Search
Total
17685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6578 | 1 Jextn | 1 Je Paypervideo | 2018-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request. | |||||
| CVE-2018-6365 | 1 Datacomponents | 1 Tsitebuilder | 2018-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in TSiteBuilder 1.0 via the id parameter to /site.php, /pagelist.php, or /page_new.php. | |||||
| CVE-2018-6367 | 1 Vastal | 1 I-tech Buddy Zone Facebook Clone | 2018-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Vastal I-Tech Buddy Zone Facebook Clone 2.9.9 via the /chat_im/chat_window.php request_id parameter or the /search_events.php category parameter. | |||||
| CVE-2018-6364 | 1 Multilanguage Real Estate Mlm Script Project | 1 Multilanguage Real Estate Mlm Script | 2018-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Multilanguage Real Estate MLM Script through 3.0 via the /product-list.php srch parameter. | |||||
| CVE-2018-1342 | 1 Netiq | 1 Access Manager | 2018-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| A Vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. This impacts NetIQ Access Manager versions 4.3 and 4.4 as well as the Administrative console. | |||||
| CVE-2018-0506 | 1 Nootka Project | 1 Nootka | 2018-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| Nootka 1.4.4 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. | |||||
| CVE-2018-6376 | 1 Joomla | 1 Joomla\! | 2018-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message. | |||||
| CVE-2018-6476 | 1 Superantispyware | 1 Superantispyware | 2018-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating input values from IOCtl 0x9C402114 or 0x9C402124 or 0x9C40207c. | |||||
| CVE-2017-13696 | 1 Flexense | 4 Diskpulse, Disksavvy, Dupscout and 1 more | 2018-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| A buffer overflow vulnerability lies in the web server component of Dup Scout Enterprise 9.9.14, Disk Savvy Enterprise 9.9.14, Sync Breeze Enterprise 9.9.16, and Disk Pulse Enterprise 9.9.16 where an attacker can craft a malicious GET request and exploit the web server component. Successful exploitation of the software will allow an attacker to gain complete access to the system with NT AUTHORITY / SYSTEM level privileges. The vulnerability lies due to improper handling and sanitization of the incoming request. | |||||
| CVE-2018-6308 | 1 Sugarcrm | 1 Sugarcrm | 2018-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php. | |||||
| CVE-2017-15697 | 1 Apache | 1 Nifi | 2018-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | |||||
| CVE-2018-5997 | 1 Ravpower | 1 Filehub Firmware | 2018-02-12 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.056. Due to an unrestricted upload feature and a path traversal vulnerability, it is possible to upload a file on a filesystem with root privileges: this will lead to remote code execution as root. | |||||
| CVE-2017-17999 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2018-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/. | |||||
| CVE-2018-5778 | 1 Ipswitch | 1 Whatsup Gold | 2018-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2018-5973 | 1 Eihitech | 1 Professional Local Directory Script | 2018-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Professional Local Directory Script 1.0 via the sellers_subcategories.php IndustryID parameter, or the suppliers.php IndustryID or CategoryID parameter. | |||||
| CVE-2018-5704 | 2 Debian, Openocd | 2 Debian Linux, Open On-chip Debugger | 2018-02-09 | 9.3 HIGH | 9.6 CRITICAL |
| Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site. | |||||
| CVE-2018-5972 | 1 Quickad Project | 1 Quickad | 2018-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Classified Ads CMS Quickad 4.0 via the keywords, placeid, cat, or subcat parameter to the listing URI. | |||||
| CVE-2017-17976 | 1 Perfexcrm | 1 Perfex Crm | 2018-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution. | |||||
| CVE-2018-5985 | 1 Livecrm | 1 Livecrm Saas Cloud | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for Joomla! via an r=site/login&company_id= request. | |||||
| CVE-2018-5988 | 1 Flexible Poll Project | 1 Flexible Poll | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php. | |||||
| CVE-2018-5984 | 1 Tumder Project | 1 Tumder | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI. | |||||
| CVE-2018-5979 | 1 Wchat Project | 1 Wchat | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1.5 via the login.php User field. | |||||
| CVE-2018-5978 | 1 Zechat Project | 1 Zechat | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the login.php User field. | |||||
| CVE-2018-5977 | 1 Getaffiligator | 1 Affiligator | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request. | |||||
| CVE-2017-1204 | 1 Ibm | 1 Tealeaf Customer Experience | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 contains hard-coded credentials. A remote attacker could exploit this vulnerability to gain access to the system. IBM X-Force ID: 123740. | |||||
| CVE-2017-14457 | 1 Ethereum | 1 Ethereum Virtual Machine | 2018-02-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| An exploitable information leak/denial of service vulnerability exists in the libevm (Ethereum Virtual Machine) `create2` opcode handler of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read leading to memory disclosure or denial of service. An attacker can create/send malicious a smart contract to trigger this vulnerability. | |||||
| CVE-2017-18047 | 1 Labf | 1 Nfsaxe | 2018-02-06 | 7.5 HIGH | 9.8 CRITICAL |
| Buffer Overflow in the FTP client in LabF nfsAxe 3.7 allows remote FTP servers to execute arbitrary code via a long reply. | |||||
| CVE-2018-5724 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2018-02-05 | 10.0 HIGH | 9.8 CRITICAL |
| MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Download and Upload, as demonstrated by restore.cgi. | |||||
| CVE-2018-5726 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2018-02-05 | 5.0 MEDIUM | 9.8 CRITICAL |
| MASTER IPCAMERA01 3.3.4.2103 devices allow remote attackers to obtain sensitive information via a crafted HTTP request, as demonstrated by the username, password, and configuration settings. | |||||
| CVE-2018-5723 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2018-02-05 | 10.0 HIGH | 9.8 CRITICAL |
| MASTER IPCAMERA01 3.3.4.2103 devices have a hardcoded password of cat1029 for the root account. | |||||
| CVE-2017-1000231 | 1 Nlnetlabs | 1 Ldns | 2018-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified impact and attack vectors. | |||||
| CVE-2017-16510 | 1 Wordpress | 1 Wordpress | 2018-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. | |||||
| CVE-2016-1051 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader Dc and 3 more | 2018-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, and CVE-2016-4107. | |||||
| CVE-2017-16844 | 1 Procmail | 1 Procmail | 2018-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Heap-based buffer overflow in the loadbuf function in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted e-mail message because of a hardcoded realloc size, a different vulnerability than CVE-2014-3618. | |||||
| CVE-2017-1000480 | 1 Smarty | 1 Smarty | 2018-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | |||||
| CVE-2017-17946 | 1 Novosoft | 1 Handy Password | 2018-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| A buffer overflow in Handy Password 4.9.3 allows remote attackers to execute arbitrary code via a long "Title name" field in "mail box" data that is mishandled in an "Open from mail box" action. | |||||
| CVE-2018-5195 | 1 Hancom | 1 Thinkfree Office Neo | 2018-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| Hancom NEO versions 9.6.1.5183 and earlier have a buffer Overflow vulnerability that leads remote attackers to execute arbitrary commands when performing the hyperlink Attributes in document. | |||||
| CVE-2017-13179 | 1 Google | 1 Android | 2018-02-02 | 10.0 HIGH | 9.8 CRITICAL |
| In the ihevcd_allocate_static_bufs and ihevcd_create functions of SoftHEVC, there is a possible out-of-bounds write due to a use after free. Both ps_codec_obj and ps_create_op->s_ivd_create_op_t.pv_handle point to the same memory and ps_codec_obj could be freed without clearing ps_create_op->s_ivd_create_op_t.pv_handle. This could lead to remote code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-66969193. | |||||
| CVE-2017-16887 | 1 Fiberhome | 2 Lm53q1, Lm53q1 Firmware | 2018-02-02 | 5.0 MEDIUM | 9.8 CRITICAL |
| The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services can result in disclosure of the WLAN key/password. | |||||
| CVE-2017-16716 | 1 Advantech | 1 Webaccess | 2018-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands. | |||||
| CVE-2017-13178 | 1 Google | 1 Android | 2018-02-01 | 10.0 HIGH | 9.8 CRITICAL |
| In the initDecoder function of SoftAVCDec, there is a possible out-of-bounds write to mCodecCtx due to a use after free when buffer allocation fails. This could lead to remote code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-66969281. | |||||
| CVE-2017-13177 | 1 Google | 1 Android | 2018-02-01 | 10.0 HIGH | 9.8 CRITICAL |
| In several functions of libhevc, NEON registers are not preserved. This could lead to remote code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-68320413. | |||||
| CVE-2017-15883 | 1 Progress | 1 Sitefinity | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography. | |||||
| CVE-2017-7997 | 1 Gespage | 1 Gespage | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp. | |||||
| CVE-2014-4972 | 1 Ajax Upload For Gravity Forms Project | 1 Ajax Upload For Gravity Forms | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in the Gravity Upload Ajax plugin 1.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under wp-content/uploads/gravity_forms. | |||||
| CVE-2017-5971 | 1 Newsbee Project | 1 Newsbee | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in NewsBee CMS allow remote attackers to execute arbitrary SQL commands. | |||||
| CVE-2018-5696 | 1 Ijoomla | 1 Com Adagency | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection via the `advertiser_status` and `status_select` parameters to index.php. | |||||
| CVE-2017-17970 | 1 Muvikoscript | 1 Muviko | 2018-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to themes/flixer/ajax/get_rating.php; the (4) rating or (5) movie_id parameter to themes/flixer/ajax/update_rating.php; or the (6) id parameter to themes/flixer/ajax/set_player_source.php. | |||||
| CVE-2017-1670 | 1 Ibm | 1 Security Key Lifecycle Manager | 2018-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 133637. | |||||
| CVE-2018-5211 | 1 Phpsugar | 1 Php Melody | 2018-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist. | |||||