Total: 201818 CVE entries
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000558 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-08-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| OCS Inventory NG ocsreports versions 2.4 and 2.3.1 contain a SQL injection vulnerability in the web search that allows an authenticated attacker to gain full access to the data stored in the database by sending crafted requests. This vulnerability appears to have been fixed in 2.4.1. | |||||
| CVE-2018-1000557 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| OCS Inventory NG ocsreports 2.4 contains a cross-site scripting (XSS) vulnerability in the login form and search functionality that allows an attacker to execute arbitrary JavaScript in a victim's browser; the victim must open a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1. | |||||
| CVE-2018-1000556 | 1 Veronalabs | 1 Wp Statistics | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress version 4.8+ contains a cross-site scripting (XSS) vulnerability in plugins.php or WordPress core on the delete function that allows an attacker to perform client-side attacks ranging from cookie theft to code injection. The attacker must craft a URL carrying the payload and send it to the user; the victim must open the link to be affected by the reflected XSS. | |||||
| CVE-2018-1000548 | 1 Umlet | 1 Umlet | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| Umlet versions before 14.3 contain an XML External Entity (XXE) vulnerability in file parsing that can result in disclosure of confidential data, denial of service, or server-side request forgery via a specially crafted UXF file. This vulnerability appears to have been fixed in 14.3. | |||||
| CVE-2018-1000546 | 1 Triplea-game | 1 Triplea | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| Triplea versions <= 1.9.0.0.10291 contain an XML External Entity (XXE) vulnerability when importing game data that can result in information disclosure, server-side request forgery, or remote code execution via a specially crafted game data file (XML). | |||||
| CVE-2018-1000543 | 1 Rockiger | 1 Akiee | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Akiee version 0.0.3 contains an XSS vulnerability that leads to code execution because of the use of Node integration: the "Details" field of a task is not validated, so the XSS results in arbitrary code execution. The attacker tricks the victim into opening a crafted markdown file. | |||||
| CVE-2018-1000542 | 1 Netbeans-mmd-plugin Project | 1 Netbeans-mmd-plugin | 2018-08-20 | 6.8 MEDIUM | 7.8 HIGH |
| netbeans-mmd-plugin versions <= 1.4.3 contain an XML External Entity (XXE) vulnerability in MMD file import that can result in information disclosure, server-side request forgery, or remote code execution via a specially crafted MMD file. | |||||
| CVE-2018-13002 | 1 Weblication | 1 Cms Core & Grid | 2018-08-20 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in Inhaltsprojekte in Weblication CMS Core & Grid v12.6.24. The vulnerability is located in the `wFilemanager.php` and `index.php` files of the `/grid5/scripts/` modules. The injection point is located in the Project `Title` and the execution point occurs in the `Inhaltsprojekte` output listing section. Remote attackers with privileged user accounts are able to inject their own malicious script code with a persistent attack vector to compromise user session credentials or to manipulate the affected web-application module output context. The request method to inject is POST. | |||||
| CVE-2018-13001 | 1 Sandoba | 1 Cp\ | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerability is located in the `admin.php` file of the `./cpshop/` module. Remote attackers are able to inject their own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is non-persistent and the request method to inject/execute is GET with the path, search, rename, or dir parameter. | |||||
| CVE-2018-13000 | 1 Anelectron | 1 Advanced Electron Forum | 2018-08-20 | 3.5 LOW | 4.8 MEDIUM |
| An XSS issue was discovered in Advanced Electron Forum (AEF) v1.0.9. A persistent XSS vulnerability is located in the `FTP Link` element of the `Private Message` module. The editor of the private message module allows inserting links without sanitizing the content. This allows remote attackers to inject malicious script code payloads as a private message (aka pmbody). The injection point is the editor ftp link element and the execution point occurs in the message body context on arrival. The request method to inject is POST with restricted user privileges. | |||||
| CVE-2018-12999 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-08-20 | 6.4 MEDIUM | 7.5 HIGH |
| Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI. | |||||
| CVE-2018-12996 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. | |||||
| CVE-2018-12995 | 1 Onefilecms | 1 Onefilecms | 2018-08-20 | 6.5 MEDIUM | 8.8 HIGH |
| onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the Upload screen. | |||||
| CVE-2018-12994 | 1 Onefilecms | 1 Onefilecms | 2018-08-20 | 6.5 MEDIUM | 8.8 HIGH |
| onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the New File screen. | |||||
| CVE-2018-12988 | 1 Greencms | 1 Greencms | 2018-08-20 | 5.0 MEDIUM | 7.5 HIGH |
| GreenCMS 2.3.0603 has an arbitrary file download vulnerability via an index.php?m=admin&c=media&a=downfile URI. | |||||
| CVE-2018-12984 | 1 Hycus Cms Project | 1 Hycus Cms | 2018-08-20 | 7.5 HIGH | 9.8 CRITICAL |
| Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credentials. | |||||
| CVE-2018-12982 | 1 Podofo Project | 1 Podofo | 2018-08-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| Invalid memory read in the PoDoFo::PdfVariant::DelayedLoad() function in PdfVariant.h in PoDoFo 0.9.6-rc1 allows remote attackers to have denial-of-service impact via a crafted file. | |||||
| CVE-2018-12971 | 1 Easycms | 1 Easycms | 2018-08-20 | 5.8 MEDIUM | 6.5 MEDIUM |
| EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users. | |||||
| CVE-2018-12919 | 1 Craftedweb Project | 1 Craftedweb | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In CraftedWeb through 2013-09-24, aasp_includes/pages/notice.php allows XSS via the e parameter. | |||||
| CVE-2018-12914 | 1 Publiccms | 1 Publiccms | 2018-08-20 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution issue was discovered in PublicCMS V4.0.20180210. An attacker can upload a ZIP archive that contains a .jsp file with a directory traversal pathname. After an unzip operation, the attacker can execute arbitrary code by visiting a .jsp URI. | |||||
| CVE-2017-14650 | 1 Horde | 1 Horde Image Api | 2018-08-18 | 6.8 MEDIUM | 8.1 HIGH |
| A Remote Code Execution vulnerability has been found in the Horde_Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. It's not exploitable through any Horde application, because the code path to the vulnerability is not used by any Horde code. Custom applications using the Horde_Image library might be affected. This vulnerability affects all versions of Horde_Image from 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input validation of the index field in _raw() during construction of an ImageMagick command line. | |||||
| CVE-2017-9773 | 1 Horde | 1 Horde Image | 2018-08-18 | 4.3 MEDIUM | 5.7 MEDIUM |
| Denial of Service was found in Horde_Image 2.x before 2.5.0 via a crafted URL to the "Null" image driver. | |||||
| CVE-2017-9774 | 1 Horde | 1 Horde Image Api | 2018-08-18 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution was found in Horde_Image 2.x before 2.5.0 via a crafted GET request. Exploitation requires authentication. | |||||
| CVE-2017-16837 | 1 Trusted Boot Project | 1 Trusted Boot | 2018-08-17 | 4.6 MEDIUM | 7.8 HIGH |
| Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers. | |||||
| CVE-2018-11085 | | | 2018-08-17 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2018. Notes: none. | |||||
| CVE-2018-1236 | | | 2018-08-17 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2018. Notes: none. | |||||
| CVE-2018-13155 | 1 Gemchain Project | 1 Gemchain | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for GEMCHAIN (GEM), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13156 | 1 Bonustoken Project | 1 Bonustoken | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for bonusToken (BNS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13157 | 1 Cryptonitexcoin Project | 1 Cryptonitexcoin | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for CryptonitexCoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13158 | 1 Assettoken Project | 1 Assettoken | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for AssetToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13159 | 1 Bankcoin Project | 1 Bankcoin | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for bankcoin (BNK), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13160 | 1 Etktokens Project | 1 Etktokens | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for etktokens (ETK), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13161 | 1 Multigames Project | 1 Multigames | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for MultiGames (MLT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13162 | 1 Alex Project | 1 Alex | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for ALEX, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13163 | 1 Ethernet Cash Project | 1 Ethernet Cash | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for Ethernet Cash (ENC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13164 | 1 Eppcoin Project | 1 Eppcoin | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for EPPCOIN (EPP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13165 | 1 Justdcoin Project | 1 Justdcoin | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for JustDCoin (JustD), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13166 | 1 Athleticoin Project | 1 Athleticoin | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for AthletiCoin (ATHA), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13167 | 1 Yu Gi Oh Project | 1 Yu Gi Oh | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for Yu Gi Oh (YGO), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13168 | 1 Netkillerbatchtoken Project | 1 Netkillerbatchtoken | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for Yu Gi Oh (YGO) (Contract Name: NetkillerBatchToken), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13171 | 1 Ladatoken Project | 1 Ladatoken | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for LadaToken (LDT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13172 | 1 Bzxcoin Project | 1 Bzxcoin | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for bzxcoin (BZX), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13173 | 1 Eliteshippertoken Project | 1 Eliteshippertoken | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for EliteShipperToken (ESHIP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13174 | 1 Cryptoabs Project | 1 Cryptoabs | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for CryptoABS (ABS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13175 | 1 Aichain Project | 1 Aichain | 2018-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for AIChain, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-0599 | 1 Microsoft | 1 Windows | 2018-08-17 | 9.3 HIGH | 7.8 HIGH |
| Untrusted search path vulnerability in the installer of Visual C++ Redistributable allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |||||
| CVE-2018-0609 | 1 Linecorp | 1 Line | 2018-08-17 | 6.8 MEDIUM | 7.8 HIGH |
| Untrusted search path vulnerability in LINE for Windows versions before 5.8.0 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |||||
| CVE-2018-0606 | 1 Pixelpost | 1 Pixelpost | 2018-08-17 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in the Pixelpost v1.7.3 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2018-0598 | 1 Microsoft | 1 Windows | 2018-08-17 | 9.3 HIGH | 7.8 HIGH |
| Untrusted search path vulnerability in Self-extracting archive files created by IExpress bundled with Microsoft Windows allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |||||
| CVE-2018-0600 | 2 Microsoft, Sony | 2 Windows, Playmemories Home | 2018-08-17 | 6.8 MEDIUM | 7.8 HIGH |
| Untrusted search path vulnerability in the installer of PlayMemories Home for Windows ver.5.5.01 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | |||||
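The authentication-bypass and SQL-injection entries above (CVE-2018-12984 in Hycus CMS, CVE-2018-1000558 in OCS Inventory ocsreports) share one root cause: user input spliced into the SQL text. The following is an added example, not code from Hycus CMS, OCS Inventory or any other listed product, showing a concatenated login query beside its parameterised form against an in-memory SQLite table. The Hycus payload `'='` relies on MySQL's loose string-to-number comparison, which SQLite does not do, so this demo uses the equivalent quote-breaking payloads `' OR ''='` and `admin' --` (an assumption that these are the same class of bypass); the `users` table and its single row are constructed here.

```python
"""Login query built by string concatenation versus a parameterised query.
Added example; the table, row and payloads are constructed for the demo."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed test row; a real application would store a password hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    return conn


def login_vulnerable(conn, username, password):
    """Input is spliced straight into the SQL text, so a quote in the input becomes syntax."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Placeholders: the driver binds the values separately, so quotes stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # password=' OR ''='  ->  ... AND password='' OR ''=''   (OR is evaluated last: always true)
    or_bypass = "' OR ''='"
    # username=admin' --   ->  ... WHERE username='admin' --' AND password='...'   (rest commented out)
    comment_bypass = "admin' --"
    return {
        "vulnerable_or": login_vulnerable(conn, "admin", or_bypass),
        "vulnerable_comment": login_vulnerable(conn, comment_bypass, "anything"),
        "fixed_or": login_fixed(conn, "admin", or_bypass),
        "fixed_comment": login_fixed(conn, comment_bypass, "anything"),
        "fixed_real_password": login_fixed(conn, "admin", "correct-horse-battery-staple"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both bypasses return the `admin` row from the concatenated query and nothing from the parameterised one; the parameterised query still accepts the genuine password, so the fix costs no functionality.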
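The three XXE entries (CVE-2018-1000548 in Umlet UXF parsing, CVE-2018-1000546 in Triplea game data import, CVE-2018-1000542 in netbeans-mmd-plugin MMD import) all stem from an XML importer that honours external entity declarations in a user-supplied file. The following is an added example and not code from any of those projects: it shows, with Python's expat binding, what a resolving parser does with a `SYSTEM` entity (the content of a local file ends up inside the document) and a hardened parser that refuses any DOCTYPE or entity declaration before parsing. The UXF-like document and the `secret.txt` file are constructed in a temporary directory; the element names are an assumption modelled on UXF, not the real schema.

```python
"""XXE: a resolving parser leaks a local file; the hardened parser refuses DTDs.
Added example; the document, the secret file and the element names are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.parsers.expat


def parse_resolving_entities(xml_bytes, base_dir):
    """Naive importer: resolves <!ENTITY x SYSTEM "..."> by reading the named file
    relative to base_dir. This is the behaviour an XXE-vulnerable importer has."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_chars(data):
        chunks.append(data)

    def on_external_entity(context, base, system_id, public_id):
        # The child parser inherits the handlers, so the file's text is reported
        # as character data of the element that referenced the entity.
        with open(os.path.join(base_dir, system_id), "rb") as f:
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(f.read(), True)
        return 1  # 0 would make expat raise XML_ERROR_EXTERNAL_ENTITY_HANDLING

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks).strip()


def parse_hardened(xml_bytes):
    """Diagram/game/mind-map files need no DTD, so refuse any DOCTYPE or ENTITY
    declaration outright. Decoding as strict UTF-8 first means a UTF-16 document,
    which a byte scan would miss, is rejected rather than silently parsed."""
    text = xml_bytes.decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD and entity declarations are not allowed in untrusted XML")
    return ET.fromstring(xml_bytes)


def demo():
    malicious = (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE diagram [<!ENTITY secret SYSTEM "secret.txt">]>\n'
        b'<diagram><element><panel_attributes>&secret;</panel_attributes></element></diagram>'
    )
    benign = b'<diagram><element><panel_attributes>Class A</panel_attributes></element></diagram>'
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "secret.txt"), "w") as f:
            f.write("db_password=hunter2")  # constructed secret the attacker wants
        leaked = parse_resolving_entities(malicious, d)
        try:
            parse_hardened(malicious)
            rejected = False
        except ValueError:
            rejected = True
    root = parse_hardened(benign)
    return {
        "leaked": leaked,
        "rejected": rejected,
        "benign_text": root.find("element/panel_attributes").text,
    }


if __name__ == "__main__":
    print(demo())
```

In a real importer the entity would typically point at `file:///etc/passwd` or an internal HTTP URL (the SSRF case named in the advisories); the relative path here only keeps the demo self-contained. Rejecting DTDs is the simplest fix when the format does not need them; if it does, disable external entity resolution in the parser instead.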
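CVE-2018-12999 (ManageEngine Desktop Central, `computerName=../` to `/agenttrayicon`) and CVE-2018-12914 (PublicCMS, a ZIP entry whose name traverses out of the unpack directory) are the same defect seen through two inputs: a user-controlled path component used without a containment check. The following is an added example, not ManageEngine or PublicCMS code, with one `resolve_within` check applied to both a delete handler and a ZIP extractor. The assumption that the servlet derives a file name from `computerName` is mine; the directories, files and archive entries are constructed in a temporary directory.

```python
"""Path containment for a request parameter and for ZIP entries (zip slip).
Added example; the delete-handler shape is an assumption and all files are constructed."""
import io
import os
import tempfile
import zipfile


def resolve_within(base_dir, untrusted_relative):
    """Absolute path of untrusted_relative inside base_dir, or None if it escapes.
    realpath collapses '..' and symlinks; commonpath proves containment."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_relative))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


def delete_agent_tray_icon(icon_dir, computer_name):
    """Hardened version of a handler that maps computerName to <icon_dir>/<name>.ico
    and deletes it. The vulnerable shape would call os.remove on the joined path directly."""
    target = resolve_within(icon_dir, computer_name + ".ico")
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that stay inside dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = resolve_within(dest_real, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(os.path.relpath(target, dest_real))
    return extracted, rejected


def demo():
    with tempfile.TemporaryDirectory() as root:
        icon_dir = os.path.join(root, "icons")
        os.makedirs(icon_dir)
        open(os.path.join(icon_dir, "HOST1.ico"), "w").close()
        open(os.path.join(root, "important.ico"), "w").close()  # lives outside icon_dir
        tray = {
            "legit_delete": delete_agent_tray_icon(icon_dir, "HOST1"),
            "traversal_delete": delete_agent_tray_icon(icon_dir, "../important"),
            "outside_file_survives": os.path.exists(os.path.join(root, "important.ico")),
        }
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:  # constructed upload
            zf.writestr("theme/index.html", "<h1>hello</h1>")
            zf.writestr("../../webapps/ROOT/shell.jsp", "<%-- placeholder --%>")
            zf.writestr("/etc/cron.d/evil", "placeholder")
        upload_dir = os.path.join(root, "uploads")
        os.makedirs(upload_dir)
        extracted, rejected = safe_extract(buf.getvalue(), upload_dir)
    return tray, extracted, rejected


if __name__ == "__main__":
    print(demo())
```

Note that `zipfile.extractall` in CPython already strips `..` components and leading slashes; many other extractors (and hand-rolled loops over `zf.open`) do not, which is why the check is done explicitly on the entry name rather than trusted to the library.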
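The block of token entries CVE-2018-13155 through CVE-2018-13175 all describe the same `mintToken` integer overflow: the owner picks `mintedAmount` so that `balanceOf[target] += mintedAmount` wraps modulo 2^256, which lets the owner set any holder's balance to any value. The following is an added example and not the code of any listed contract; it models the common `mintToken` shape in Python with explicit 256-bit arithmetic, beside a checked variant that reverts on overflow. The balances and amounts are constructed.

```python
"""mintToken overflow modelled with uint256 arithmetic.
Added example; the contract shape is the common one and the figures are constructed."""
UINT256_MAX = 2**256 - 1


class Token:
    """Minimal model of an ERC20-style token with an owner-only mintToken."""

    def __init__(self, owner, checked):
        self.owner = owner
        self.checked = checked          # True = SafeMath / Solidity >= 0.8 semantics
        self.balance_of = {}
        self.total_supply = 0

    def _add(self, a, b):
        if self.checked:
            # Checked addition: revert instead of wrapping.
            if a + b > UINT256_MAX:
                raise ArithmeticError("revert: addition overflow")
            return a + b
        return (a + b) & UINT256_MAX     # EVM wraps silently

    def mint_token(self, caller, target, minted_amount):
        if caller != self.owner:
            raise PermissionError("revert: onlyOwner")
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("mintedAmount must fit in uint256")
        self.balance_of[target] = self._add(self.balance_of.get(target, 0), minted_amount)
        self.total_supply = self._add(self.total_supply, minted_amount)


def amount_to_set_balance(current, desired):
    """The owner's trick: choose mintedAmount so current + mintedAmount wraps to desired."""
    return (desired - current) % 2**256


def demo():
    victim = "0xVICTIM"           # constructed address
    result = {}
    for checked in (False, True):
        t = Token(owner="0xOWNER", checked=checked)
        t.balance_of[victim] = 1000
        t.total_supply = 1000
        amount = amount_to_set_balance(t.balance_of[victim], 7)  # wrap 1000 down to 7
        try:
            t.mint_token("0xOWNER", victim, amount)
            reverted = False
        except ArithmeticError:
            reverted = True
        key = "checked" if checked else "unchecked"
        result[key] = {
            "reverted": reverted,
            "balance": t.balance_of[victim],
            "total_supply": t.total_supply,
        }
    return result


if __name__ == "__main__":
    print(demo())
```

In the unchecked model the victim's 1000 tokens become 7 and `totalSupply` wraps with them; in the checked model the same call reverts and nothing changes. Solidity 0.8 made arithmetic checked by default, so the unchecked behaviour is specific to contracts compiled with older versions that did not use a SafeMath library.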
