Total
296157 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-19291 | 1 Dilicms | 1 Dilicms | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI. | |||||
CVE-2018-19290 | 1 Budabot | 1 Budabot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code. | |||||
CVE-2018-19289 | 1 Valine.js | 1 Valine | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file. | |||||
CVE-2018-19288 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API. | |||||
CVE-2018-19287 | 1 Ninjaforma | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. | |||||
CVE-2018-19286 | 1 Mubu | 1 Curtain | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note. | |||||
CVE-2018-19282 | 1 Rockwellautomation | 2 Powerflex 525 Ac Drives, Powerflex 525 Ac Drives Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common Industrial Protocol (CIP) network stack. The vulnerability allows the attacker to crash the CIP in a way that it does not accept new connections, but keeps the current connections active, which can prevent legitimate users from recovering control. | |||||
CVE-2018-19281 | 1 Centreon | 1 Centreon | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection. | |||||
CVE-2018-19280 | 1 Centreon | 1 Centreon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro. | |||||
CVE-2018-19279 | 2 Microsoft, Primx | 2 Windows, Zonecentral | 2024-11-21 | 2.1 LOW | 4.3 MEDIUM |
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater. | |||||
CVE-2018-19278 | 1 Digium | 1 Asterisk | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed length. | |||||
CVE-2018-19277 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file | |||||
CVE-2018-19276 | 1 Openmrs | 1 Openmrs | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body. | |||||
CVE-2018-19275 | 1 Mitel | 2 Cmg Suite, Inattend | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system. | |||||
CVE-2018-19274 | 2 Debian, Phpbb | 2 Debian Linux, Phpbb | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. | |||||
CVE-2018-19271 | 1 Centreon | 1 Centreon | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.28) allows SQL Injection via the main.php searchH parameter. | |||||
CVE-2018-19249 | 1 Stripe | 1 Stripe Api | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data, parsing the response under the object card{}, and reading the cvc_check information if the creation is successful without charging the actual card used in the transaction. | |||||
CVE-2018-19248 | 1 Epson | 2 Epson Workforce Wf-2861, Epson Workforce Wf-2861 Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI. | |||||
CVE-2018-19246 | 1 Php-proxy | 1 Php-proxy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion. | |||||
CVE-2018-19244 | 1 Charlesproxy | 1 Charles | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked. |