Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-9283 | 1 Cremecrm | 1 Cremecrm | 2018-10-30 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 stored Cross-Site Scripting (XSS) vulnerabilities in the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters in the contact creation and modification page. The payload is stored within the application database and allows the execution of JavaScript code each time a client visit an infected page. | |||||
| CVE-2014-4932 | 1 Wordfence | 1 Wordfence Security | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php. | |||||
| CVE-2018-15697 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history. | |||||
| CVE-2018-15699 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the configuration files Version field. | |||||
| CVE-2018-15696 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi. | |||||
| CVE-2018-15698 | 1 Asustor | 1 Data Master | 2018-10-30 | 6.8 MEDIUM | 6.5 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi. | |||||
| CVE-2018-15695 | 1 Asustor | 1 Data Master | 2018-10-30 | 8.5 HIGH | 6.5 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi. | |||||
| CVE-2018-18655 | 1 Prayer Project | 1 Prayer | 2018-10-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| Prayer through 1.3.5 sends a Referer header, containing a user's username, when a user clicks on a link in their email because header.t lacks a no-referrer setting. | |||||
| CVE-2018-0659 | 1 Hibara | 1 Attachecase | 2018-10-30 | 5.8 MEDIUM | 5.5 MEDIUM |
| Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3.3.0.0 and earlier allows an attacker to create or overwrite existing files via specially crafted ATC file. | |||||
| CVE-2017-15299 | 1 Linux | 1 Linux Kernel | 2018-10-30 | 4.9 MEDIUM | 5.5 MEDIUM |
| The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call. | |||||
| CVE-2017-18216 | 1 Linux | 1 Linux Kernel | 2018-10-30 | 2.1 LOW | 5.5 MEDIUM |
| In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used. | |||||
| CVE-2018-12824 | 6 Adobe, Apple, Google and 3 more | 11 Flash Player, Flash Player Desktop Runtime, Mac Os X and 8 more | 2018-10-29 | 4.3 MEDIUM | 5.9 MEDIUM |
| Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2018-16142 | 1 Phpok | 1 Phpok | 2018-10-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function. | |||||
| CVE-2018-16381 | 1 E107 | 1 E107 | 2018-10-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. | |||||
| CVE-2018-16780 | 1 Complete Responsive Cms Blog Project | 1 Complete Responsive Cms Blog | 2018-10-29 | 3.5 LOW | 5.4 MEDIUM |
| Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment. | |||||
| CVE-2018-6599 | 1 Orbic | 2 Wonder Rc555l, Wonder Rc555l Firmware | 2018-10-29 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls. | |||||
| CVE-2018-14474 | 1 Goodoldweb | 1 Orange Forum | 2018-10-29 | 5.8 MEDIUM | 6.1 MEDIUM |
| views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup. | |||||
| CVE-2018-16665 | 1 Contiki-ng | 1 Contiki-ng. | 2018-10-26 | 3.6 LOW | 6.1 MEDIUM |
| An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow while parsing AQL in lvm_shift_for_operator in os/storage/antelope/lvm.c. | |||||
| CVE-2018-16725 | 1 Baijiacms Project | 1 Baijiacms | 2018-10-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue is discovered in baijiacms V4. XSS exists via the assets/weengine/components/zclip/ZeroClipboard.swf id parameter, aka "Non-standard use of the flash component." | |||||
| CVE-2018-15605 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-10-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature. | |||||
| CVE-2018-16642 | 3 Canonical, Debian, Imagemagick | 3 Ubuntu Linux, Debian Linux, Imagemagick | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| The function InsertRow in coders/cut.c in ImageMagick 7.0.7-37 allows remote attackers to cause a denial of service via a crafted image file due to an out-of-bounds write. | |||||
| CVE-2018-16410 | 1 Vanillaforums | 1 Vanilla | 2018-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php. | |||||
| CVE-2018-16330 | 1 Ipandao | 1 Editor.md | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid IMG element. | |||||
| CVE-2018-1353 | 1 Fortinet | 1 Fortimanager | 2018-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a standard user with adom assignment read the interface settings of vdoms unrelated to the assigned adom. | |||||
| CVE-2018-1000661 | 1 Jsish | 1 Jsish | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| jsish version 2.4.67 contains a CWE-476: NULL Pointer Dereference vulnerability in Jsi_LogMsg (jsiUtils.c:196) that can result in Crash due to segmentation fault. This attack appear to be exploitable via the victim executing specially crafted javascript code. This vulnerability appears to have been fixed in 2.4.69. | |||||
| CVE-2018-1000663 | 1 Jsish | 1 Jsish | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| jsish version 2.4.70 2.047 contains a Buffer Overflow vulnerability in function _jsi_evalcode from jsiEval.c that can result in Crash due to segmentation fault. This attack appear to be exploitable via The victim must execute crafted javascript code. | |||||
| CVE-2018-1000655 | 1 Jsish | 1 Jsish | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| Jsish version 2.4.65 contains a CWE-476: NULL Pointer Dereference vulnerability in Function jsi_ValueCopyMove from jsiValue.c:240 that can result in Crash due to segmentation fault. This attack appear to be exploitable via a crafted javascript code. This vulnerability appears to have been fixed in 2.4.67. | |||||
| CVE-2018-1000668 | 1 Jsish | 1 Jsish | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| jsish version 2.4.70 2.047 contains a CWE-125: Out-of-bounds Read vulnerability in function jsi_ObjArrayLookup (jsiObj.c:274) that can result in Crash due to segmentation fault. This attack appear to be exploitable via The victim must execute crafted javascript code. This vulnerability appears to have been fixed in 2.4.71. | |||||
| CVE-2018-16337 | 1 Chshcms | 1 Cscms | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save. | |||||
| CVE-2018-16315 | 1 Bijiadao | 1 Waimai Super Cms | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| In waimai Super Cms 20150505, there is a CSRF vulnerability that can change the configuration via admin.php?m=Config&a=add. | |||||
| CVE-2018-16348 | 1 Seacms | 1 Seacms | 2018-10-25 | 3.5 LOW | 4.8 MEDIUM |
| SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, related to the site name. | |||||
| CVE-2018-16347 | 1 Gleezcms | 1 Gleez Cms | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Gleez CMS v1.2.0. There is XSS via media/imagecache/resize. | |||||
| CVE-2018-16342 | 1 Showdoc | 1 Showdoc | 2018-10-25 | 3.5 LOW | 5.4 MEDIUM |
| ShowDoc v1.8.0 has XSS via a new page. | |||||
| CVE-2018-16361 | 1 Btiteam | 1 Xbtit | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in BTITeam XBTIT 2.5.4. news.php allows XSS via the id parameter. | |||||
| CVE-2018-16373 | 1 Frog Cms Project | 1 Frog Cms | 2018-10-25 | 4.0 MEDIUM | 4.9 MEDIUM |
| Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save. | |||||
| CVE-2018-16372 | 1 Ideacms | 1 Ideacms | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The issue was discovered in IdeaCMS through 2016-04-30. There is reflected XSS via the index.php?c=content&a=search kw parameter. NOTE: this product is discontinued. | |||||
| CVE-2018-16450 | 1 Craftedweb Project | 1 Craftedweb | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| CraftedWeb through 2013-09-24 has reflected XSS via the p parameter. | |||||
| CVE-2018-16458 | 1 Baigo | 1 Baigo Cms | 2018-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in baigo CMS v2.1.1. There is an index.php?m=article&c=request CSRF that can cause publication of any article. | |||||
| CVE-2018-0672 | 1 Sixapart | 1 Movable Type | 2018-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-16358 | 1 Dotclear | 1 Dotclear | 2018-10-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.php in the media manager in Dotclear through 2.14.1 allows remote authenticated users to upload HTML content containing an XSS payload with the file extension .ahtml. | |||||
| CVE-2018-16371 | 1 Pescms | 1 Pescms Team | 2018-10-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| PESCMS Team 2.2.1 has multiple reflected XSS via the keyword parameter: g=Team&m=User&a=index&keyword=, g=Team&m=User_group&a=index&keyword=, g=Team&m=Department&a=index&keyword=, and g=Team&m=Bulletin&a=index&keyword=. | |||||
| CVE-2018-16374 | 1 Frog Cms Project | 1 Frog Cms | 2018-10-24 | 3.5 LOW | 4.8 MEDIUM |
| Frog CMS 0.9.5 has stored XSS via /admin/?/plugin/comment/settings. | |||||
| CVE-2017-15418 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2018-10-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Use of uninitialized memory in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2018-15161 | 1 Libesedb Project | 1 Libesedb | 2018-10-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| ** DISPUTED ** The libesedb_key_append_data function in libesedb_key.c in libesedb through 2018-04-01 allows remote attackers to cause a heap-based buffer over-read via a crafted esedb file. NOTE: the vendor has disputed this as described in the GitHub issue comments. | |||||
| CVE-2018-16350 | 1 Wuzhi Cms Project | 1 Wuzhi Cms | 2018-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| WUZHI CMS 4.1.0 has XSS via the index.php?m=core&f=set&v=basic form[statcode] parameter. | |||||
| CVE-2018-16349 | 1 Wuzhi Cms Project | 1 Wuzhi Cms | 2018-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| WUZHI CMS 4.1.0 has XSS via the index.php?m=link&f=index&v=add form[remark] parameter. | |||||
| CVE-2014-6050 | 1 Phpmyfaq | 1 Phpmyfaq | 2018-10-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request. | |||||
| CVE-2014-6048 | 1 Phpmyfaq | 1 Phpmyfaq | 2018-10-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request. | |||||
| CVE-2014-6047 | 1 Phpmyfaq | 1 Phpmyfaq | 2018-10-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks. | |||||
| CVE-2018-16236 | 1 Cpanel | 1 Cpanel | 2018-10-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering. | |||||