Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15429 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Inappropriate implementation in the V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (universal cross-site scripting, UXSS) via a crafted HTML page. | |||||
| CVE-2018-1000670 | 1 Koha | 1 Koha | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Koha Library System versions 16.11.x (up to 16.11.13) and 17.05.x (up to 17.05.05) contain a cross-site scripting (XSS) vulnerability in multiple fields on multiple pages, including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , and /cgi-bin/koha/serials/subscription-add.pl . It can result in privilege escalation by taking control of a higher-privileged user's browser session. Exploitation requires that the victim be socially engineered into visiting a vulnerable page that contains the malicious payload. This vulnerability appears to have been fixed in 17.11. | |||||
| CVE-2018-12150 | 1 Intel | 1 Extreme Tuning Utility | 2018-11-07 | 4.6 MEDIUM | 6.7 MEDIUM |
| Escalation of privilege in Installer for Intel Extreme Tuning Utility before 6.4.1.21 may allow an authenticated user to potentially execute code or disclose information as administrator via local access. | |||||
| CVE-2018-16670 | 1 Circontrol | 1 Circarlife Scada | 2018-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html. | |||||
| CVE-2017-15417 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-07 | 2.6 LOW | 5.3 MEDIUM |
| Inappropriate implementation in Skia canvas composite operations in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2017-15422 | 5 Canonical, Debian, Google and 2 more | 7 Ubuntu Linux, Debian Linux, Chrome and 4 more | 2018-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | |||||
| CVE-2018-16671 | 1 Circontrol | 1 Circarlife Scada | 2018-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id. | |||||
| CVE-2017-15416 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Heap buffer overflow in Blob API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka a Blink out-of-bounds read. | |||||
| CVE-2018-3686 | 1 Intel | 1 Sa-00086 Detection Tool | 2018-11-07 | 4.6 MEDIUM | 6.7 MEDIUM |
| Code injection vulnerability in INTEL-SA-00086 Detection Tool before version 1.2.7.0 may allow a privileged user to potentially execute arbitrary code via local access. | |||||
| CVE-2018-17021 | 1 Asus | 2 Gt-ac5300, Gt-ac5300 Firmware | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability on ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 allows remote attackers to inject arbitrary web script or HTML via the appGet.cgi hook parameter. | |||||
| CVE-2018-17034 | 1 Ucms Project | 1 Ucms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| UCMS 1.4.6 has XSS via the install/index.php mysql_dbname parameter. | |||||
| CVE-2018-17061 | 1 Bullguard | 1 Safe Browsing | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results. | |||||
| CVE-2018-17062 | 1 Seacms | 1 Seacms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php via the action, area, type, yuyan, jqtype, v_isunion, v_recycled, v_ismoney, or v_ispsd parameter. | |||||
| CVE-2018-17085 | 1 Otcms | 1 Otcms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php via the dataTypeCN, dataMode, and dataModeStr parameters. | |||||
| CVE-2018-17086 | 1 Otcms | 1 Otcms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switch.php via the fieldName, fieldName2, and tabName parameters. | |||||
| CVE-2018-17128 | 1 Mybb | 1 Mybb | 2018-11-07 | 3.5 LOW | 5.4 MEDIUM |
| A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. | |||||
| CVE-2017-15419 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. | |||||
| CVE-2018-16607 | 1 Opmantek | 1 Open-audit | 2018-11-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Orgs page in Open-AudIT Professional edition 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field. | |||||
| CVE-2018-16759 | 1 Easycms | 1 Easycms | 2018-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event. | |||||
| CVE-2018-16141 | 1 Thinkcmf | 1 Thinkcmfx | 2018-11-06 | 5.5 MEDIUM | 6.5 MEDIUM |
| ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in \application\User\Controller\ProfileController.class.php via an imgurl parameter with a ..\ sequence. A member user can delete any file on a Windows server. | |||||
| CVE-2018-16761 | 1 Eventum Project | 1 Eventum | 2018-11-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| Eventum before 3.4.0 has an open redirect vulnerability. | |||||
| CVE-2018-16736 | 1 Rcfilters Project | 1 Rcfilters | 2018-11-06 | 3.5 LOW | 5.4 MEDIUM |
| In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatfilter and _messages parameters (in the Filters section of the settings). | |||||
| CVE-2018-16363 | 1 Webdesi9 | 1 File Manager | 2018-11-06 | 3.5 LOW | 5.4 MEDIUM |
| The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php. | |||||
| CVE-2018-16324 | 1 Icewarp | 1 Mail Server | 2018-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field. | |||||
| CVE-2018-8271 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2018-11-06 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists in Windows when the Windows bowser.sys kernel-mode driver fails to properly handle objects in memory, aka "Windows Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | |||||
| CVE-2018-15683 | 1 Btiteam | 1 Xbtit | 2018-11-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT. The "returnto" parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when accessing the page, they will be instantly redirected. | |||||
| CVE-2018-15499 | 1 Gearsoftware | 1 Gearaspiwdm | 2018-11-06 | 4.7 MEDIUM | 4.7 MEDIUM |
| GEAR Software products that include GEARAspiWDM.sys 2.2.5.0 allow local users to cause a denial of service (race condition and BSoD on Windows) because the driver does not check that user-mode memory is still available immediately before writing to it; the check is performed only at the beginning of a long subroutine, leaving a window in which the memory can be unmapped. | |||||
| CVE-2018-15574 | 1 Reprisesoftware | 1 Reprise License Manager | 2018-11-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability." | |||||
| CVE-2018-15684 | 1 Btiteam | 1 Xbtit | 2018-11-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in BTITeam XBTIT. PHP error logs are stored in an open directory (/include/logs) using predictable file names, which can lead to full path disclosure and leakage of sensitive data. | |||||
| CVE-2018-15679 | 1 Btiteam | 1 Xbtit | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. The "keywords" parameter in the search function available at /index.php?page=forums&action=search is vulnerable to reflected cross-site scripting. | |||||
| CVE-2018-15678 | 1 Btiteam | 1 Xbtit | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. The "act" parameter in the sign-up page available at /index.php?page=signup is vulnerable to reflected cross-site scripting. | |||||
| CVE-2018-6643 | 1 Infoblox | 1 Netmri | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter. | |||||
| CVE-2018-16437 | 1 Gxlcms | 1 Gxlcms | 2018-11-05 | 4.0 MEDIUM | 4.9 MEDIUM |
| Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator. | |||||
| CVE-2018-15562 | 1 Isweb | 1 Isweb | 2018-11-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| CMS ISWEB 3.5.3 has XSS via the ordineRis, sezioneRicerca, or oggettiRicerca parameter to index.php. | |||||
| CVE-2018-16298 | 1 1234n | 1 Minicms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request. | |||||
| CVE-2018-16313 | 1 Bludit | 1 Bludit | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bludit 2.3.4 allows XSS via a user name. | |||||
| CVE-2018-16325 | 1 Get-simple | 1 Getsimple Cms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field. | |||||
| CVE-2018-16622 | 1 Html-js | 1 Doracms | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) discription or (2) comments field, related to users/userAddContent. | |||||
| CVE-2018-16285 | 1 Userproplugin | 1 Userpro | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php. | |||||
| CVE-2018-16654 | 1 Zurmo | 1 Zurmo Crm | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zurmo 3.2.4 Stable allows XSS via app/index.php/accounts/default/details?id=2&kanbanBoard=1&openToTaskId=1. | |||||
| CVE-2018-16389 | 1 E107 | 1 E107 | 2018-11-02 | 5.5 MEDIUM | 6.5 MEDIUM |
| e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter. | |||||
| CVE-2018-16728 | 1 Feindura | 1 Feindura | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| feindura 2.0.7 allows XSS via the tags field of a new page created at index.php?category=0&page=new. | |||||
| CVE-2018-16980 | 1 Dotcms | 1 Dotcms | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters. | |||||
| CVE-2017-15423 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Inappropriate implementation in BoringSSL SPAKE2 in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the low-order bits of SHA512(password) by inspecting protocol traffic. | |||||
| CVE-2017-15427 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. | |||||
| CVE-2018-0715 | 1 Qnap | 1 Photo Station | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject JavaScript code into the affected application. | |||||
| CVE-2018-15546 | 1 Accusoft | 1 Prizmdoc | 2018-11-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file. | |||||
| CVE-2018-15880 | 1 Joomla | 1 Joomla! | 2018-11-02 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack. | |||||
| CVE-2018-8437 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2018-11-02 | 5.5 MEDIUM | 6.2 MEDIUM |
| A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka "Windows Hyper-V Denial of Service Vulnerability." This affects Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8436, CVE-2018-8438. | |||||
| CVE-2018-8438 | 1 Microsoft | 4 Windows 10, Windows 8.1, Windows Server and 1 more | 2018-11-02 | 6.8 MEDIUM | 6.8 MEDIUM |
| A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka "Windows Hyper-V Denial of Service Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8436, CVE-2018-8437. | |||||
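Most of the cross-site scripting entries above (for example CVE-2018-16759, where EasyCMS's removeXSS function still lets an onhashchange handler through) share one root cause: the application tries to strip dangerous input instead of encoding output for the context it is rendered in. The following is an added example, not code from EasyCMS or any other listed project; it is written in Python so it runs stand-alone, and the handler blacklist, the function names and the search-results page are all hypothetical. It shows a typical enumerated-handler filter missing an event name it never listed, and the output encoding that closes the whole class.

```python
import html
import re

# A blacklist in the style of a "removeXSS" helper: it strips only the event
# handlers its author thought of. Hypothetical list for this example.
KNOWN_HANDLERS = ("onclick", "onload", "onerror", "onmouseover", "onfocus")
_HANDLER_RE = re.compile(
    r"\s+(?:%s)\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+)" % "|".join(KNOWN_HANDLERS),
    re.IGNORECASE,
)


def blacklist_remove_xss(value: str) -> str:
    """Strip the handlers in KNOWN_HANDLERS and nothing else.

    Any handler not on the list (onhashchange, onanimationstart, ...) is
    passed through untouched, which is the failure mode of every blacklist.
    """
    return _HANDLER_RE.sub("", value)


def still_has_event_handler(markup: str) -> bool:
    """True if any on*= attribute survives, listed or not (a test oracle)."""
    return re.search(r"\son[a-z]+\s*=", markup, re.IGNORECASE) is not None


def escape_for_html_text(value: str) -> str:
    """Context-correct output encoding for HTML element content and
    double-quoted attribute values: <, >, &, " and ' become entities, so the
    browser can never read the value as markup, whatever handler it names."""
    return html.escape(value, quote=True)


def render_search_results(keyword: str) -> str:
    """Echo a reflected parameter the safe way: encode at the point of output,
    not by filtering at the point of input."""
    return "<h2>Results for %s</h2>" % escape_for_html_text(keyword)
```

The oracle function is there so a test can prove the point: the blacklist removes onerror but leaves onhashchange, while the encoded version contains no tag at all. Output encoding has to match the context (HTML text, attribute, URL, JavaScript string); html.escape covers the first two, which is where the listed reflected and stored XSS bugs live.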
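CVE-2018-16141 (ThinkCMF, arbitrary file deletion via an imgurl value containing a ..\ sequence) and CVE-2018-16437 (Gxlcms directory traversal) are both containment failures: a user-controlled path is joined to a base directory without checking that the result stays inside it, and a check that only looks for "../" misses the backslash form that Windows accepts. The example below is added here and is not code from either project; it is in Python so it runs stand-alone, the AVATAR_ROOT value and the delete_avatar wrapper are assumptions, and the deleter is injected so the example never touches the disk.

```python
import posixpath
from typing import Optional

# Directory the application is allowed to delete inside (assumed value).
AVATAR_ROOT = "/srv/app/uploads/avatars"


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the normalized absolute path if `user_path` stays inside
    `base_dir`, otherwise None.

    Backslashes are folded to slashes first because Windows treats both as
    separators, so a filter that only rejects "../" still lets "..\\" through.
    """
    if not user_path or "\x00" in user_path:
        return None
    candidate = user_path.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes such as "C:" up front.
    first_segment = candidate.split("/", 1)[0]
    if candidate.startswith("/") or ":" in first_segment:
        return None
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, candidate))
    # normpath has collapsed every ".." segment; what remains must be a strict
    # descendant of the base. The trailing slash stops "avatars_old" from
    # matching "avatars", and excludes the base directory itself.
    if not joined.startswith(base + "/"):
        return None
    return joined


def delete_avatar(imgurl: str, deleter=None) -> bool:
    """Delete the file named by imgurl only if it resolves inside AVATAR_ROOT.

    `deleter` is injected so this runs without side effects; real code would
    pass os.remove. Returns True when a deletion was performed.
    """
    target = resolve_within(AVATAR_ROOT, imgurl)
    if target is None:
        return False
    if deleter is not None:
        deleter(target)
    return True
```

This is a purely lexical check, which is what the listed bugs lack. It does not defend against a symlink already planted inside the base directory; for that, resolve the real path (os.path.realpath) of both sides on the live filesystem and apply the same prefix test to the results.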
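CVE-2018-16761 (Eventum) and CVE-2018-15683 (XBTIT, the "returnto" parameter of the login page) are open redirects: a post-login destination taken from the request is used without validation, so a phishing link on the real domain can bounce a logged-in user to an attacker's site. The validator below is an added example, not code from either project; it is in Python, and the allowed host list and the default landing page are assumptions. It accepts only site-relative paths or absolute http(s) URLs on an allowed host, and treats the scheme-relative and backslash forms that browsers accept as external.

```python
from urllib.parse import urlsplit

# Hosts an absolute URL may point to (assumed value for the example).
ALLOWED_HOSTS = {"tracker.example"}
DEFAULT_LANDING = "/index.php"


def safe_return_to(return_to, default=DEFAULT_LANDING):
    """Return `return_to` if it is a site-relative path or an http(s) URL on
    an allowed host; otherwise return `default`."""
    if not return_to:
        return default
    candidate = return_to.strip()
    # CR, LF or NUL would let the value break out of the Location header.
    if any(ch in candidate for ch in "\r\n\x00"):
        return default
    # Site-relative path: exactly one leading slash. "//host" is a
    # scheme-relative URL, and browsers also read "/\host" the same way.
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        return candidate
    # Anything else must parse as an absolute http(s) URL on an allowed host.
    # Fold backslashes to slashes first, because browsers do before parsing.
    try:
        parts = urlsplit(candidate.replace("\\", "/"))
    except ValueError:
        return default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return default
```

Using parts.hostname rather than parts.netloc matters: "https://tracker.example@evil.example/" has the allowed name in its userinfo, but its hostname is evil.example and it is rejected.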
