Total
3672 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-10825 | 1 Mimobaby | 2 Mimo Baby 2, Mimo Baby 2 Firmware | 2024-11-21 | 2.9 LOW | 5.3 MEDIUM |
| Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack. | |||||
| CVE-2018-10683 | 1 Redhat | 1 Wildfly | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured." The vendor explicitly supports these unsecured configurations because they have valid use cases during development | |||||
| CVE-2018-10682 | 1 Wildfly | 1 Wildfly | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in WildFly 10.1.2.Final. It is possible for an attacker to access the administration panel on TCP port 9990 without any authentication using "anonymous" access that is automatically created. Once logged in, a misconfiguration present by default (auto-deployment) permits an anonymous user to deploy a malicious .war file, leading to remote code execution. NOTE: the vendor indicates that anonymous access is not available in the default installation; however, it remains optional because there are several use cases for it, including development environments and network architectures that have a proxy server for access control to the WildFly server | |||||
| CVE-2018-10641 | 1 Dlink | 2 Dir-600l, Dir-601 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| D-Link DIR-601 A1 1.02NA devices do not require the old password for a password change, which occurs in cleartext. | |||||
| CVE-2018-10630 | 1 Crestron | 15 Mc3, Mc3 Firmware, Tsw-1060-b-s and 12 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is left open. | |||||
| CVE-2018-10611 | 1 Ge | 1 Mds Pulsenet | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Java remote method invocation (RMI) input port in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior may be exploited to allow unauthenticated users to launch applications and support remote code execution through web services. | |||||
| CVE-2018-10603 | 1 Martem | 4 Telem-gw6, Telem-gw6 Firmware, Telem-gwm and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior do not perform authentication of IEC-104 control commands, which may allow a rogue node a remote control of the industrial process. | |||||
| CVE-2018-10576 | 1 Watchguard | 6 Ap100, Ap100 Firmware, Ap102 and 3 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Improper authentication handling by the native Access Point web UI allows authentication using a local system account (instead of the dedicated web-only user). | |||||
| CVE-2018-10544 | 1 Meross | 2 Mss110, Mss110 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Meross MSS110 devices through 1.1.24 contain an unauthenticated admin.htm administrative interface. | |||||
| CVE-2018-10362 | 1 Phpliteadmin | 1 Phpliteadmin | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with '==' instead of '===' in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like '2e2' for '200' or '0e1234' for '0'). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with '==' casts the user input (e.g., the string '200' or '0') to a number, too. Hence the attacker can login with just a '0' or a simple number he has to brute force. Strong comparison with '===' prevents the cast into numbers. | |||||
| CVE-2018-0886 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-11-21 | 7.6 HIGH | 7.0 HIGH |
| The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability". | |||||
| CVE-2018-0676 | 1 Panasonic | 2 Bn-sdwbp3, Bn-sdwbp3 Firmware | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to bypass authentication to access to the management screen and execute an arbitrary command via unspecified vectors. | |||||
| CVE-2018-0670 | 1 Mnc | 1 Inplc-rt | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0669. | |||||
| CVE-2018-0669 | 1 Mnc | 1 Inplc-rt | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0670. | |||||
| CVE-2018-0528 | 1 Cybozu | 1 Office | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cybozu Office 10.0.0 to 10.7.0 allows authenticated attackers to bypass authentication to view the schedules that are not permitted to access via unspecified vectors. | |||||
| CVE-2018-0505 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock | |||||
| CVE-2018-0435 | 1 Cisco | 1 Umbrella | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations. The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations. | |||||
| CVE-2018-0382 | 1 Cisco | 1 Wireless Lan Controller Software | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the session identification management functionality of the web-based interface of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to hijack a valid user session on an affected system. The vulnerability exists because the affected software does not properly clear previously assigned session identifiers for a user session when a user authenticates to the web-based interface. An attacker could exploit this vulnerability by using an existing session identifier to connect to the software through the web-based interface. Successful exploitation could allow the attacker to hijack an authenticated user's browser session on the system. Versions 8.1 and 8.5 are affected. | |||||
| CVE-2018-0362 | 1 Cisco | 42 5100 Enterprise Network Compute System, 5100 Enterprise Network Compute System Firmware, 5400 Enterprise Network Compute System and 39 more | 2024-11-21 | 4.6 MEDIUM | 4.3 MEDIUM |
| A vulnerability in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers could allow an unauthenticated, local attacker to bypass the BIOS authentication and execute actions as an unprivileged user. The vulnerability is due to improper security restrictions that are imposed by the affected system. An attacker could exploit this vulnerability by submitting an empty password value to an affected device's BIOS authentication prompt. An exploit could allow the attacker to have access to a restricted set of user-level BIOS commands. Cisco Bug IDs: CSCvh83260. | |||||
| CVE-2018-0321 | 1 Cisco | 3 Prime Collaboration, Prime Collaboration Assurance, Prime Collaboration Provisioning | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI) system. The vulnerability is due to an open port in the Network Interface and Configuration Engine (NICE) service. An attacker could exploit this vulnerability by accessing the open RMI system on an affected PCP instance. An exploit could allow the attacker to perform malicious actions that affect PCP and the devices that are connected to it. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 11.6 and prior. Cisco Bug IDs: CSCvd61746. | |||||