Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000186 | 1 Jenkins | 1 Github Pull Request Builder | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000185 | 1 Jenkins | 1 Github Branch Source | 2018-07-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000184 | 1 Jenkins | 1 Github | 2018-07-18 | 5.5 MEDIUM | 5.4 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-1000183 | 1 Jenkins | 1 Github | 2018-07-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-1000182 | 1 Jenkins | 1 Git | 2018-07-18 | 5.5 MEDIUM | 6.4 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. | |||||
| CVE-2018-13303 | 1 Ffmpeg | 1 Ffmpeg | 2018-07-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bits8() in the avpriv_ac3_parse_header function in libavcodec/ac3_parser.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. | |||||
| CVE-2018-13301 | 1 Ffmpeg | 1 Ffmpeg | 2018-07-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. | |||||
| CVE-2018-3809 | 1 Zeit | 1 Serve | 2018-07-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| Information exposure through directory listings in serve 6.5.3 allows directory listing and file access even when they have been set to be ignored. | |||||
| CVE-2018-7747 | 1 Calderalabs | 1 Caldera Forms | 2018-07-17 | 3.5 LOW | 4.8 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form. | |||||
| CVE-2018-3562 | 1 Google | 1 Android | 2018-07-17 | 7.1 HIGH | 5.5 MEDIUM |
| Buffer over -read can occur while processing a FILS authentication frame in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. | |||||
| CVE-2018-4250 | 1 Apple | 1 Iphone Os | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Messages" component. It allows remote attackers to cause a denial of service via a crafted message. | |||||
| CVE-2018-4252 | 1 Apple | 1 Iphone Os | 2018-07-17 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and obtain private notification content via Siri. | |||||
| CVE-2018-4247 | 1 Apple | 2 Iphone Os, Safari | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. The issue involves the "Safari" component. It allows remote attackers to cause a denial of service (persistent Safari outage) via a crafted web site. | |||||
| CVE-2018-4244 | 1 Apple | 1 Iphone Os | 2018-07-17 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri Contacts" component. It allows physically proximate attackers to discover private contact information via Siri. | |||||
| CVE-2018-4235 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-07-17 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Messages" component. It allows local users to perform impersonation attacks via an unspecified injection. | |||||
| CVE-2018-4239 | 1 Apple | 1 Iphone Os | 2018-07-17 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Magnifier" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and see the most recent Magnifier image. | |||||
| CVE-2018-4224 | 2 Apple, Microsoft | 7 Apple Tv, Icloud, Iphone Os and 4 more | 2018-07-17 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of a persistent device identifier. | |||||
| CVE-2018-4198 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-07-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "UIKit" component. It allows remote attackers to cause a denial of service via a crafted text file. | |||||
| CVE-2018-4205 | 1 Apple | 1 Safari | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. Safari before 11.1.1 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar via a crafted web site. | |||||
| CVE-2018-4188 | 2 Apple, Microsoft | 6 Apple Tv, Icloud, Iphone Os and 3 more | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar via a crafted web site. | |||||
| CVE-2018-4223 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-07-17 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of a persistent account identifier. | |||||
| CVE-2018-11709 | 1 Gvectors | 1 Wpforo Forum | 2018-07-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI. | |||||
| CVE-2015-9096 | 1 Ruby-lang | 1 Ruby | 2018-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. | |||||
| CVE-2018-4141 | 1 Apple | 1 Mac Os X | 2018-07-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | |||||
| CVE-2018-4159 | 1 Apple | 1 Mac Os X | 2018-07-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Graphics Drivers" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. | |||||
| CVE-2018-4171 | 1 Apple | 1 Mac Os X | 2018-07-13 | 7.1 HIGH | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Bluetooth" component. It allows attackers to obtain sensitive kernel memory-layout information via a crafted app that leverages device properties. | |||||
| CVE-2018-4253 | 1 Apple | 1 Mac Os X | 2018-07-13 | 7.1 HIGH | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "AMD" component. It allows local users to bypass intended memory-read restrictions or cause a denial of service (out-of-bounds read of kernel memory) via a crafted app. | |||||
| CVE-2018-11568 | 1 Cactusthemes | 1 Gameplan-event And Gym Fitness | 2018-07-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the '<' and '>' characters have < and > representations. | |||||
| CVE-2018-11578 | 1 Miniupnp Project | 1 Ngiflib | 2018-07-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| GifIndexToTrueColor in ngiflib.c in MiniUPnP ngiflib 0.4 has a Segmentation fault. | |||||
| CVE-2018-1332 | 1 Apache | 1 Storm | 2018-07-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons. | |||||
| CVE-2017-12193 | 1 Linux | 1 Linux Kernel | 2018-07-13 | 4.9 MEDIUM | 5.5 MEDIUM |
| The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. | |||||
| CVE-2017-14106 | 1 Linux | 1 Linux Kernel | 2018-07-13 | 4.9 MEDIUM | 5.5 MEDIUM |
| The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. | |||||
| CVE-2017-18248 | 1 Apple | 1 Cups | 2018-07-13 | 3.5 LOW | 5.3 MEDIUM |
| The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification. | |||||
| CVE-2017-7639 | 1 Qnap | 1 Nas Proxy Server | 2018-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| QNAP NAS application Proxy Server through version 1.2.0 does not authenticate requests properly. Successful exploitation can lead to change of the settings of Proxy Server. | |||||
| CVE-2017-7636 | 1 Qnap | 1 Nas Proxy Server | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2018-12047 | 1 Ximdex | 1 Ximdex | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| xfind/search in Ximdex 4.0 has XSS via the filter[n][value] parameters for non-negative values of n, as demonstrated by n equal to 0 through 12. | |||||
| CVE-2018-9177 | 1 Lynxtechnology | 1 Twonky Server | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Twonky Server before 8.5.1 has XSS via a folder name on the Shared Folders screen. | |||||
| CVE-2018-12043 | 1 Getsymphony | 1 Symphony | 2018-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page. | |||||
| CVE-2014-9092 | 3 Canonical, Fedoraproject, Libjpeg-turbo | 3 Ubuntu Linux, Fedora, Libjpeg-turbo | 2018-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker. | |||||
| CVE-2017-15232 | 1 Libjpeg-turbo | 1 Libjpeg-turbo | 2018-07-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. | |||||
| CVE-2014-10067 | 1 Paypal-ipn Project | 1 Paypal-ipn | 2018-07-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production. | |||||
| CVE-2018-11680 | 1 Cmseasy | 1 Cmseasy | 2018-07-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate. | |||||
| CVE-2017-7672 | 1 Apache | 1 Struts | 2018-07-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. | |||||
| CVE-2016-6618 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2016-6622 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2016-6614 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 4.3 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2016-6615 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. | |||||
| CVE-2018-11564 | 1 Pagekit | 1 Pagekit | 2018-07-05 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger a XSS attack. | |||||
| CVE-2018-7976 | 1 Huawei | 1 Espace Desktop | 2018-07-05 | 3.5 LOW | 5.4 MEDIUM |
| There is a stored cross-site scripting (XSS) vulnerability in Huawei eSpace Desktop V300R001C00 and V300R001C50 version. Due to the insufficient validation of the input, an authenticated, remote attacker could exploit this vulnerability to send abnormal messages to the system and perform a XSS attack. A successful exploit could cause the eSpace Desktop to hang up, and the function will restore to normal after restarting the eSpace Desktop. | |||||
| CVE-2018-11580 | 1 Multidots | 1 Mass Pages\/posts Creator | 2018-07-05 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site and create hundreds of thousands of posts with custom content. | |||||