Total
2179 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11767 | 1 Apache | 1 Hadoop | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. | |||||
| CVE-2018-11323 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions. | |||||
| CVE-2018-11190 | 1 Quest | 1 Disk Backup | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Quest DR Series Disk Backup software version before 4.0.3.1 allows privilege escalation (issue 2 of 6). | |||||
| CVE-2018-11008 | 1 K7computing | 4 Antivrius, Enterprise Security, Total Security and 1 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53. | |||||
| CVE-2018-11006 | 1 K7computing | 4 Antivrius, Enterprise Security, Total Security and 1 more | 2024-11-21 | 8.8 HIGH | 5.5 MEDIUM |
| An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53. | |||||
| CVE-2018-10906 | 3 Debian, Fuse Project, Redhat | 5 Debian Linux, Fuse, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
| In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects. | |||||
| CVE-2018-10853 | 3 Canonical, Debian, Linux | 3 Ubuntu Linux, Debian Linux, Linux Kernel | 2024-11-21 | 4.6 MEDIUM | 7.0 HIGH |
| A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest. | |||||
| CVE-2018-10550 | 1 Octopus | 1 Octopus Deploy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to. | |||||
| CVE-2018-10514 | 2 Microsoft, Trendmicro | 5 Windows, Antivirus \+ Security, Internet Security and 2 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A Missing Impersonation Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability. | |||||
| CVE-2018-10190 | 1 Londontrustmedia | 1 Private Internet Access | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in London Trust Media Private Internet Access (PIA) VPN Client v77 for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of access controls. The "Changelog" and "Help" options available from the system tray context menu spawn an elevated instance of the user's default web browser. An attacker could exploit this vulnerability by selecting "Run as Administrator" from the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system. | |||||
| CVE-2018-10172 | 1 7-zip | 1 7-zip | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
| 7-Zip through 18.01 on Windows implements the "Large memory pages" option by calling the LsaAddAccountRights function to add the SeLockMemoryPrivilege privilege to the user's account, which makes it easier for attackers to bypass intended access restrictions by using this privilege in the context of a sandboxed process. Note: This has been disputed by 3rd parties who argue this is a valid feature of Windows. | |||||
| CVE-2018-10168 | 1 Tp-link | 1 Eap Controller | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows. | |||||
| CVE-2018-10143 | 1 Paloaltonetworks | 1 Expedition | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Palo Alto Networks Expedition Migration tool 1.0.107 and earlier may allow an unauthenticated attacker with remote access to run system level commands on the device hosting this service/application. | |||||
| CVE-2018-10079 | 1 Vertiv | 1 Watchdog Console | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| Geist WatchDog Console 3.2.2 uses a weak ACL for the C:\ProgramData\WatchDog Console directory, which allows local users to modify configuration data by updating (1) config.xml or (2) servers.xml. | |||||
| CVE-2018-1000866 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | |||||
| CVE-2018-1000865 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | |||||
| CVE-2018-1000648 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrestricted File Write vulnerability in Patient file letter functions that can result in Write files with malicious content and may lead to remote code execution. This attack appear to be exploitable via User controlled parameters. | |||||
| CVE-2018-1000634 | 1 Openmicroscopy | 1 Omero | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 contains an Improper Access Control vulnerability in User management that can result in administrative user with privilege restrictions logging in as a more powerful administrator. This attack appear to be exploitable via Use user administration privilege to set the password of a more powerful administrator. This vulnerability appears to have been fixed in 5.4.7. | |||||
| CVE-2018-1000624 | 1 Battelle | 1 V2i Hub | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Battelle V2I Hub 2.5.1 is vulnerable to a denial of service, caused by the failure to restrict access to a sensitive functionality. By visiting http://V2I_HUB/UI/powerdown.php, a remote attacker could exploit this vulnerability to shut down the system. | |||||
| CVE-2018-1000503 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15. | |||||