Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-9925 | 1 Icmsdev | 1 Icms | 2018-04-17 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request. | |||||
| CVE-2018-9922 | 1 Icmsdev | 1 Icms | 2018-04-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname. | |||||
| CVE-2018-8832 | 1 Enhavo | 1 Enhavo | 2018-04-17 | 3.5 LOW | 4.8 MEDIUM |
| enhavo 0.4.0 has XSS via a user-group that contains executable JavaScript code in the user-group name. The XSS attack launches when a victim visits the admin user group page. | |||||
| CVE-2017-17307 | 1 Huawei | 2 Vns-l21, Vns-l21 Firmware | 2018-04-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Some Huawei smartphones running software version VNS-L21AUTC555B141 have an out-of-bounds read vulnerability. Because a string lacks a terminator, an attacker who tricks a user into installing a malicious application can use that application to read out of bounds and possibly cause abnormal device behaviour. | |||||
| CVE-2017-17306 | 1 Huawei | 2 Vns-l21, Vns-l21 Firmware | 2018-04-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Some Huawei smartphones running software versions VNS-L21AUTC555B141, VNS-L21C10B160, VNS-L21C66B160, or VNS-L21C703B140 have an array out-of-bounds read vulnerability. Because array bounds are not verified, an attacker who tricks a user into installing a malicious application can use that application to read beyond the array and possibly cause abnormal device behaviour. | |||||
| CVE-2018-5233 | 1 Getgrav | 1 Grav Cms | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools. | |||||
| CVE-2018-0538 | 1 Qqq Systems Project | 1 Qqq Systems | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0534 | 1 Arsenol Project | 1 Arsenol | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in ArsenoL Version 0.5 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-10082 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php. | |||||
| CVE-2018-10033 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter. | |||||
| CVE-2018-10029 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799. | |||||
| CVE-2018-10032 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter. | |||||
| CVE-2018-8737 | 1 Bylancer | 1 Bookme | 2018-04-13 | 3.5 LOW | 5.4 MEDIUM |
| The Bookme Control Panel 2.0 application is vulnerable to stored XSS in the Customers "Book Me" function. In the Name and Note fields (custName and custNote) of the Customers screen, the application does not sanitize user-supplied input and renders injected JavaScript in the viewing user's browser. | |||||
| CVE-2018-8948 | 1 Misp-project | 1 Misp | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. | |||||
| CVE-2017-18247 | 1 Libav | 1 Libav | 2018-04-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| The av_audio_fifo_size function in libavutil/audio_fifo.c in Libav 12.2 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted media file. | |||||
| CVE-2018-0535 | 1 Php 2chbbs Project | 1 Php 2chbbs | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in PHP 2chBBS version bbs18c allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-8805 | 1 Yxcms | 1 Yxcms | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=guestbook request. | |||||
| CVE-2018-8815 | 1 Alkacon | 1 Opencms | 2018-04-13 | 3.5 LOW | 4.6 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image. | |||||
| CVE-2017-17319 | 1 Huawei | 2 P9, P9 Firmware | 2018-04-13 | 7.1 HIGH | 5.5 MEDIUM |
| Huawei P9 smartphones with versions before EVA-AL10C00B399SP02 have an information disclosure vulnerability. The software does not properly protect a certain resource that can be accessed from multiple threads. An attacker who tricks a user with root privilege into installing a crafted application could, on successful exploitation, obtain kernel information. | |||||
| CVE-2014-1665 | 1 Owncloud | 1 Owncloud | 2018-04-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. | |||||
| CVE-2018-8767 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| joyplus-cms 1.6.0 has XSS in manager/admin_ajax.php?action=save&tab={pre}vod_type via the t_name parameter. | |||||
| CVE-2018-1000139 | 1 I-librarian | 1 I Librarian | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian version 4.8 and earlier contains a cross-site scripting (XSS) vulnerability in the "id" parameter of stable.php, which an attacker can use to deliver a malicious script to an unsuspecting user. | |||||
| CVE-2017-17967 | 1 Ksosoft | 1 Wps Office | 2018-04-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| pptreader.dll in Kingsoft WPS Office 10.1.0.6930 allows remote attackers to cause a denial of service via a crafted PPT file, aka CNVD-2017-35482. | |||||
| CVE-2017-17958 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid parameter. | |||||
| CVE-2017-17956 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter. | |||||
| CVE-2017-17955 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter. | |||||
| CVE-2017-17954 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter. | |||||
| CVE-2017-17953 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter. | |||||
| CVE-2017-17949 | 1 Cells | 1 Blog | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter. | |||||
| CVE-2017-17948 | 1 Cells | 1 Blog | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request. | |||||
| CVE-2018-0536 | 1 Qqq Systems Project | 1 Qqq Systems | 2018-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via quiz.cgi. | |||||
| CVE-2018-0537 | 1 Qqq Systems Project | 1 Qqq Systems | 2018-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via quiz_op.cgi. | |||||
| CVE-2017-2585 | 1 Redhat | 3 Enterprise Linux Server, Keycloak, Single Sign On | 2018-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks. | |||||
| CVE-2018-8050 | 1 Afflib Project | 1 Afflib | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka AFFLIBv3) through 3.7.16 allows remote attackers to cause a denial of service (segmentation fault) via a corrupt AFF image that triggers an unexpected pagesize value. | |||||
| CVE-2015-7458 | 1 Ibm | 1 Connections | 2018-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108354. | |||||
| CVE-2015-7461 | 1 Ibm | 1 Connections | 2018-04-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. IBM X-Force ID: 108357. | |||||
| CVE-2018-8962 | 1 Libming | 1 Libming | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libming 0.4.8, the decompileSingleArgBuiltInFunctionCall function of decompile.c has a use-after-free. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted swf file. | |||||
| CVE-2018-8964 | 1 Libming | 1 Libming | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libming 0.4.8, the decompileDELETE function of decompile.c has a use-after-free. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted swf file. | |||||
| CVE-2018-8961 | 1 Libming | 1 Libming | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libming 0.4.8, the decompilePUSHPARAM function of decompile.c has a use-after-free. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted swf file. | |||||
| CVE-2018-8963 | 1 Libming | 1 Libming | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libming 0.4.8, the decompileGETVARIABLE function of decompile.c has a use-after-free. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted swf file. | |||||
| CVE-2018-8807 | 1 Libming | 1 Libming | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libming 0.4.8, there is a use-after-free in the decompileCALLFUNCTION function of decompile.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted swf file. | |||||
| CVE-2018-8806 | 1 Libming | 1 Libming | 2018-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In libming 0.4.8, there is a use-after-free in the decompileArithmeticOp function of decompile.c. Remote attackers could use this vulnerability to cause a denial-of-service via a crafted swf file. | |||||
| CVE-2015-7460 | 1 Ibm | 1 Connections | 2018-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108356. | |||||
| CVE-2015-7459 | 1 Ibm | 1 Connections | 2018-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108355. | |||||
| CVE-2018-8732 | 1 Wampserver | 1 Wampserver | 2018-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the virtual_del parameter. | |||||
| CVE-2017-14384 | 1 Dell | 1 Storage Manager | 2018-04-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMigration service is affected by a directory traversal vulnerability. A remote malicious user could potentially exploit this vulnerability to read unauthorized files by supplying specially crafted strings in input parameters of the application. A malicious user cannot delete or modify any files via this vulnerability. | |||||
| CVE-2018-6842 | 1 Kentico | 1 Kentico Cms | 2018-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page. | |||||
| CVE-2017-14140 | 1 Linux | 1 Linux Kernel | 2018-04-12 | 2.1 LOW | 5.5 MEDIUM |
| The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. | |||||
| CVE-2017-15116 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2018-04-12 | 4.9 MEDIUM | 5.5 MEDIUM |
| The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a denial of service (NULL pointer dereference). | |||||
| CVE-2017-11671 | 1 Gnu | 1 Gcc | 2018-04-12 | 2.1 LOW | 4.0 MEDIUM |
| Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation. | |||||
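
CVE-2018-8815 (Alkacon OpenCms) is the SVG variant of XSS: a gallery that stores an uploaded SVG and serves it back is serving an XML document that may carry `<script>`, `on*` event handlers, or `javascript:` links. The check below is an added example, not OpenCms code; the element and attribute names it flags and the four sample documents are constructed for the demonstration. It is a deny-list pre-screen for an upload handler, which is weaker than an allow-list sanitizer or rasterizing the image; serving user SVGs as `Content-Disposition: attachment` or from a separate origin remains the robust fix.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that can carry or load script when the SVG is rendered inline or as a document.
SCRIPT_CARRIER_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value is a URL the browser may navigate to or fetch
# (covers xlink:href once the namespace prefix is stripped).
URL_ATTRS = {"href", "src"}

# Constructed samples (not from the OpenCms advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="#0f0"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              b'<circle r="5"/></svg>')
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#9;script:alert(1)"><text>click</text></a></svg>')


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme,
    # so normalise before matching ("java\tscript:" is still javascript:).
    normalized = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
    return normalized.startswith(("javascript:", "vbscript:", "data:"))


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = none found)."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD or entity declarations present"]  # do not even parse these
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_CARRIER_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and _is_script_url(value):
                findings.append(f"script URL in {name} on <{tag}>: {value!r}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("onload", ONLOAD_SVG), ("href", HREF_SVG)]:
        print(f"{label:7s} -> {svg_findings(sample) or 'no findings'}")
```

The `HREF_SVG` sample hides a tab inside the scheme as `&#9;`; the normalisation step is what makes the check catch it, and it is the kind of detail a naive `startswith("javascript:")` misses.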
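
CVE-2017-2585 (Red Hat Keycloak before 2.5.1) is a non-constant-time HMAC comparison when verifying JWS tokens. The Python below is an added example written for this page, not Keycloak's Java code; the key and claims are constructed demo values. It signs an HS256 JWS, verifies it with the vulnerable early-exit comparison beside the hardened `hmac.compare_digest` form, and, instead of relying on wall-clock measurements, reports how many bytes the early-exit loop examined, which is the quantity a timing attack recovers to forge a tag one byte at a time.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed demo key and claims (assumptions for this example, not Keycloak values).
DEMO_KEY = b"demo-hs256-key-do-not-reuse"
DEMO_CLAIMS = {"sub": "alice", "realm": "example", "exp": 1700000000}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) using HMAC-SHA256."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def expected_and_presented_tags(token: str, key: bytes) -> tuple[bytes, bytes]:
    """Recompute the HMAC over the signing input and decode the presented signature."""
    header, payload, signature = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return expected, b64url_decode(signature)


def compare_variable_time(a: bytes, b: bytes) -> tuple[bool, int]:
    """Vulnerable pattern: byte-by-byte comparison that exits at the first mismatch.

    Returns (equal, bytes_examined). The count stands in for running time: it
    grows with the length of the correct prefix, which is what a remote timing
    attack measures to recover a valid tag one byte at a time.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_variable_time(token: str, key: bytes) -> tuple[bool, int]:
    expected, presented = expected_and_presented_tags(token, key)
    return compare_variable_time(expected, presented)


def verify_constant_time(token: str, key: bytes) -> bool:
    """Hardened form: hmac.compare_digest touches every byte regardless of mismatches."""
    expected, presented = expected_and_presented_tags(token, key)
    return hmac.compare_digest(expected, presented)


def forge_with_prefix(token: str, key: bytes, correct_prefix: int) -> str:
    """Demo helper: a token whose tag is right only in its first `correct_prefix` bytes.

    A real attacker has no key and learns the prefix from timing; the key is
    used here only to construct the guesses the attack would otherwise discover.
    """
    header, payload, _ = token.split(".")
    real, _ = expected_and_presented_tags(token, key)
    guess = real[:correct_prefix] + bytes(b ^ 0xFF for b in real[correct_prefix:])
    return f"{header}.{payload}.{b64url_encode(guess)}"


if __name__ == "__main__":
    token = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    for prefix in (0, 4, 16):
        accepted, examined = verify_variable_time(forge_with_prefix(token, DEMO_KEY, prefix), DEMO_KEY)
        print(f"correct prefix {prefix:2d} bytes -> accepted={accepted}, bytes examined={examined}")
    print("constant-time check on genuine token:", verify_constant_time(token, DEMO_KEY))
```

The Java equivalent of the fix is `MessageDigest.isEqual` (constant-time since Java 6u17) rather than `Arrays.equals` or `String.equals`; the `alg` check is included because a verifier that lets the token pick its algorithm has a separate, worse problem than timing.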
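
CVE-2015-7461 (IBM Connections) is an XXE entry whose impact is memory exhaustion rather than file disclosure: a DTD with nested entity declarations makes the parser materialise an output many orders of magnitude larger than the input. The block below is an added example, not IBM code; the three-level entity bomb is constructed and deliberately small. It contrasts what a stock `xml.etree` parse does with the same bytes against a parser built on `xml.parsers.expat` that refuses any DOCTYPE, entity declaration or external entity before expansion can begin. Recent Expat builds add amplification limits of their own, but the guard here does not depend on them.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML uses a feature we refuse to process."""


# Constructed sample: a three-level entity bomb (100 copies of "lol" after expansion).
# A real "billion laughs" document nests ten levels and expands to gigabytes of text.
LOL_SAMPLE = (
    b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n <!ENTITY lol "lol">\n'
    + b' <!ENTITY lol1 "' + b"&lol;" * 10 + b'">\n'
    + b' <!ENTITY lol2 "' + b"&lol1;" * 10 + b'">\n'
    + b"]>\n<lolz>&lol2;</lolz>\n"
)


def unguarded_text_length(data: bytes) -> int:
    """What a stock parser does: it expands the entities in memory and hands the
    result back, so the output size is set by the attacker, not by the input size."""
    return len(ET.fromstring(data).text or "")


def parse_untrusted(data: bytes, max_bytes: int = 1_000_000) -> list[tuple[str, dict]]:
    """Parse XML from an untrusted party without DTD processing.

    Refuses any DOCTYPE, any entity declaration and any external entity
    reference before a single byte of expansion happens, and caps the input
    size. Returns the (tag, attributes) pairs seen, in document order.
    """
    if len(data) > max_bytes:
        raise UnsafeXML(f"document exceeds {max_bytes} bytes")

    parser = expat.ParserCreate()
    elements: list[tuple[str, dict]] = []

    def refuse_doctype(*_args):
        raise UnsafeXML("DOCTYPE is not allowed in untrusted input")

    def refuse_entity_decl(*_args):
        raise UnsafeXML("entity declarations are not allowed in untrusted input")

    def refuse_external_entity(*_args):
        raise UnsafeXML("external entity references are not allowed")

    # An exception raised inside an expat callback aborts the parse and propagates out of Parse().
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return elements


if __name__ == "__main__":
    print("unguarded parser expands sample to", unguarded_text_length(LOL_SAMPLE), "characters")
    print("guarded parser on benign input:", parse_untrusted(b'<root><item id="1"/></root>'))
    try:
        parse_untrusted(LOL_SAMPLE)
    except UnsafeXML as exc:
        print("guarded parser on entity bomb:", exc)
```

Rejecting the DOCTYPE outright is the right default for machine-to-machine XML; if a schema genuinely needs a DTD, the size cap and the entity-declaration refusal still hold the expansion to what the document literally contains.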
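
CVE-2017-14384 (Dell Storage Manager, EMConfigMigration) is a read-only directory traversal: crafted input parameters let a remote user read files outside the intended directory. The block below is an added example, not Dell's service code; `resolve_within`, `run_demo` and the temporary directory layout are hypothetical names built for the demonstration. It places the string-prefix check that typically causes this class of bug beside a containment check that canonicalises the path (collapsing `..` and following symlinks) and then compares path components, and exercises both on a throwaway directory tree.

```python
from __future__ import annotations

import os
import posixpath
import tempfile
from pathlib import Path


class TraversalError(PermissionError):
    """Raised when a user-supplied path would escape the export directory."""


def naive_prefix_check_passes(base_dir: str, user_path: str) -> bool:
    """The pattern behind most traversal bugs: join the strings, then check the prefix.

    "../" segments survive the join, so the check accepts paths that later
    resolve outside base_dir.
    """
    joined = posixpath.join(base_dir, user_path)
    return joined.startswith(base_dir)


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and refuse anything that escapes it.

    Rejects absolute paths and NUL bytes up front, then canonicalises the
    candidate (collapsing ".." and following symlinks) and checks containment
    by path components rather than by string prefix.
    """
    if "\x00" in user_path or os.path.isabs(user_path):
        raise TraversalError(f"rejected path: {user_path!r}")
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def run_demo() -> dict[str, bool]:
    """Exercise the check in a throwaway directory tree; returns path -> accepted."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "exports"
        base.mkdir()
        (base / "report.txt").write_text("ok")
        (Path(tmp) / "secret.txt").write_text("outside the export directory")
        cases = ["report.txt", "sub/../report.txt", "../secret.txt",
                 "sub/../../secret.txt", "/etc/passwd", "report.txt\x00.png"]
        try:  # a symlink inside the tree that points outside it
            os.symlink(Path(tmp) / "secret.txt", base / "link.txt")
            cases.append("link.txt")
        except (OSError, NotImplementedError):
            pass  # platform does not allow creating symlinks here; skip that case
        for case in cases:
            try:
                resolve_within(str(base), case)
                results[case] = True
            except TraversalError:
                results[case] = False
    return results


if __name__ == "__main__":
    print("naive check accepts '../../etc/passwd':",
          naive_prefix_check_passes("/srv/exports", "../../etc/passwd"))
    for path, accepted in run_demo().items():
        print(f"{path!r:28} -> {'accepted' if accepted else 'rejected'}")
```

`sub/../report.txt` is accepted on purpose: the goal is containment after canonicalisation, not a ban on the `..` token, which is why the check is done on the resolved path and not on the raw string.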
