Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-0207 | 1 Ibm | 1 Algo Risk Application | 2018-02-01 | 3.5 LOW | 5.4 MEDIUM |
| IBM Algorithmics One-Algo Risk Application (ARA) 4.9.1 through 5.1.0 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors. IBM X-Force ID: 109399. | |||||
| CVE-2015-2981 | 1 Yodobashi | 1 Yodobashi | 2018-02-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2015-7484 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2018-02-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 Interim Fix 1 and 4.0 before 4.0.7 iFix10 allow remote authenticated users with access to lifecycle projects to obtain sensitive information by sending a crafted URL to the Lifecycle Query Engine. IBM X-Force ID: 108619. | |||||
| CVE-2017-16514 | 1 Websitebaker | 1 Websitebaker | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities in the files /wb/admin/admintools/tool.php (Droplet Description) and /install/index.php (Site Title) in WebsiteBaker 2.10.0 allow attackers to insert persistent JavaScript code that gets reflected back to users in multiple areas in the application. | |||||
| CVE-2017-1000465 | 1 Sulu | 1 Sulu-standard | 2018-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripting vulnerability, within the page creation page, which can result in disruption of service and execution of javascript code. | |||||
| CVE-2017-18024 | 1 Avantfax | 1 Avantfax | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1. | |||||
| CVE-2017-14594 | 1 Atlassian | 1 Jira | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter. | |||||
| CVE-2017-15883 | 1 Progress | 1 Sitefinity | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography. | |||||
| CVE-2017-15662 | 1 Flexense | 1 Vx Search | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| In Flexense VX Search Enterprise v10.1.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9123. | |||||
| CVE-2017-15663 | 1 Flexense | 1 Disk Pulse | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120. | |||||
| CVE-2017-15664 | 1 Flexense | 1 Syncbreeze | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| In Flexense Sync Breeze Enterprise v10.1.16, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9121. | |||||
| CVE-2017-15665 | 1 Flexense | 1 Diskboss | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094. | |||||
| CVE-2017-7997 | 1 Gespage | 1 Gespage | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp. | |||||
| CVE-2017-7998 | 1 Gespage | 1 Gespage | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Gespage before 7.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) printer name when adding a printer in the admin panel or (2) username parameter to webapp/users/user_reg.jsp. | |||||
| CVE-2017-12622 | 1 Apache | 1 Geode | 2018-02-01 | 5.5 MEDIUM | 7.1 HIGH |
| When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges. | |||||
| CVE-2014-4972 | 1 Ajax Upload For Gravity Forms Project | 1 Ajax Upload For Gravity Forms | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in the Gravity Upload Ajax plugin 1.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under wp-content/uploads/gravity_forms. | |||||
| CVE-2013-4364 | 1 Redhat | 1 Openshift | 2018-02-01 | 7.2 HIGH | 7.8 HIGH |
| (1) oo-analytics-export and (2) oo-analytics-import in the openshift-origin-broker-util package in Red Hat OpenShift Enterprise 1 and 2 allow local users to have unspecified impact via a symlink attack on an unspecified file in /tmp. | |||||
| CVE-2017-5971 | 1 Newsbee Project | 1 Newsbee | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in NewsBee CMS allow remote attackers to execute arbitrary SQL commands. | |||||
| CVE-2018-5266 | 1 Cobham | 2 Sea Tel 121, Sea Tel 121 Firmware | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| Cobham Sea Tel 121 build 222701 devices allow remote attackers to obtain potentially sensitive information about valid usernames by reading the loginName lines at the js/userLogin.js URI. NOTE: default passwords for the standard usernames are listed in the product's documentation: Dealer with password seatel3, SysAdmin with password seatel2, and User with password seatel1. | |||||
| CVE-2017-18020 | 1 Samsung | 1 Samsung Mobile | 2018-02-01 | 7.2 HIGH | 8.4 HIGH |
| On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and Exynos chipsets, attackers can execute arbitrary code in the bootloader because S Boot omits a size check during a copy of ramfs data to memory. The Samsung ID is SVE-2017-10598. | |||||
| CVE-2017-11879 | 1 Microsoft | 1 Asp.net Core | 2018-02-01 | 4.3 MEDIUM | 8.8 HIGH |
| ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability". | |||||
| CVE-2016-10207 | 2 Opensuse, Tigervnc | 2 Leap, Tigervnc | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| The Xvnc server in TigerVNC allows remote attackers to cause a denial of service (invalid memory access and crash) by terminating a TLS handshake early. | |||||
| CVE-2015-7485 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2018-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108626. | |||||
| CVE-2017-18023 | 1 Officetracker | 1 Officetracker | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Office Tracker 11.2.5 has XSS via the logincount parameter to the /otweb/OTPClientLogin URI. | |||||
| CVE-2017-14082 | 1 Trendmicro | 1 Mobile Security | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| An uninitialized pointer information disclosure vulnerability in Trend Micro Mobile Security (Enterprise) versions 9.7 and below could allow an unauthenticated remote attacker to disclosure sensitive information on a vulnerable system. | |||||
| CVE-2018-5696 | 1 Ijoomla | 1 Com Adagency | 2018-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection via the `advertiser_status` and `status_select` parameters to index.php. | |||||
| CVE-2017-14096 | 1 Trendmicro | 1 Smart Protection Server | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored cross site scripting (XSS) vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to execute a malicious payload on vulnerable systems. | |||||
| CVE-2018-5695 | 1 Wpjobboard | 1 Wpjobboard | 2018-02-01 | 6.5 MEDIUM | 7.2 HIGH |
| The WpJobBoard plugin 4.4.4 for WordPress allows SQL injection via the order or sort parameter to the wpjb-job or wpjb-alerts module, with a request to wp-admin/admin.php. | |||||
| CVE-2015-7486 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2018-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108633. | |||||
| CVE-2018-5697 | 1 Icyphoenix | 1 Icyphoenix | 2018-02-01 | 6.5 MEDIUM | 7.2 HIGH |
| Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to admin_kb_art.php or the order parameter to admin_jr_admin.php, related to functions_kb.php. | |||||
| CVE-2015-7474 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2018-02-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Jazz Foundation in IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108501. | |||||
| CVE-2018-5776 | 1 Wordpress | 1 Wordpress | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). | |||||
| CVE-2017-16864 | 1 Atlassian | 1 Jira | 2018-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter. | |||||
| CVE-2018-5692 | 1 Piwigo | 1 Piwigo | 2018-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file. | |||||
| CVE-2018-5689 | 1 Dotclear | 1 Dotclear | 2018-01-31 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email. | |||||
| CVE-2018-5690 | 1 Dotclear | 1 Dotclear | 2018-01-31 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit number). | |||||
| CVE-2017-17970 | 1 Muvikoscript | 1 Muviko | 2018-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to themes/flixer/ajax/get_rating.php; the (4) rating or (5) movie_id parameter to themes/flixer/ajax/update_rating.php; or the (6) id parameter to themes/flixer/ajax/set_player_source.php. | |||||
| CVE-2017-16862 | 1 Atlassian | 1 Jira | 2018-01-31 | 4.3 MEDIUM | 4.3 MEDIUM |
| The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2017-1739 | 1 Ibm | 1 Curam Social Program Management | 2018-01-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, and 7.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134921. | |||||
| CVE-2017-1740 | 1 Ibm | 1 Curam Social Program Management | 2018-01-31 | 3.5 LOW | 5.4 MEDIUM |
| IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134922. | |||||
| CVE-2017-1670 | 1 Ibm | 1 Security Key Lifecycle Manager | 2018-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 133637. | |||||
| CVE-2017-1671 | 1 Ibm | 1 Security Key Lifecycle Manager | 2018-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 133638. | |||||
| CVE-2017-1666 | 1 Ibm | 1 Security Key Lifecycle Manager | 2018-01-31 | 5.5 MEDIUM | 8.1 HIGH |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540. | |||||
| CVE-2017-1668 | 1 Ibm | 1 Security Key Lifecycle Manager | 2018-01-31 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 133562. | |||||
| CVE-2018-5682 | 1 Prestashop | 1 Prestashop | 2018-01-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message. | |||||
| CVE-2018-5681 | 1 Prestashop | 1 Prestashop | 2018-01-31 | 3.5 LOW | 5.4 MEDIUM |
| PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen. | |||||
| CVE-2018-5316 | 1 Patsatech | 1 Sagepay Server Gateway For Woocommerce | 2018-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "SagePay Server Gateway for WooCommerce" plugin before 1.0.9 for WordPress has XSS via the includes/pages/redirect.php page parameter. | |||||
| CVE-2018-5298 | 1 Pg | 1 Oral-b App | 2018-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| In the Procter & Gamble "Oral-B App" (aka com.pg.oralb.oralbapp) application 5.0.0 for Android, AES encryption with static parameters is used to secure the locally stored shared preferences. An attacker can gain access to locally stored user data more easily by leveraging access to the preferences XML file. | |||||
| CVE-2018-5211 | 1 Phpsugar | 1 Php Melody | 2018-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist. | |||||
| CVE-2014-6435 | 1 Aztech | 6 Adsl Dsl5018en \(1t1r\), Adsl Dsl5018en \(1t1r\) Firmware, Dsl705e and 3 more | 2018-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| cgi-bin/AZ_Retrain.cgi in Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices does not check for authentication, which allows remote attackers to cause a denial of service (WAN connectivity reset) via a direct request. | |||||