National Vulnerability Database

Search Results

Search Parameters:
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 110,523 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2018-20161

A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the Wi-Fi network. (Access to live video from the app also becomes unavailable.)

Published: December 15, 2018; 01:29:00 AM -05:00
(not available)
CVE-2018-20159

i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a ".zip" file because a ZIP archive is accepted by /admin/?req=modules&action=add as a plugin, and extracted to the main directory. In order for the ".zip" file to be accepted, it must also contain a package.json file.

Published: December 15, 2018; 12:29:00 AM -05:00
(not available)
CVE-2018-20157

The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.

Published: December 14, 2018; 07:29:00 PM -05:00
(not available)
CVE-2018-20156

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated "site administrator" users to execute arbitrary PHP code throughout a multisite network.

Published: December 14, 2018; 05:29:00 PM -05:00
(not available)
CVE-2018-20155

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.

Published: December 14, 2018; 05:29:00 PM -05:00
(not available)
CVE-2018-20154

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.

Published: December 14, 2018; 05:29:00 PM -05:00
(not available)
CVE-2018-20153

In WordPress versions before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-20152

In WordPress versions before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-20151

In WordPress versions before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-20150

In WordPress versions before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-20149

In WordPress versions before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-20148

In WordPress versions before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-20147

In WordPress versions before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-19007

In Geutebrueck GmbH E2 Camera Series versions prior to 1.12.0.25 the DDNS configuration (in the Network Configuration panel) is vulnerable to an OS system command injection as root.

Published: December 14, 2018; 03:29:00 PM -05:00
(not available)
CVE-2018-1977

IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032.

Published: December 14, 2018; 11:29:00 AM -05:00
(not available)
CVE-2018-1848

IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150947.

Published: December 14, 2018; 11:29:00 AM -05:00
(not available)
CVE-2018-19413

A vulnerability in the API of SonarSource SonarQube before 7.4 could allow an authenticated user to discover sensitive information such as valid user-account logins in the web application. The vulnerability occurs because of improperly configured access controls that cause the API to return the externalIdentity field to non-administrator users. The attacker could use this information in subsequent attacks against the system.

Published: December 14, 2018; 10:29:00 AM -05:00
(not available)
CVE-2018-19003

GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C. The affected versions of the application have a path traversal vulnerability that fails to restrict the ability of an attacker to gain access to restricted information.

Published: December 14, 2018; 10:29:00 AM -05:00
(not available)
CVE-2018-18984

Medtronic CareLink 2090 Programmer, CareLink 9790 Programmer, and 29901 Encore Programmer, all versions. The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest: PII and PHI.

Published: December 14, 2018; 10:29:00 AM -05:00
(not available)
CVE-2018-18006

Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.

Published: December 14, 2018; 10:29:00 AM -05:00
(not available)