Total
298674 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-3771 | 1 Statics-server Project | 1 Statics-server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser. | |||||
| CVE-2018-3770 | 1 Markdown-pdf Project | 1 Markdown-pdf | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files. | |||||
| CVE-2018-3769 | 1 Ruby-grape | 1 Grape | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ruby-grape ruby gem suffers from a cross-site scripting (XSS) vulnerability via "format" parameter. | |||||
| CVE-2018-3767 | 1 Memcachier | 1 Memjs | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| `memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage. | |||||
| CVE-2018-3766 | 1 Buttle Project | 1 Buttle | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Path traversal in buttle module versions <= 0.2.0 allows to read any file in the server. | |||||
| CVE-2018-3764 | 1 Nextcloud | 1 Contacts | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. | |||||
| CVE-2018-3763 | 1 Nextcloud | 1 Calendar | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. | |||||
| CVE-2018-3762 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to. | |||||
| CVE-2018-3761 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised. | |||||
| CVE-2018-3760 | 3 Debian, Redhat, Sprockets Project | 4 Debian Linux, Cloudforms, Enterprise Linux and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately. | |||||
| CVE-2018-3759 | 1 Private Address Check Project | 1 Private Address Check | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address. | |||||
| CVE-2018-3758 | 1 Express-cart Project | 1 Express-cart | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine. | |||||
| CVE-2018-3757 | 1 Pdf-image Project | 1 Pdf-image | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter. | |||||
| CVE-2018-3756 | 1 Hyperledger | 1 Iroha | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures. | |||||
| CVE-2018-3755 | 1 Sexstatic Project | 1 Sexstatic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name. | |||||
| CVE-2018-3754 | 1 Query-mysql Project | 1 Query-mysql | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database. | |||||
| CVE-2018-3753 | 1 Merge-object Project | 1 Merge-object | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | |||||
| CVE-2018-3752 | 1 Merge-options Project | 1 Merge-options | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The utilities function in all versions <= 1.0.0 of the merge-options node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | |||||
| CVE-2018-3751 | 1 Umbraengineering | 1 Merge-recursive | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | |||||
| CVE-2018-3750 | 1 Deep Extend Project | 1 Deep Extend | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | |||||