CVE-2018-16225
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera.
Source: CVE-2018-16225
CVE-2018-15546
Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file.
Source: CVE-2018-15546
CVE-2018-11084
Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of service for new app instances or scaling up of existing apps.
Source: CVE-2018-11084
CVE-2018-11071
Dell EMC Isilon OneFS versions 7.1.1.x, 7.2.1.x, 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 and Dell EMC IsilonSD Edge versions 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 contain a remote process crash vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to crash the isi_drive_d process by sending specially crafted input data to the affected system. This process will then be restarted.
Source: CVE-2018-11071
CVE-2018-16671
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.
Source: CVE-2018-16671
CVE-2018-16669
An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels.
Source: CVE-2018-16669
CVE-2018-16670
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.
Source: CVE-2018-16670
CVE-2017-6913
Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.
Source: CVE-2017-6913
CVE-2018-16668
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.
Source: CVE-2018-16668
CVE-2018-17177
An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary.
Source: CVE-2018-17177