX), an Ethereum token, have an integer overflow. NOTE: this has been disputed by a third party. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13325 | The _sell function of a smart contract implementation for GROWCHAIN (GROW), an Ethereum token, has an integer overflow. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13324 | Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header. | HIGH | Nov 26, 2018 | n/a |
| CVE-2018-13323 | Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the username cookie. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13322 | Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the path parameter. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13321 | Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the method parameter. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13320 | System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13319 | Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13318 | System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the name parameter. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13317 | Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13316 | System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the subnet POST parameter. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13315 | Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user\'s password via an unauthenticated POST request. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13314 | System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the ipAddr POST parameter. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13313 | In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext. | MEDIUM | Feb 24, 2020 | n/a |
| CVE-2018-13312 | Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the Input your notice URL field. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13311 | System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the sambaUser POST parameter. | HIGH | Nov 26, 2018 | n/a |
| CVE-2018-13310 | Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user\'s username. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13309 | Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user\'s password. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13308 | Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the User phrases button field. | MEDIUM | Nov 26, 2018 | n/a |
| CVE-2018-13307 | System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the ntpServerIp2 POST parameter. Certain payloads cause the device to become permanently inoperable. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13306 | System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the ftpUser POST parameter. | HIGH | Nov 27, 2018 | n/a |
| CVE-2018-13305 | In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service. | MEDIUM | Jul 6, 2018 | n/a |
| CVE-2018-13304 | In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency between the context profile field and studio_profile in libavcodec may trigger an assertion failure while converting a crafted AVI file to MPEG4, leading to a denial of service, related to error_resilience.c, h263dec.c, and mpeg4videodec.c. | MEDIUM | Jul 5, 2018 | n/a |
| CVE-2018-13303 | In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bits8() in the avpriv_ac3_parse_header function in libavcodec/ac3_parser.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. | MEDIUM | Jul 9, 2018 | n/a |
| CVE-2018-13302 | In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRAME_TYPE_INDEPENDENT) that have multiple independent substreams in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to a denial of service or possibly unspecified other impact. | MEDIUM | Jul 9, 2018 | n/a |
| CVE-2018-13301 | In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. | MEDIUM | Jul 9, 2018 | n/a |
| CVE-2018-13300 | In FFmpeg 3.2 and 4.0.1, an improper argument (AVCodecParameters) passed to the avpriv_request_sample function in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array read while converting a crafted AVI file to MPEG4, leading to a denial of service and possibly an information disclosure. | MEDIUM | Jul 9, 2018 | n/a |
| CVE-2018-13299 | Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter. | MEDIUM | Apr 5, 2019 | n/a |
