Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5350 | 1 Cloudfoundry | 1 Garden | 2018-04-18 | 5.0 MEDIUM | 7.5 HIGH |
| In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garden installations with a malicious custom buildpack an end user could read files on the host system that the BOSH-created vcap user has permissions to read and then package them into their app droplet. | |||||
| CVE-2018-8973 | 1 Otcms | 1 Otcms | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| OTCMS 3.20 allows XSS by adding a keyword or link to an article, as demonstrated by an admin/keyWord_deal.php?mudi=add request. | |||||
| CVE-2018-7719 | 2 Acrolinx, Microsoft | 2 Acrolinx Server, Windows | 2018-04-18 | 5.0 MEDIUM | 7.5 HIGH |
| Acrolinx Server before 5.2.5 on Windows allows Directory Traversal. | |||||
| CVE-2018-8978 | 1 Open-audit | 1 Open-audit | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an IMG element within a URI. | |||||
| CVE-2018-9130 | 1 Ibos | 1 Ibos | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBOS 4.4.3 has XSS via a company full name. | |||||
| CVE-2018-9020 | 1 Events Manager Project | 1 Events Manager | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Google Maps miniature. | |||||
| CVE-2015-9257 | 1 Bmc | 1 Remedy Action Request System | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 hot fix 1 has persistent XSS. | |||||
| CVE-2018-8943 | 1 Phpshe | 1 Phpshe | 2018-04-18 | 7.5 HIGH | 9.8 CRITICAL |
| There is a SQL injection in the PHPSHE 1.6 userbank parameter. | |||||
| CVE-2018-3626 | 3 Intel, Linux, Microsoft | 3 Sgx Sdk, Linux Kernel, Windows | 2018-04-18 | 1.9 LOW | 4.7 MEDIUM |
| Edger8r tool in the Intel SGX SDK before version 2.1.2 (Linux) and 1.9.6 (Windows) may generate code that is susceptible to a side channel potentially allowing a local user to access unauthorized information. | |||||
| CVE-2018-5768 | 1 Tendacn | 2 Ac15, Ac15 Firmware | 2018-04-18 | 10.0 HIGH | 9.8 CRITICAL |
| A remote, unauthenticated attacker can gain remote code execution on the Tenda AC15 router with a specially crafted password parameter for the COOKIE header. | |||||
| CVE-2017-18242 | 1 Libav | 1 Libav | 2018-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The apply_dependent_coupling function in libavcodec/aacdec.c in Libav 12.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted aac file. | |||||
| CVE-2017-18243 | 1 Libav | 1 Libav | 2018-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The unpack_parse_unit function in libavcodec/dirac_parser.c in Libav 12.2 allows remote attackers to cause a denial of service (segmentation fault) via a crafted file. | |||||
| CVE-2017-18244 | 1 Libav | 1 Libav | 2018-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The stereo_processing function in libavcodec/aacps.c in Libav 12.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted aac file, related to ff_ps_apply. | |||||
| CVE-2016-10717 | 1 Malwarebytes | 1 Malwarebytes Anti-malware | 2018-04-18 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in the encryption and permission implementation of Malwarebytes Anti-Malware consumer version 2.2.1 and prior (fixed in 3.0.4) allows an attacker to take control of the whitelisting feature (exclusions.dat under %SYSTEMDRIVE%\ProgramData) to permit execution of unauthorized applications including malware and malicious websites. Files blacklisted by Malwarebytes Malware Protect can be executed, and domains blacklisted by Malwarebytes Web Protect can be reached through HTTP. | |||||
| CVE-2018-8957 | 1 Covercms Project | 1 Covercms | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related to admina/mconfigs.inc.php. | |||||
| CVE-2018-8942 | 1 Xiuno Bbs Project | 1 Xiuno Bbs | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| Xiuno BBS 4.0.0 has XSS in the adminpage sitename parameter. | |||||
| CVE-2018-8903 | 1 Open-audit | 1 Open-audit | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| Open-AudIT Professional 2.1 allows XSS via the Name or Description field on the Credentials screen. | |||||
| CVE-2014-2274 | 1 Subscribe To Comments Reloaded Project | 1 Subscribe To Comments Reloaded | 2018-04-18 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Subscribe To Comments Reloaded plugin before 140219 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via a request to the subscribe-to-comments-reloaded/options/index.php page to wp-admin/admin.php. | |||||
| CVE-2016-10713 | 1 Gnu | 1 Patch | 2018-04-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file. | |||||
| CVE-2017-12110 | 1 Libxls Project | 1 Libxls | 2018-04-18 | 6.8 MEDIUM | 7.8 HIGH |
| An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. | |||||
| CVE-2017-12111 | 1 Libxls Project | 1 Libxls | 2018-04-18 | 6.8 MEDIUM | 7.8 HIGH |
| An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file with a formula record can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. | |||||
| CVE-2018-8906 | 1 Dsmall Project | 1 Dsmall | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| dsmall v20180320 has XSS via a crafted street address to public/index.php/home/memberaddress/index.html, which is mishandled at public/index.php/home/memberaddress/edit/address_id/2.html. | |||||
| CVE-2017-18094 | 1 Atlassian | 2 Crucible, Fisheye | 2018-04-18 | 3.5 LOW | 4.8 MEDIUM |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository. | |||||
| CVE-2018-8899 | 1 Identityserver | 1 Identityserver4 | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations. | |||||
| CVE-2018-9016 | 1 Dsmall Project | 1 Dsmall | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| dsmall v20180320 allows XSS via the main page search box at the public/index.php/home URI. | |||||
| CVE-2018-9017 | 1 Dsmall Project | 1 Dsmall | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| dsmall v20180320 allows XSS via the member search box at the public/index.php/home/membersnsfriend/findlist.html URI. | |||||
| CVE-2018-9307 | 1 Dsmall Project | 1 Dsmall | 2018-04-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| dsmall v20180320 allows XSS via the pdr_sn parameter to public/index.php/home/predeposit/index.html. | |||||
| CVE-2018-9015 | 1 Dsmall Project | 1 Dsmall | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| dsmall v20180320 allows XSS via the public/index.php/home/predeposit/index.html pdr_sn parameter (aka the CMS search box). | |||||
| CVE-2015-7434 | 1 Ibm | 1 Capacity Management Analytics | 2018-04-18 | 2.1 LOW | 7.8 HIGH |
| IBM Capacity Management Analytics 2.1.0.0 allows local users to discover encrypted usernames and passwords by leveraging access to the CMA install machine. IBM X-Force ID: 107863. | |||||
| CVE-2015-7432 | 1 Ibm | 1 Capacity Management Analytics | 2018-04-18 | 2.1 LOW | 7.8 HIGH |
| IBM Capacity Management Analytics 2.1.0.0 allows local users to decrypt usernames and passwords by leveraging access to setenv.sh and parameter.txt. IBM X-Force ID: 107861. | |||||
| CVE-2015-7433 | 1 Ibm | 1 Capacity Management Analytics | 2018-04-18 | 2.1 LOW | 7.8 HIGH |
| IBM Capacity Management Analytics 2.1.0.0 allows local users to discover cleartext usernames and passwords by leveraging access to the CMA install machine. IBM X-Force ID: 107862. | |||||
| CVE-2018-9121 | 1 Crea8social | 1 Crea8social | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post comment. | |||||
| CVE-2018-9122 | 1 Crea8social | 1 Crea8social | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| In Crea8social 2018.2, there is Reflected Cross-Site Scripting via the term parameter to the /search URI. | |||||
| CVE-2018-9123 | 1 Crea8social | 1 Crea8social | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| In Crea8social 2018.2, there is Stored Cross-Site Scripting via a User Profile. | |||||
| CVE-2018-9120 | 1 Crea8social | 1 Crea8social | 2018-04-18 | 3.5 LOW | 5.4 MEDIUM |
| In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post. | |||||
| CVE-2018-8968 | 1 Zzcms | 1 Zzcms | 2018-04-17 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | |||||
| CVE-2018-8969 | 1 Zzcms | 1 Zzcms | 2018-04-17 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | |||||
| CVE-2018-8965 | 1 Zzcms | 1 Zzcms | 2018-04-17 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | |||||
| CVE-2018-8966 | 1 Zzcms | 1 Zzcms | 2018-04-17 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. | |||||
| CVE-2018-8967 | 1 Zzcms | 1 Zzcms | 2018-04-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. | |||||
| CVE-2017-0748 | 1 Google | 1 Android | 2018-04-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in the Qualcomm audio driver. Product: Android. Versions: Android Kernel. Android ID: A-35764875. References: QC-CR#2029798. | |||||
| CVE-2018-7193 | 1 Osticket | 1 Osticket | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "order" parameter. | |||||
| CVE-2018-7194 | 1 Osticket | 1 Osticket | 2018-04-17 | 4.0 MEDIUM | 4.9 MEDIUM |
| Integer format vulnerability in the ticket number generator in Enhancesoft osTicket before 1.10.2 allows remote attackers to cause a denial-of-service (preventing the creation of new tickets) via a large number of digits in the ticket number format setting. | |||||
| CVE-2018-7196 | 1 Osticket | 1 Osticket | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "sort" parameter. | |||||
| CVE-2018-7192 | 1 Osticket | 1 Osticket | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "message" parameter. | |||||
| CVE-2018-10081 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-17 | 5.0 MEDIUM | 9.8 CRITICAL |
| CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring. | |||||
| CVE-2018-9923 | 1 Icmsdev | 1 Icms | 2018-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. | |||||
| CVE-2018-9924 | 1 Icmsdev | 1 Icms | 2018-04-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request. | |||||
| CVE-2018-9925 | 1 Icmsdev | 1 Icms | 2018-04-17 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request. | |||||
| CVE-2018-9922 | 1 Icmsdev | 1 Icms | 2018-04-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname. | |||||
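The CVE-2018-10081 entry above (CMS Made Simple, "a hash beginning with the 0e substring") describes a PHP loose-comparison flaw. The following is an added example written for this page, not CMS Made Simple's own reset code: it reduces the bug to its primitive and shows the strict check that closes it. The function names, the reset-token framing and the two input strings are illustrative choices; the two inputs are well-known strings whose MD5 digests have the form 0e followed only by digits.

```php
<?php
// Added example, not CMS Made Simple code: why a hash of the form "0e<digits>"
// passes a PHP loose comparison, and the strict check that closes the hole.
//
// PHP's == between two numeric-looking strings compares them as numbers.
// "0e462097..." is scientific notation for 0 * 10^462097..., i.e. zero, so two
// different digests that both match /^0e[0-9]+$/ compare as 0 == 0.

// Stored token hash and attacker-supplied value (constructed for this example).
// md5('240610708') = 0e462097431906509019562988736854
// md5('QNKCDZO')   = 0e830400451993494058024219903391
$storedHash   = md5('240610708');
$suppliedHash = md5('QNKCDZO');

// Vulnerable check: both operands are numeric strings, so they are compared
// numerically and any two "0e<digits>" hashes are considered equal.
function tokenMatchesLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Fixed check: require a well-formed hex digest, then compare byte for byte.
// hash_equals() is also constant-time, which avoids a timing side channel.
function tokenMatchesStrict(string $stored, string $supplied): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Show the three results side by side: identity, loose, strict.
var_dump($storedHash === $suppliedHash);
var_dump(tokenMatchesLoose($storedHash, $suppliedHash));
var_dump(tokenMatchesStrict($storedHash, $suppliedHash));
```

Run as written, the identity test and the strict check both report false while the loose check reports true for two digests that differ in every byte after the "0e" prefix. When auditing PHP code for this class of bug, grep for `==` and `!=` applied to anything derived from `md5()`, `sha1()`, `crypt()` or a request parameter; the fix is `hash_equals()` (or `===` where timing is irrelevant), never a cast to string, since a cast leaves both operands numeric strings.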
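The three zzcms entries above (CVE-2018-8965, CVE-2018-8968, CVE-2018-8969) share one pattern: a form's oldimg or oldflv parameter names a file to delete and is not confined to the upload directory, so "../install.lock" style input removes arbitrary files. The following is an added example written for this page, not zzcms code: a vulnerable delete-old-upload routine beside a hardened one. The UPLOAD_DIR path, the function names and the allowed extension list are assumptions for illustration.

```php
<?php
// Added example, not zzcms code: deleting a previously uploaded file named by
// a request parameter, first as the traversal-prone pattern, then hardened.

const UPLOAD_DIR = '/var/www/html/uploads';   // assumed location

// Vulnerable: the caller-supplied name is concatenated and trusted.
// "../install/install.lock" or an absolute path escapes UPLOAD_DIR.
function deleteOldImageUnsafe(string $oldimg): bool
{
    $path = UPLOAD_DIR . '/' . $oldimg;
    return is_file($path) && unlink($path);
}

// Hardened: canonicalise both the base directory and the target (realpath
// collapses "..", "." and symlinks), then insist the target still lies under
// the base. Anything that escapes, or does not exist, is refused untouched.
function deleteOldImageSafe(string $oldimg): bool
{
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $oldimg);
    if ($base === false || $real === false) {
        return false;                       // missing directory or file
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/var/www/html/uploads2" does not pass the prefix test.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;                       // traversal, absolute path or symlink out
    }
    // Only the file types this form is allowed to manage (assumed list).
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return false;                       // never a lock file or a script
    }
    return unlink($real);
}

// Constructed request values: a legitimate old upload and two traversal attempts.
$inputs = [
    'photo_2018.jpg',
    '../install/install.lock',
    '/var/www/html/install/install.lock',
];
foreach ($inputs as $oldimg) {
    var_dump(deleteOldImageSafe($oldimg));
}
```

Only the first input can ever reach `unlink()` in the hardened version, and only if a file of that name actually exists under UPLOAD_DIR; both traversal inputs fail the prefix test (or the existence test) and nothing is deleted. Two caveats for a practitioner: `realpath()` follows symlinks, which is what you want here (a link planted inside the upload directory that points at install.lock is resolved and rejected), and the check must run on every code path that deletes, since the zzcms entries show three separate scripts each repeating the same unconfined delete.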
