Vulnerabilities (CVE)

Total 298674 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-3771 1 Statics-server Project 1 Statics-server 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-3770 1 Markdown-pdf Project 1 Markdown-pdf 2024-11-21 2.1 LOW 5.5 MEDIUM
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3769 1 Ruby-grape 1 Grape 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
ruby-grape ruby gem suffers from a cross-site scripting (XSS) vulnerability via "format" parameter.
CVE-2018-3767 1 Memcachier 1 Memjs 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
`memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage.
CVE-2018-3766 1 Buttle Project 1 Buttle 2024-11-21 5.0 MEDIUM 7.5 HIGH
Path traversal in buttle module versions <= 0.2.0 allows to read any file in the server.
CVE-2018-3764 1 Nextcloud 1 Contacts 2024-11-21 3.5 LOW 4.8 MEDIUM
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
CVE-2018-3763 1 Nextcloud 1 Calendar 2024-11-21 3.5 LOW 4.8 MEDIUM
In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
CVE-2018-3762 1 Nextcloud 1 Nextcloud Server 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.
CVE-2018-3761 1 Nextcloud 1 Nextcloud Server 2024-11-21 5.8 MEDIUM 8.1 HIGH
Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.
CVE-2018-3760 3 Debian, Redhat, Sprockets Project 4 Debian Linux, Cloudforms, Enterprise Linux and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
CVE-2018-3759 1 Private Address Check Project 1 Private Address Check 2024-11-21 4.3 MEDIUM 3.7 LOW
private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address.
CVE-2018-3758 1 Express-cart Project 1 Express-cart 2024-11-21 9.0 HIGH 8.8 HIGH
Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.
CVE-2018-3757 1 Pdf-image Project 1 Pdf-image 2024-11-21 10.0 HIGH 9.8 CRITICAL
Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.
CVE-2018-3756 1 Hyperledger 1 Iroha 2024-11-21 5.0 MEDIUM 7.5 HIGH
Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures.
CVE-2018-3755 1 Sexstatic Project 1 Sexstatic 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name.
CVE-2018-3754 1 Query-mysql Project 1 Query-mysql 2024-11-21 6.5 MEDIUM 8.8 HIGH
Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database.
CVE-2018-3753 1 Merge-object Project 1 Merge-object 2024-11-21 7.5 HIGH 9.8 CRITICAL
The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
CVE-2018-3752 1 Merge-options Project 1 Merge-options 2024-11-21 7.5 HIGH 9.8 CRITICAL
The utilities function in all versions <= 1.0.0 of the merge-options node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
CVE-2018-3751 1 Umbraengineering 1 Merge-recursive 2024-11-21 7.5 HIGH 9.8 CRITICAL
The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
CVE-2018-3750 1 Deep Extend Project 1 Deep Extend 2024-11-21 7.5 HIGH 9.8 CRITICAL
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.