Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18552 | 1 Serverscheck | 1 Monitoring Software | 2018-12-06 | 5.0 MEDIUM | 6.5 MEDIUM |
| ServersCheck Monitoring Software through 14.3.3 allows local users to cause a denial of service (menu functionality loss) by creating an LNK file that points to a second LNK file, if this second LNK file is associated with a Start menu. Ultimately, this behavior comes from a Directory Traversal bug (via the sensor_details.html id parameter) that allows creating empty files in arbitrary directories. | |||||
| CVE-2018-18840 | 1 Sem-cms | 1 Semcms | 2018-12-06 | 3.5 LOW | 5.4 MEDIUM |
| XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexmetatit parameter. | |||||
| CVE-2018-18783 | 1 Sem-cms | 1 Semcms | 2018-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS was discovered in SEMCMS V3.4 via the semcms_remail.php?type=ok umail parameter. | |||||
| CVE-2018-18841 | 1 Sem-cms | 1 Semcms | 2018-12-06 | 3.5 LOW | 4.8 MEDIUM |
| XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexkey parameter. | |||||
| CVE-2018-7989 | 1 Huawei | 2 Mate 10 Pro, Mate 10 Pro Firmware | 2018-12-06 | 2.1 LOW | 4.6 MEDIUM |
| Huawei Mate 10 pro smartphones with the versions before BLA-AL00B 8.1.0.326(C00) have an improper authentication vulnerability. App Lock is a function to prevent unauthorized use of apps on smartphones, an attacker could directly change the lock password after a series of operations. Successful exploit could allow the attacker to use the application which is locked. | |||||
| CVE-2018-18778 | 1 Acme | 1 Mini-httpd | 2018-12-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| ACME mini_httpd before 1.30 lets remote users read arbitrary files. | |||||
| CVE-2018-18650 | 1 Xpdfreader | 1 Xpdf | 2018-12-06 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Xpdf 4.00. XRef::readXRefStream in XRef.cc allows attackers to launch a denial of service (Integer Overflow) via a crafted /Size value in a pdf file, as demonstrated by pdftohtml. This is mainly caused by the program attempting a malloc operation for a large amount of memory. | |||||
| CVE-2018-12382 | 2 Google, Mozilla | 2 Android, Firefox | 2018-12-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| The displayed addressbar URL can be spoofed on Firefox for Android using a javascript: URI in concert with JavaScript to insert text before the loaded domain name, scrolling the loaded domain out of view to the right. This can lead to user confusion. *This vulnerability only affects Firefox for Android < 62.* | |||||
| CVE-2018-18829 | 1 Libav | 1 Libav | 2018-12-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| There exists a NULL pointer dereference in ff_vc1_parse_frame_header_adv in vc1.c in Libav 12.3, which allows attackers to cause a denial-of-service through a crafted aac file. | |||||
| CVE-2018-18827 | 1 Libav | 1 Libav | 2018-12-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| There exists a heap-based buffer over-read in ff_vc1_pred_dc in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file. | |||||
| CVE-2018-18517 | 1 Citrix | 1 Netscaler Gateway Firmware | 2018-12-06 | 3.5 LOW | 4.8 MEDIUM |
| Citrix NetScaler Gateway 10.5.x before 10.5.69.003, 11.1.x before 11.1.59.004, 12.0.x before 12.0.58.7, and 12.1.x before 12.1.49.1 has XSS. | |||||
| CVE-2018-18635 | 1 Mailcleaner | 1 Mailcleaner | 2018-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| www/guis/admin/application/controllers/UserController.php in the administration login interface in MailCleaner CE 2018.08 and 2018.09 allows XSS via the admin/login/user/message/ PATH_INFO. | |||||
| CVE-2018-16956 | 1 Oracle | 1 Webcenter Interaction | 2018-12-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| The AjaxControl component of Oracle WebCenter Interaction Portal 10.3.3 does not validate the names of pages when processing page rename requests. Pages can be renamed to include characters unsupported for URIs by the web server hosting the WCI Portal software (such as IIS). Renaming pages to include unsupported characters, such as 0x7f, prevents these pages from being accessed over the web server, causing a Denial of Service (DoS) to the page. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. | |||||
| CVE-2018-12367 | 3 Canonical, Debian, Mozilla | 5 Ubuntu Linux, Debian Linux, Firefox and 2 more | 2018-12-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61. | |||||
| CVE-2018-16959 | 1 Oracle | 1 Webcenter Interaction | 2018-12-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. | |||||
| CVE-2018-12358 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2018-12-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque. This vulnerability affects Firefox < 61. | |||||
| CVE-2018-8512 | 1 Microsoft | 2 Edge, Windows 10 | 2018-12-06 | 5.8 MEDIUM | 5.4 MEDIUM |
| A security feature bypass vulnerability exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8530. | |||||
| CVE-2018-8889 | 1 Blackberry | 1 Enterprise Mobility Server | 2018-12-04 | 4.7 MEDIUM | 4.7 MEDIUM |
| A directory traversal vulnerability in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS) 2.8.17.29 and earlier could allow an attacker to retrieve arbitrary files in the context of a BEMS administrator account. | |||||
| CVE-2018-18720 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5. | |||||
| CVE-2018-18721 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in admin/link/editlink?id=5 in YUNUCMS 1.1.5. | |||||
| CVE-2018-18723 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in index.php/admin/area/editarea/id/110000 in YUNUCMS 1.1.5. | |||||
| CVE-2018-18722 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in admin/content/editcontent?id=29&gopage=1 in YUNUCMS 1.1.5. | |||||
| CVE-2018-18724 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in index.php/admin/category/editcategory?id=73 in YUNUCMS 1.1.5. | |||||
| CVE-2018-18725 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in admin/banner/editbanner?id=20 in YUNUCMS 1.1.5. | |||||
| CVE-2018-12901 | 1 Mitel | 2 St, St Firmware | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the conferencing component of Mitel ST 14.2, versions GA29 (19.49.9400.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the signin.php page. A successful exploit could allow an attacker to execute arbitrary scripts. | |||||
| CVE-2018-18726 | 1 Yunucms | 1 Yunucms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in admin/sitelink/editsitelink?id=16 in YUNUCMS 1.1.5. | |||||
| CVE-2018-18621 | 1 Communigate | 1 Communigate Pro | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| CommuniGate Pro 6.2 allows stored XSS via a message body in Pronto! Mail Composer, which is mishandled in /MIME/INBOX-MM-1/ if the raw email link (in .txt format) is modified and then renamed with a .html or .wssp extension. | |||||
| CVE-2018-18745 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Menu.php?lgid=1 during editing. | |||||
| CVE-2018-18744 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via the fifth text box to the admin/SEMCMS_Main.php URI. | |||||
| CVE-2018-18741 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Download.php?lgid=1 during editing. | |||||
| CVE-2018-18743 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via the second text field to the admin/SEMCMS_Categories.php?pid=1&lgid=1 URI. | |||||
| CVE-2018-18738 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Categories.php?pid=1&lgid=1 category_key parameter. | |||||
| CVE-2018-18739 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Products.php?lgid=1 Keywords field. | |||||
| CVE-2018-18740 | 1 Sem-cms | 1 Semcms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in SEMCMS 3.4 via the first input field to the admin/SEMCMS_Link.php?lgid=1 URI. | |||||
| CVE-2015-4631 | 1 Koha | 1 Koha | 2018-12-04 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl. | |||||
| CVE-2018-18622 | 1 Bijiadao | 1 Waimai Super Cms | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Waimai Super Cms 20150505. There is XSS via the index.php?m=public&a=doregister username parameter. | |||||
| CVE-2018-18290 | 1 Nconsulting | 1 Nc-cms | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| ** DISPUTED ** An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html&name=home_content allows XSS via the HTML Source Editor. NOTE: the vendor disputes this because the form requires administrator privileges, and entering JavaScript is supported functionality. | |||||
| CVE-2018-18291 | 1 Asus | 2 Rt-ac58u, Rt-ac58u Firmware | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.380_6516 devices allows remote attackers to inject arbitrary web script or HTML via Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, disk.asp, disk_utility.asp, or internet.asp. | |||||
| CVE-2018-16051 | 1 Gitlab | 1 Gitlab | 2018-12-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Orphaned Upload Files Exposure. | |||||
| CVE-2018-18324 | 1 Centos-webpanel | 1 Centos Web Panel | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter. | |||||
| CVE-2018-18416 | 1 Pokkho | 1 Lango | 2018-12-04 | 3.5 LOW | 4.8 MEDIUM |
| LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI. | |||||
| CVE-2018-18553 | 1 Leanote | 1 Leanote | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leanote 2.6.1 has XSS via the Blog Basic Setting title field, which is mishandled during rendering of the "likes" page. | |||||
| CVE-2018-15315 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected Cross Site Scripting (XSS) vulnerability in an undisclosed Configuration Utility page. | |||||
| CVE-2018-15314 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page. | |||||
| CVE-2018-18547 | 1 Vestacp | 1 Control Panel | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI. | |||||
| CVE-2018-18636 | 1 D-link | 2 Dsl-2640t, Dsl-2640t Firmware | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in cgi-bin/webcm on D-link DSL-2640T routers via the var:RelaodHref or var:conid parameter. | |||||
| CVE-2018-18478 | 1 Librenms | 1 Librenms | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent Cross-Site Scripting (XSS) issues in LibreNMS before 1.44 allow remote attackers to inject arbitrary web script or HTML via the dashboard_name parameter in the /ajax_form.php resource, related to html/includes/forms/add-dashboard.inc.php, html/includes/forms/delete-dashboard.inc.php, and html/includes/forms/edit-dashboard.inc.php. | |||||
| CVE-2018-18417 | 1 Creativeitem | 1 Ekushey Project Manager | 2018-12-04 | 3.5 LOW | 5.4 MEDIUM |
| In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI. | |||||
| CVE-2018-18419 | 1 Ardawan | 1 User Management | 2018-12-04 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI. | |||||
| CVE-2018-18608 | 1 Dedecms | 1 Dedecms | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. | |||||