Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8482 | 1 Google | 1 Android | 2018-04-17 | 7.2 HIGH | 7.8 HIGH |
| An elevation of privilege vulnerability in the NVIDIA GPU driver. Product: Android. Versions: Android kernel. Android ID: A-31799863. References: N-CVE-2016-8482. | |||||
| CVE-2018-8073 | 1 Yiiframework | 1 Yii | 2018-04-17 | 7.5 HIGH | 9.8 CRITICAL |
| Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | |||||
| CVE-2018-8832 | 1 Enhavo | 1 Enhavo | 2018-04-17 | 3.5 LOW | 4.8 MEDIUM |
| enhavo 0.4.0 has XSS via a user-group that contains executable JavaScript code in the user-group name. The XSS attack launches when a victim visits the admin user group page. | |||||
| CVE-2014-1457 | 1 Openwebanalytics | 1 Open Web Analytics | 2018-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. | |||||
| CVE-2017-17306 | 1 Huawei | 2 Vns-l21, Vns-l21 Firmware | 2018-04-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Some Huawei Smartphones with software of VNS-L21AUTC555B141, VNS-L21C10B160, VNS-L21C66B160, VNS-L21C703B140 have an array out-of-bounds read vulnerability. Due to the lack verification of array, an attacker tricks a user into installing a malicious application, and the application can exploit the vulnerability and make attacker to read out of bounds of array and possibly cause the device abnormal. | |||||
| CVE-2017-17307 | 1 Huawei | 2 Vns-l21, Vns-l21 Firmware | 2018-04-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Some Huawei Smartphones with software of VNS-L21AUTC555B141 have an out-of-bounds read vulnerability. Due to the lack string terminator of string, an attacker tricks a user into installing a malicious application, and the application can exploit the vulnerability and make attacker to read out of bounds and possibly cause the device abnormal. | |||||
| CVE-2018-5233 | 1 Getgrav | 1 Grav Cms | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools. | |||||
| CVE-2014-2550 | 1 Disable Comments | 1 Disable Comments Project | 2018-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Disable Comments plugin before 1.0.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that enable comments via a request to the disable_comments_settings page to wp-admin/options-general.php. | |||||
| CVE-2018-0541 | 1 Tinyftp Project | 1 Tinyftp | 2018-04-17 | 10.0 HIGH | 9.8 CRITICAL |
| Buffer overflow in Tiny FTP Daemon Ver0.52d allows an attacker to cause a denial-of-service (DoS) condition or execute arbitrary code via unspecified vectors. | |||||
| CVE-2018-0534 | 1 Arsenol Project | 1 Arsenol | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in ArsenoL Version 0.5 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0538 | 1 Qqq Systems Project | 1 Qqq Systems | 2018-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-12169 | 1 Freeipa | 1 Freeipa | 2018-04-17 | 4.0 MEDIUM | 7.5 HIGH |
| It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability. | |||||
| CVE-2018-1000123 | 1 Ionicframework | 1 Ios Keychain | 2018-04-16 | 5.0 MEDIUM | 9.8 CRITICAL |
| Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim's iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf. | |||||
| CVE-2018-1000125 | 1 Inversoft | 1 Prime-jwt | 2018-04-16 | 7.5 HIGH | 9.8 CRITICAL |
| inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid signature. This attack appear to be exploitable via an attacker crafting a token with a valid header and body and then requests it to be validated. This vulnerability appears to have been fixed in 1.3.0 and later or after commit 0d94dcef0133d699f21d217e922564adbb83a227. | |||||
| CVE-2018-1000171 | 2018-04-13 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-9092. Reason: This candidate is a reservation duplicate of CVE-2018-9092. Notes: All CVE users should reference CVE-2018-9092 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2018-10031 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 6.8 MEDIUM | 8.8 HIGH |
| CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php. | |||||
| CVE-2018-10033 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter. | |||||
| CVE-2018-10082 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php. | |||||
| CVE-2018-10083 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 6.4 MEDIUM | 7.5 HIGH |
| CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary file deletion vulnerability in the admin dashboard via directory traversal sequences in the val parameter within a cmd=del request, because code under modules\FilePicker does not restrict the val parameter. | |||||
| CVE-2018-10029 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799. | |||||
| CVE-2018-10030 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 6.8 MEDIUM | 8.8 HIGH |
| CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. | |||||
| CVE-2018-10032 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter. | |||||
| CVE-2018-8737 | 1 Bylancer | 1 Bookme | 2018-04-13 | 3.5 LOW | 5.4 MEDIUM |
| Bookme Control Panel 2.0 Application is vulnerable to stored XSS within the Customers "Book Me" function. Within the Name and Note (aka custName and custNote) sections of the Customers screen, the application does not sanitize user-supplied input and renders injected JavaScript code to the user's browser. | |||||
| CVE-2017-18247 | 1 Libav | 1 Libav | 2018-04-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| The av_audio_fifo_size function in libavutil/audio_fifo.c in Libav 12.2 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted media file. | |||||
| CVE-2018-8948 | 1 Misp-project | 1 Misp | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module. | |||||
| CVE-2018-0535 | 1 Php 2chbbs Project | 1 Php 2chbbs | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in PHP 2chBBS version bbs18c allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-0542 | 1 Webproxy Project | 1 Webproxy | 2018-04-13 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in WebProxy version 1.7.8 allows an attacker to read arbitrary files via unspecified vectors. | |||||
| CVE-2018-8805 | 1 Yxcms | 1 Yxcms | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=guestbook request. | |||||
| CVE-2018-8815 | 1 Alkacon | 1 Opencms | 2018-04-13 | 3.5 LOW | 4.6 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image. | |||||
| CVE-2017-17319 | 1 Huawei | 2 P9, P9 Firmware | 2018-04-13 | 7.1 HIGH | 5.5 MEDIUM |
| Huawei P9 smartphones with the versions before EVA-AL10C00B399SP02 have an information disclosure vulnerability. The software does not properly protect certain resource which can be accessed by multithreading. An attacker tricks the user who has root privilege to install a crafted application, successful exploit could result in kernel information disclosure. | |||||
| CVE-2017-17320 | 1 Huawei | 2 Mate 9 Pro, Mate 9 Pro Firmware | 2018-04-13 | 9.3 HIGH | 7.8 HIGH |
| Huawei Mate 9 Pro smartphones with software of LON-AL00BC00B139D, LON-AL00BC00B229, LON-L29DC721B188 have a memory double free vulnerability. The system does not manage the memory properly, that frees on the same memory address twice. An attacker tricks the user who has root privilege to install a crafted application, successful exploit could result in malicious code execution. | |||||
| CVE-2014-1665 | 1 Owncloud | 1 Owncloud | 2018-04-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. | |||||
| CVE-2015-7449 | 1 Ibm | 8 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 5 more | 2018-04-13 | 2.1 LOW | 3.3 LOW |
| IBM Rational Collaborative Lifecycle Management (CLM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Quality Manager (RQM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Team Concert (RTC) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Requirements Composer (RRC) 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7 before iFix1, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2 allow local users to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 108221. | |||||
| CVE-2018-8767 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2018-04-13 | 3.5 LOW | 4.8 MEDIUM |
| joyplus-cms 1.6.0 has XSS in manager/admin_ajax.php?action=save&tab={pre}vod_type via the t_name parameter. | |||||
| CVE-2018-8766 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| joyplus-cms 1.6.0 allows Remote Code Execution because of an Arbitrary File Upload issue in manager/editor/upload.php, related to manager/admin_vod.php?action=add. | |||||
| CVE-2018-1206 | 1 Emc | 1 Data Protection Advisor | 2018-04-13 | 7.2 HIGH | 7.8 HIGH |
| Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is "apollosuperuser." An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account. | |||||
| CVE-2018-1000097 | 3 Canonical, Debian, Gnu | 3 Ubuntu Linux, Debian Linux, Sharutils | 2018-04-13 | 6.8 MEDIUM | 7.8 HIGH |
| Sharutils sharutils (unshar command) version 4.15.2 contains a Buffer Overflow vulnerability in Affected component on the file unshar.c at line 75, function looks_like_c_code. Failure to perform checking of the buffer containing input line. that can result in Could lead to code execution. This attack appear to be exploitable via Victim have to run unshar command on a specially crafted file.. | |||||
| CVE-2018-1000090 | 1 Textpattern | 1 Textpattern | 2018-04-13 | 7.8 HIGH | 7.5 HIGH |
| textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appear to be exploitable via Uploading a specially crafted XML file. | |||||
| CVE-2018-1000124 | 1 I-librarian | 1 I\, Librarian | 2018-04-13 | 7.5 HIGH | 10.0 CRITICAL |
| I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea. | |||||
| CVE-2018-1000131 | 1 Wpsupportplus | 1 Wp Support Plus Responsive Ticket System | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be exploitable via web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later. | |||||
| CVE-2018-1000138 | 1 I-librarian | 1 I Librarian | 2018-04-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| I, Librarian version 4.8 and earlier contains a SSRF vulnerability in "url" parameter of getFromWeb in functions.php that can result in the attacker abusing functionality on the server to read or update internal resources. | |||||
| CVE-2018-0539 | 1 Qqq Systems Project | 1 Qqq Systems | 2018-04-13 | 10.0 HIGH | 9.8 CRITICAL |
| QQQ SYSTEMS version 2.24 allows an attacker to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2018-1000139 | 1 I-librarian | 1 I Librarian | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. | |||||
| CVE-2017-8013 | 1 Emc | 1 Data Protection Advisor | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges). | |||||
| CVE-2012-2625 | 1 Xen | 2 Xen, Xen-unstable | 2018-04-13 | 2.7 LOW | N/A |
| The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image. | |||||
| CVE-2016-1000009 | 1 Tp-link | 1 Tp-link | 2018-04-13 | 5.0 MEDIUM | 7.5 HIGH |
| TP-LINK lost control of two domains, www.tplinklogin.net and tplinkextender.net. Please note that these domains are physically printed on many of the devices. | |||||
| CVE-2017-17954 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter. | |||||
| CVE-2017-17955 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter. | |||||
| CVE-2017-17956 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter. | |||||
| CVE-2017-17957 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter. | |||||