Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000154 | 1 Zammad | 1 Zammad | 2018-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zammad GmbH Zammad version 2.3.0 and earlier contains a Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails which are not html quoted in certain cases. This can result in the embedding and execution of java script code on users browser. This attack appear to be exploitable via the victim openning a ticket. This vulnerability appears to have been fixed in 2.3.1, 2.2.2 and 2.1.3. | |||||
| CVE-2018-8813 | 1 Wolfcms | 1 Wolf Cms | 2018-05-10 | 4.9 MEDIUM | 4.8 MEDIUM |
| Open redirect vulnerability in the login[redirect] parameter login functionality in WolfCMS 0.8.3.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL. | |||||
| CVE-2018-9172 | 1 Iptanus | 1 Wordpress File Upload | 2018-05-10 | 3.5 LOW | 5.4 MEDIUM |
| The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes. | |||||
| CVE-2018-1091 | 1 Linux | 1 Linux Kernel | 2018-05-10 | 4.9 MEDIUM | 5.5 MEDIUM |
| In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service. | |||||
| CVE-2016-9191 | 1 Linux | 1 Linux Kernel | 2018-05-10 | 4.9 MEDIUM | 5.5 MEDIUM |
| The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity. | |||||
| CVE-2018-8814 | 1 Wolfcms | 1 Wolf Cms | 2018-05-09 | 5.8 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request. | |||||
| CVE-2018-10051 | 1 Iscripts | 1 Supportdesk | 2018-05-09 | 3.5 LOW | 5.4 MEDIUM |
| iScripts SupportDesk v4.3 has XSS via the staff/inteligentsearchresult.php txtinteligentsearch parameter. | |||||
| CVE-2018-10052 | 1 Iscripts | 1 Supportdesk | 2018-05-09 | 3.5 LOW | 4.8 MEDIUM |
| iScripts SupportDesk v4.3 has XSS via the admin/inteligentsearchresult.php txtinteligentsearch parameter. | |||||
| CVE-2018-10049 | 1 Iscripts | 1 Eswap | 2018-05-09 | 3.5 LOW | 4.8 MEDIUM |
| iScripts eSwap v2.4 has XSS via the "registration_settings.php" txtDate parameter in the Admin Panel. | |||||
| CVE-2018-9857 | 1 Match Clone Script Project | 1 Match Clone Script | 2018-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to searchbyid.php (aka the "View Search By Id" screen). | |||||
| CVE-2018-9328 | 1 Redbus Clone Script Project | 1 Redbus Clone Script | 2018-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall Redbus Clone Script 3.0.6 has XSS via the ter_from or tag parameter to results.php. | |||||
| CVE-2018-7035 | 1 Gleezcms | 1 Gleez Cms | 2018-05-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Gleez CMS 1.2.0 and 2.0 might allow remote attackers (users) to inject JavaScript via HTML content in an editor, which will result in Stored XSS when an Administrator tries to edit the same content, as demonstrated by use of the source editor for HTML mode in an Add Blog action. | |||||
| CVE-2017-18097 | 1 Atlassian | 1 Jira | 2018-05-09 | 3.5 LOW | 5.4 MEDIUM |
| The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. | |||||
| CVE-2017-18098 | 1 Atlassian | 1 Jira | 2018-05-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields. | |||||
| CVE-2018-9034 | 1 Relevanssi | 1 Relevanssi | 2018-05-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter. | |||||
| CVE-2018-6905 | 1 Typo3 | 1 Typo3 | 2018-05-09 | 3.5 LOW | 4.8 MEDIUM |
| The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process. | |||||
| CVE-2017-13275 | 1 Google | 1 Android | 2018-05-09 | 1.9 LOW | 5.5 MEDIUM |
| In getVSCoverage of CmapCoverage.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-70808908. | |||||
| CVE-2017-13290 | 1 Google | 1 Android | 2018-05-09 | 2.1 LOW | 6.2 MEDIUM |
| In sdp_server_handle_client_req of sdp_server.cc, there is an out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-69384124. | |||||
| CVE-2017-13257 | 1 Google | 1 Android | 2018-05-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| In bta_pan_data_buf_ind_cback of bta_pan_act.cc there is a use after free that can result in an out of bounds read of memory allocated via malloc. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-67110692. | |||||
| CVE-2017-13262 | 1 Google | 1 Android | 2018-05-08 | 3.3 LOW | 6.5 MEDIUM |
| In bnep_data_ind of bnep_main.cc, there is a possible out of bounds read due to a missing length decrement operation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-69271284. | |||||
| CVE-2017-13304 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A information disclosure vulnerability in the Upstream kernel mnh_sm driver. Product: Android. Versions: Android kernel. Android ID: A-70576999. | |||||
| CVE-2017-13303 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A information disclosure vulnerability in the Broadcom bcmdhd driver. Product: Android. Versions: Android kernel. Android ID: A-71359108. References: B-V2018010501. | |||||
| CVE-2017-13298 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A information disclosure vulnerability in the Android media framework (libhavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-72117051. | |||||
| CVE-2017-13296 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A information disclosure vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-70897454. | |||||
| CVE-2017-13297 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A information disclosure vulnerability in the Android media framework (libhevc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-71766721. | |||||
| CVE-2017-13294 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A information disclosure vulnerability in the Android framework (aosp email application). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-71814449. | |||||
| CVE-2017-13295 | 1 Google | 1 Android | 2018-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A denial of service vulnerability in the Android framework (package installer). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-62537081. | |||||
| CVE-2017-13269 | 1 Google | 1 Android | 2018-05-08 | 3.3 LOW | 4.3 MEDIUM |
| A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-68818034. | |||||
| CVE-2017-13268 | 1 Google | 1 Android | 2018-05-08 | 3.3 LOW | 4.3 MEDIUM |
| A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-67058064. | |||||
| CVE-2017-18184 | 1 Qpdf Project | 1 Qpdf | 2018-05-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in QPDF before 7.0.0. There is a stack-based out-of-bounds read in the function iterate_rc4 in QPDF_encryption.cc. | |||||
| CVE-2017-18185 | 1 Qpdf Project | 1 Qpdf | 2018-05-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in QPDF before 7.0.0. There is a large heap-based out-of-bounds read in the Pl_Buffer::write function in Pl_Buffer.cc. It is caused by an integer overflow in the PNG filter. | |||||
| CVE-2015-9252 | 1 Qpdf Project | 1 Qpdf | 2018-05-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in QPDF before 7.0.0. Endless recursion causes stack exhaustion in QPDFTokenizer::resolveLiteral() in QPDFTokenizer.cc, related to the QPDF::resolve function in QPDF.cc. | |||||
| CVE-2016-10234 | 1 Google | 1 Android | 2018-05-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability in the Qualcomm IPA driver. Product: Android. Versions: Android kernel. Android ID: A-34390017. References: QC-CR#1069060. | |||||
| CVE-2018-4092 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-05-04 | 2.6 LOW | 4.7 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Kernel" component. A race condition allows attackers to bypass intended memory-read restrictions via a crafted app. | |||||
| CVE-2017-13863 | 1 Apple | 1 Iphone Os | 2018-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "APNs" component. It allows man-in-the-middle attackers to track users by leveraging the transmission of client certificates. | |||||
| CVE-2018-4086 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Security" component. It allows remote attackers to spoof certificate validation via crafted name constraints. | |||||
| CVE-2017-13839 | 1 Apple | 1 Mac Os X | 2018-05-04 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Spotlight" component. It allows local users to see results for other users' files. | |||||
| CVE-2018-4107 | 1 Apple | 1 Mac Os X | 2018-05-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "PDFKit" component. It allows remote attackers to bypass intended restrictions on visiting URLs within a PDF document. | |||||
| CVE-2018-4168 | 1 Apple | 1 Iphone Os | 2018-05-04 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Files Widget" component. It allows physically proximate attackers to obtain sensitive information by leveraging the display of cached data on a locked device. | |||||
| CVE-2018-4176 | 1 Apple | 1 Mac Os X | 2018-05-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Disk Images" component. It allows attackers to trigger an app launch upon mounting a crafted disk image. | |||||
| CVE-2017-15129 | 1 Linux | 1 Linux Kernel | 2018-05-04 | 4.9 MEDIUM | 5.5 MEDIUM |
| A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely. | |||||
| CVE-2016-10167 | 1 Libgd | 1 Libgd | 2018-05-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. | |||||
| CVE-2017-7890 | 1 Php | 1 Php | 2018-05-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information. | |||||
| CVE-2017-7075 | 1 Apple | 1 Iphone Os | 2018-05-03 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Notes" component. It allows local users to obtain sensitive information by reading search results that contain locked-note content. | |||||
| CVE-2018-9238 | 1 Yahei | 1 Yahei Php Prober | 2018-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter. | |||||
| CVE-2017-18224 | 1 Linux | 1 Linux Kernel | 2018-05-03 | 1.9 LOW | 4.7 MEDIUM |
| In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field. | |||||
| CVE-2016-9731 | 1 Ibm | 1 Business Process Manager | 2018-05-02 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2017-6103 | 1 Anyvar Project | 1 Anyvar | 2018-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1. | |||||
| CVE-2016-0204 | 1 Ibm | 1 Cloud Orchestrator | 2018-05-02 | 5.8 MEDIUM | 6.8 MEDIUM |
| Open redirect vulnerability in IBM Cloud Orchestrator 2.4.x before 2.4.0 FP3 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2016-5598 | 1 Oracle | 1 Mysql Connector\/python | 2018-05-02 | 6.8 MEDIUM | 5.6 MEDIUM |
| Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python. | |||||