Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-12273 | 1 Ximdex | 1 Ximdex | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The /edit URI in the DMS component in Ximdex 4.0 has XSS via the Ciudad or Nombre parameter. | |||||
| CVE-2018-12272 | 1 Ximdex | 1 Ximdex | 2018-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| xowl/request.php in Ximdex 4.0 has XSS via the content parameter. | |||||
| CVE-2015-5146 | 3 Debian, Fedoraproject, Ntp | 3 Debian Linux, Fedora, Ntp | 2018-08-02 | 3.5 LOW | 5.3 MEDIUM |
| ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet. | |||||
| CVE-2018-5521 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2018-08-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS. | |||||
| CVE-2018-5522 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2018-08-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| On F5 BIG-IP 13.0.0, 12.0.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, when processing DIAMETER transactions with carefully crafted attribute-value pairs, TMM may crash. | |||||
| CVE-2018-5525 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2018-08-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| A local file vulnerability exists in the F5 BIG-IP Configuration utility on versions 13.0.0, 12.1.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 that exposes files containing F5-provided data only and do not include any configuration data, proxied traffic, or other potentially sensitive customer data. | |||||
| CVE-2018-12094 | 1 Dimofinf | 1 Dimofinf Cms | 2018-08-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS Version 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||||
| CVE-2018-12095 | 1 Oecms Project | 1 Oecms | 2018-08-01 | 3.5 LOW | 5.4 MEDIUM |
| A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php. | |||||
| CVE-2016-9064 | 1 Mozilla | 2 Firefox, Firefox Esr | 2018-08-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. | |||||
| CVE-2016-9903 | 1 Mozilla | 1 Firefox | 2018-08-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context. This vulnerability affects Firefox < 50.1. | |||||
| CVE-2018-12030 | 1 Chevereto | 1 Chevereto | 2018-08-01 | 3.5 LOW | 5.4 MEDIUM |
| Chevereto Free before 1.0.13 has XSS. | |||||
| CVE-2018-12102 | 1 Md4c Project | 1 Md4c | 2018-08-01 | 4.3 MEDIUM | 5.5 MEDIUM |
| md4c 0.2.6 has a NULL pointer dereference in the function md_process_line in md4c.c, related to ctx->current_block. | |||||
| CVE-2017-5407 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2018-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. | |||||
| CVE-2018-10198 | 1 Otrs | 1 Otrs | 2018-07-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets. | |||||
| CVE-2018-11553 | 1 Sgin | 1 Xiangyun Platform | 2018-07-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| SGIN.CN xiangyun platform V9.4.10 has XSS via the login_url parameter to /login.php. | |||||
| CVE-2017-18286 | 1 Nzedb | 1 Nzedb | 2018-07-31 | 3.5 LOW | 5.4 MEDIUM |
| nZEDb v0.7.3.3 has XSS in the 404 error page. | |||||
| CVE-2018-11409 | 1 Splunk | 1 Splunk | 2018-07-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key. | |||||
| CVE-2018-9182 | 1 Lynxtechnology | 1 Twonky Server | 2018-07-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Twonky Server before 8.5.1 has XSS via a modified "language" parameter in the Language section. | |||||
| CVE-2017-16126 | 1 Botbait Project | 1 Botbait | 2018-07-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| The module botbait is a tool to be used to track bot and automated tools usage with-in the npm ecosystem. botbait is known to record and track user information. The module tracks the following information. Source IP process.versions process.platform How the module was invoked (test, require, pre-install) | |||||
| CVE-2016-5288 | 1 Mozilla | 1 Firefox | 2018-07-30 | 4.3 MEDIUM | 5.9 MEDIUM |
| Web content could access information in the HTTP cache if e10s is disabled. This can reveal some visited URLs and the contents of those pages. This issue affects Firefox 48 and 49. This vulnerability affects Firefox < 49.0.2. | |||||
| CVE-2018-12111 | 1 Canon | 1 Efi Printme | 2018-07-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI webinterface allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /wt3/mydocs.php URI. | |||||
| CVE-2018-12108 | 1 Dropbox | 1 Lepton | 2018-07-30 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Dropbox Lepton 1.2.1. The validateAndCompress function in validation.cc allows remote attackers to cause a denial of service (SIGFPE and application crash) via a malformed file. | |||||
| CVE-2016-9067 | 1 Mozilla | 1 Firefox | 2018-07-30 | 5.0 MEDIUM | 6.5 MEDIUM |
| Two use-after-free errors during DOM operations resulting in potentially exploitable crashes. This vulnerability affects Firefox < 50. | |||||
| CVE-2016-9071 | 1 Mozilla | 1 Firefox | 2018-07-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. This vulnerability affects Firefox < 50. | |||||
| CVE-2016-5298 | 2 Google, Mozilla | 2 Android, Firefox | 2018-07-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded. Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. This vulnerability affects Firefox < 50. | |||||
| CVE-2016-5294 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2018-07-30 | 2.1 LOW | 5.5 MEDIUM |
| The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. | |||||
| CVE-2016-5293 | 3 Debian, Microsoft, Mozilla | 4 Debian Linux, Windows, Firefox and 1 more | 2018-07-30 | 2.1 LOW | 5.5 MEDIUM |
| When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. | |||||
| CVE-2016-5292 | 1 Mozilla | 1 Firefox | 2018-07-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. This vulnerability affects Firefox < 50. | |||||
| CVE-2016-5291 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2018-07-30 | 4.9 MEDIUM | 5.5 MEDIUM |
| A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. | |||||
| CVE-2017-0785 | 1 Google | 1 Android | 2018-07-28 | 3.3 LOW | 6.5 MEDIUM |
| A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698. | |||||
| CVE-2018-10506 | 1 Trendmicro | 1 Officescan | 2018-07-27 | 1.9 LOW | 4.7 MEDIUM |
| A out-of-bounds read information disclosure vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within the processing of IOCTL 0x220004 by the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2018-10057 | 2 Bfgminer, Cgminer Project | 2 Bfgminer, Cgminer | 2018-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal). | |||||
| CVE-2018-0871 | 1 Microsoft | 2 Edge, Windows 10 | 2018-07-27 | 4.3 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability exists when Edge improperly marks files, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8234. | |||||
| CVE-2017-17171 | 1 Huawei | 6 Mate 8, Mate 8 Firmware, P9 and 3 more | 2018-07-27 | 6.3 MEDIUM | 4.2 MEDIUM |
| Some Huawei smart phones have the denial of service (DoS) vulnerability due to the improper processing of malicious parameters. An attacker may trick a target user into installing a malicious APK and launch attacks using a pre-installed app with specific permissions. Successful exploit could allow the app to send specific parameters to the smart phone driver, which will result in system restart. | |||||
| CVE-2018-12266 | 1 Hongcms Project | 1 Hongcms | 2018-07-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| system\errors\404.php in HongCMS 3.0.0 has XSS via crafted input that triggers a 404 HTTP status code. | |||||
| CVE-2018-12353 | 1 Knowage-suite | 1 Knowage | 2018-07-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name field to the "Business Model's Catalogue" catalogue. | |||||
| CVE-2018-11735 | 1 Ximdex | 1 Ximdex | 2018-07-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.php?action=createaccount in Ximdex 4.0 has XSS via the sname or fname parameter. | |||||
| CVE-2018-8008 | 1 Apache | 1 Storm | 2018-07-20 | 5.8 MEDIUM | 5.5 MEDIUM |
| Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. | |||||
| CVE-2018-6591 | 1 Conversejs | 1 Converse.js | 2018-07-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Converse.js and Inverse.js through 3.3 allow remote attackers to obtain sensitive information because it is too difficult to determine whether safe publication of private data was configured or even intended. For example, users might have an expectation that chatroom bookmarks are private, but the various interacting software components do not necessarily make that happen. | |||||
| CVE-2018-12066 | 1 Bird Project | 1 Bird | 2018-07-20 | 2.1 LOW | 5.5 MEDIUM |
| BIRD Internet Routing Daemon before 1.6.4 allows local users to cause a denial of service (stack consumption and daemon crash) via BGP mask expressions in birdc. | |||||
| CVE-2018-10751 | 1 Samsung | 1 Samsung Mobile | 2018-07-20 | 5.4 MEDIUM | 5.3 MEDIUM |
| A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string. The Samsung ID is SVE-2018-11463. | |||||
| CVE-2014-2532 | 2 Openbsd, Oracle | 2 Openssh, Communications User Data Repository | 2018-07-19 | 5.8 MEDIUM | 4.9 MEDIUM |
| sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. | |||||
| CVE-2017-13218 | 1 Google | 1 Android | 2018-07-19 | 4.7 MEDIUM | 4.7 MEDIUM |
| Access to CNTVCT_EL0 in Small Cell SoC, Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear could be used for side channel attacks and this could lead to local information disclosure with no additional execution privileges needed in FSM9055, IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, QCA4531, QCA9980, QCN5502, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845. | |||||
| CVE-2018-11715 | 1 Recent Threads Project | 1 Recent Threads | 2018-07-18 | 3.5 LOW | 5.4 MEDIUM |
| The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject. | |||||
| CVE-2018-1000202 | 1 Jenkins | 1 Groovy Postbuild | 2018-07-18 | 3.5 LOW | 5.4 MEDIUM |
| A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | |||||
| CVE-2018-1000198 | 1 Jenkins | 1 Black Duck Hub | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document. | |||||
| CVE-2018-1000196 | 1 Jenkins | 1 Gitlab Hook | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token. | |||||
| CVE-2018-1000190 | 1 Jenkins | 1 Black Duck Hub | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000188 | 1 Jenkins | 1 Cas | 2018-07-18 | 5.5 MEDIUM | 5.4 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000187 | 1 Jenkins | 1 Kubernetes | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs. | |||||