Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-2848 | 1 Isc | 1 Bind | 2018-09-27 | 5.0 MEDIUM | 7.5 HIGH |
| ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record. | |||||
| CVE-2016-9147 | 1 Isc | 1 Bind | 2018-09-27 | 5.0 MEDIUM | 7.5 HIGH |
| named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a response containing an inconsistency among the DNSSEC-related RRsets. | |||||
| CVE-2016-9444 | 1 Isc | 1 Bind | 2018-09-27 | 5.0 MEDIUM | 7.5 HIGH |
| named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. | |||||
| CVE-2015-8300 | 1 Polycom | 1 Btoe Connector | 2018-09-26 | 7.2 HIGH | 7.8 HIGH |
| Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for "Program Files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe," which allows local users to gain privileges via a Trojan horse file. | |||||
| CVE-2018-14905 | 1 3cx | 1 3cx Web Server | 2018-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter. | |||||
| CVE-2018-14906 | 1 3cx | 1 3cx Web Server | 2018-09-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on all stack traces' propertyPath parameters. | |||||
| CVE-2002-1639 | 1 Oracle | 1 Configurator | 2018-09-26 | 7.5 HIGH | N/A |
| Oracle Configurator before 11.5.7.17.32 and 11.5.6.16.53 allows remote attackers to obtain sensitive information via a request to the oracle.apps.cz.servlet.UiServlet servlet with the test parameter set to "version" or "host". | |||||
| CVE-2002-1640 | 1 Oracle | 1 Configurator | 2018-09-26 | 6.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Oracle Configurator before 11.5.7.17.32 and 11.5.6.16.53 allows remote attackers to inject arbitrary web script or HTML via (1) Text Features in the DHTML UI or (2) the test parameter to the oracle.apps.cz.servlet.UiServlet servlet. | |||||
| CVE-2003-0098 | 2 Apcupsd, Debian | 2 Apcupsd, Debian Linux | 2018-09-26 | 10.0 HIGH | N/A |
| Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server. | |||||
| CVE-2004-0167 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2018-09-26 | 7.5 HIGH | N/A |
| DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. | |||||
| CVE-2004-0168 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2018-09-26 | 10.0 HIGH | N/A |
| Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." | |||||
| CVE-2005-0597 | 1 Cisco | 1 Application And Content Networking Software | 2018-09-26 | 5.0 MEDIUM | N/A |
| Cisco devices running Application and Content Networking System (ACNS) 5.0 before 5.0.17.6 and 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (process restart) via a "crafted TCP connection." | |||||
| CVE-2005-1670 | 1 Extremenetworks | 3 Blackdiamond 10808, Blackdiamond 8800, Extremeware Xos | 2018-09-26 | 4.6 MEDIUM | N/A |
| Unknown vulnerability in Extreme BlackDiamond 10808 and 8800 switches running ExtremeWare XOS 11.1 before 11.1.3.3, 11.0 before 11.0.2.4, and 10.x allows remote authenticated users to execute arbitrary commands. | |||||
| CVE-2005-3498 | 1 Ibm | 1 Websphere Application Server | 2018-09-26 | 4.3 MEDIUM | N/A |
| IBM WebSphere Application Server 5.0.x before 5.02.15, 5.1.x before 5.1.1.8, and 6.x before fixpack V6.0.2.5, when session trace is enabled, records a full URL including the queryString in the trace logs when an application encodes a URL, which could allow attackers to obtain sensitive information. | |||||
| CVE-2018-14736 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A buffer over-read can occur in pbc_wmessage_string in wmessage.c for PTYPE_ENUM. | |||||
| CVE-2018-14737 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A NULL pointer dereference can occur in pbc_wmessage_string in wmessage.c. | |||||
| CVE-2018-14738 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in pbc_rmessage_message in rmessage.c. | |||||
| CVE-2018-14739 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in pbc_pattern_set_default in pattern.c. | |||||
| CVE-2018-14740 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in set_field_one in bootstrap.c while making a query. | |||||
| CVE-2018-14741 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in pbc_pattern_pack in pattern.c. | |||||
| CVE-2018-14742 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in set_field_one in bootstrap.c during a memcpy. | |||||
| CVE-2018-14743 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in wiretype_decode in context.c. | |||||
| CVE-2018-14744 | 1 Pbc Project | 1 Pbc | 2018-09-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A use-after-free can occur in _pbcM_sp_query in map.c. | |||||
| CVE-2017-16347 | 1 Insteon | 2 Hub, Hub Firmware | 2018-09-26 | 8.0 HIGH | 9.9 CRITICAL |
| An attacker could send an authenticated HTTP request to trigger this vulnerability in Insteon Hub running firmware version 1012. At 0x9d01e7d4 the value for the s_vol key is copied using strcpy to the buffer at 0xa0001700. This buffer is maximum 12 bytes large (this is the maximum size it could be, it is possible other global variables are stored between this variable and the next one that we could identify), sending anything longer will cause a buffer overflow. | |||||
| CVE-2015-1922 | 1 Ibm | 1 Db2 | 2018-09-26 | 3.5 LOW | N/A |
| The Data Movement implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to bypass intended access restrictions and delete table rows via unspecified vectors. | |||||
| CVE-2015-1935 | 1 Ibm | 1 Db2 | 2018-09-26 | 8.0 HIGH | N/A |
| The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors. | |||||
| CVE-2017-18202 | 1 Linux | 1 Linux Kernel | 2018-09-26 | 6.9 MEDIUM | 7.0 HIGH |
| The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window. | |||||
| CVE-2016-10593 | 1 Interactivebrokers | 1 Ibapi | 2018-09-25 | 9.3 HIGH | 8.1 HIGH |
| ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server. | |||||
| CVE-2013-3475 | 1 Ibm | 3 Db2, Db2 Connect, Smart Analytics System 7600 | 2018-09-25 | 7.2 HIGH | N/A |
| Stack-based buffer overflow in db2aud in the Audit Facility in IBM DB2 and DB2 Connect 9.1, 9.5, 9.7, 9.8, and 10.1, as used in Smart Analytics System 7600 and other products, allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2013-5466 | 1 Ibm | 3 Db2, Db2 Connect, Db2 Purescale Feature 9.8 | 2018-09-25 | 4.0 MEDIUM | N/A |
| The XSLT library in IBM DB2 and DB2 Connect 9.5 through 10.5, and the DB2 pureScale Feature 9.8 for Enterprise Server Edition, allows remote authenticated users to cause a denial of service via unspecified vectors. | |||||
| CVE-2013-6717 | 1 Ibm | 3 Db2, Db2 Connect, Db2 Purescale Feature 9.8 | 2018-09-25 | 4.0 MEDIUM | N/A |
| The OLAP query engine in IBM DB2 and DB2 Connect 9.7 through FP9, 9.8 through FP5, 10.1 through FP3, and 10.5 through FP2, and the DB2 pureScale Feature 9.8 for Enterprise Server Edition, allows remote authenticated users to cause a denial of service (database outage and deactivation) via unspecified vectors. | |||||
| CVE-2018-16771 | 1 Hoosk | 1 Hoosk | 2018-09-24 | 7.5 HIGH | 9.8 CRITICAL |
| Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php. | |||||
| CVE-2018-16772 | 1 Hoosk | 1 Hoosk | 2018-09-24 | 3.5 LOW | 4.8 MEDIUM |
| Hoosk v1.7.0 allows XSS via the Navigation Title of a new page entered at admin/pages/new. | |||||
| CVE-2018-16773 | 1 Easycms | 1 Easycms | 2018-09-24 | 3.5 LOW | 4.8 MEDIUM |
| EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field. | |||||
| CVE-2018-16774 | 1 Hongcms Project | 1 Hongcms | 2018-09-24 | 6.4 MEDIUM | 7.5 HIGH |
| HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/language/ajax?action=delete. | |||||
| CVE-2018-0607 | 1 Cybozu | 1 Garoon | 2018-09-24 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the Notifications application in the Cybozu Garoon 3.5.0 to 4.6.2 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-5639 | 2018-09-24 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||
| CVE-2018-10860 | 3 Canonical, Debian, Perl-archive-zip Project | 3 Ubuntu Linux, Debian Linux, Perl-archive-zip | 2018-09-23 | 6.4 MEDIUM | 7.5 HIGH |
| perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter. | |||||
| CVE-2018-0622 | 1 Dhc | 1 Dhc Online Shop | 2018-09-21 | 5.8 MEDIUM | 7.4 HIGH |
| The DHC Online Shop App for Android version 3.2.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2018-14493 | 1 Opmantek | 1 Open-audit | 2018-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Groups Page in Open-Audit Community 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the group name. | |||||
| CVE-2018-0654 | 1 Weseek | 1 Growi | 2018-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page. | |||||
| CVE-2018-0655 | 1 Weseek | 1 Growi | 2018-09-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page. | |||||
| CVE-2018-0652 | 1 Weseek | 1 Growi | 2018-09-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page. | |||||
| CVE-2018-0653 | 1 Weseek | 1 Growi | 2018-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view. | |||||
| CVE-2018-14066 | 3 Google, Infinixmobility, Lenovo | 3 Android, Infinix X571, Lenovo A7020 | 2018-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo. | |||||
| CVE-2013-4276 | 1 Littlecms | 1 Little Cms Color Engine | 2018-09-21 | 4.3 MEDIUM | N/A |
| Multiple stack-based buffer overflows in LittleCMS (aka lcms or liblcms) 1.19 and earlier allow remote attackers to cause a denial of service (crash) via a crafted (1) ICC color profile to the icctrans utility or (2) TIFF image to the tiffdiff utility. | |||||
| CVE-2016-9877 | 1 Pivotal Software | 1 Rabbitmq | 2018-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. | |||||
| CVE-2018-14328 | 1 Brynamics | 1 Online Trade | 2018-09-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, or /privacy&terms, as demonstrated by reading database username, database password, database_name, and IP address fields, related to CVE-2018-12908. | |||||
| CVE-2018-14570 | 1 Niushop | 1 B2b2c Multi-business | 2018-09-20 | 6.5 MEDIUM | 8.8 HIGH |
| A file upload vulnerability in application/shop/controller/member.php in Niushop B2B2C Multi-business basic version V1.11 allows any remote member to upload a .php file to the web server via a profile avatar field, by using an image Content-Type (e.g., image/jpeg) with a modified filename and file content. This results in arbitrary code execution by requesting that .php file. | |||||
| CVE-2017-18104 | 1 Atlassian | 1 Jira | 2018-09-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query. | |||||