Vulnerabilities (CVE)

Total 292054 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-15904 1 A10networks 1 Acos Web Application Firewall 2024-11-21 7.5 HIGH 9.8 CRITICAL
A10 ACOS Web Application Firewall (WAF) 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4 mishandles the configured rules for blocking SQL injection attacks, aka A10-2017-0008.
CVE-2018-15903 1 Claromentis 1 Claromentis 2024-11-21 3.5 LOW 5.4 MEDIUM
The Discuss v1.2.1 module in Claromentis 8.2.2 is vulnerable to stored Cross Site Scripting (XSS). An authenticated attacker will be able to place malicious JavaScript in the discussion forum, which is present in the login landing page. A low privilege user can use this to steal the session cookies from high privilege accounts and hijack these, enabling them to hijack the elevated session and perform actions in their security context.
CVE-2018-15901 1 E107 1 E107 2024-11-21 6.8 MEDIUM 8.8 HIGH
e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.
CVE-2018-15899 1 1234n 1 Minicms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability.
CVE-2018-15898 1 Subsonic 1 Music Streamer 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
The Subsonic Music Streamer application 4.4 for Android has Improper Certificate Validation of the Subsonic server certificate, which might allow man-in-the-middle attackers to obtain interaction data.
CVE-2018-15897 1 Website Seller Script Project 1 Website Seller Script 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
PHP Scripts Mall Website Seller Script 2.0.5 allows remote attackers to cause a denial of service via crafted JavaScript code in the First Name, Last Name, Company Name, or Fax field, as demonstrated by crossPwn.
CVE-2018-15896 1 Website Seller Script Project 1 Website Seller Script 2024-11-21 3.5 LOW 5.4 MEDIUM
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via Personal Address or Company Name.
CVE-2018-15895 1 Icmsdev 1 Icms 2024-11-21 5.0 MEDIUM 7.5 HIGH
An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14858.
CVE-2018-15894 1 Wuzhi Cms Project 1 Wuzhi Cms 2024-11-21 7.5 HIGH 9.8 CRITICAL
A SQL injection was discovered in /coreframe/app/admin/pay/admin/index.php in WUZHI CMS 4.1.0 via the index.php?m=pay&f=index&v=listing keyValue parameter.
CVE-2018-15893 1 Wuzhi Cms Project 1 Wuzhi Cms 2024-11-21 7.5 HIGH 9.8 CRITICAL
A SQL injection was discovered in /coreframe/app/admin/copyfrom.php in WUZHI CMS 4.1.0 via the index.php?m=core&f=copyfrom&v=listing keywords parameter.
CVE-2018-15892 1 Freepbx 1 Disa 2024-11-21 6.0 MEDIUM 4.3 MEDIUM
FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page.
CVE-2018-15891 2 Freepbx, Sangoma 2 Freepbx, Freepbx 2024-11-21 3.5 LOW 4.8 MEDIUM
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
CVE-2018-15890 1 Ethereum 1 Ethereumj 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server.
CVE-2018-15888 1 Aspcms 1 Aspcms 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ASPCMS 2.5.6. When registering ordinary users in the addUser function of the /member/reg.asp page, they can be registered with the super administrators GroupID directly.
CVE-2018-15887 1 Asus 2 Dsl-n12e C1, Dsl-n12e C1 Firmware 2024-11-21 6.5 MEDIUM 8.8 HIGH
Main_Analysis_Content.asp in ASUS DSL-N12E_C1 1.1.2.3_345 is prone to Authenticated Remote Command Execution, which allows a remote attacker to execute arbitrary OS commands via service parameters, such as shell metacharacters in the destIP parameter of a cmdMethod=ping request.
CVE-2018-15886 1 Monstra 1 Monstra 2024-11-21 6.5 MEDIUM 7.2 HIGH
Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring.
CVE-2018-15885 1 Ovation 1 Findme 2024-11-21 5.0 MEDIUM 7.5 HIGH
Ovation FindMe 1.4-1083-1 is intended to support transmission of network traffic from covert video recorders but does not properly disrupt binary analysis for discovering the product's capabilities or purpose. This makes it easier for adversaries to detect the covert operation. Specifically, the product uses a compression technique to prevent the identification of certain libraries in the software by obfuscation. The software relies on a TLS callback and an additional executable file to enable these libraries and their access to certain websites. The unpacked software can be exploited by several different types of documented techniques.
CVE-2018-15884 1 Ricoh 2 Mp C4504ex, Mp C4504ex Firmware 2024-11-21 6.8 MEDIUM 8.8 HIGH
RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
CVE-2018-15882 1 Joomla 1 Joomla\! 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.
CVE-2018-15881 1 Joomla 1 Joomla\! 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.