Vulnerabilities (CVE)

Total 296157 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-19291 1 Dilicms 1 Dilicms 2024-11-21 5.8 MEDIUM 6.5 MEDIUM
An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI.
CVE-2018-19290 1 Budabot 1 Budabot 2024-11-21 7.5 HIGH 9.8 CRITICAL
In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.
CVE-2018-19289 1 Valine.js 1 Valine 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file.
CVE-2018-19288 1 Zohocorp 1 Manageengine Opmanager 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
CVE-2018-19287 1 Ninjaforma 1 Ninja Forms 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.
CVE-2018-19286 1 Mubu 1 Curtain 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note.
CVE-2018-19282 1 Rockwellautomation 2 Powerflex 525 Ac Drives, Powerflex 525 Ac Drives Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common Industrial Protocol (CIP) network stack. The vulnerability allows the attacker to crash the CIP in a way that it does not accept new connections, but keeps the current connections active, which can prevent legitimate users from recovering control.
CVE-2018-19281 1 Centreon 1 Centreon 2024-11-21 7.5 HIGH 9.8 CRITICAL
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection.
CVE-2018-19280 1 Centreon 1 Centreon 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19279 2 Microsoft, Primx 2 Windows, Zonecentral 2024-11-21 2.1 LOW 4.3 MEDIUM
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19278 1 Digium 1 Asterisk 2024-11-21 5.0 MEDIUM 7.5 HIGH
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed length.
CVE-2018-19277 1 Phpoffice 1 Phpspreadsheet 2024-11-21 6.8 MEDIUM 8.8 HIGH
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
CVE-2018-19276 1 Openmrs 1 Openmrs 2024-11-21 10.0 HIGH 9.8 CRITICAL
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
CVE-2018-19275 1 Mitel 2 Cmg Suite, Inattend 2024-11-21 10.0 HIGH 9.8 CRITICAL
The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system.
CVE-2018-19274 2 Debian, Phpbb 2 Debian Linux, Phpbb 2024-11-21 6.5 MEDIUM 7.2 HIGH
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
CVE-2018-19271 1 Centreon 1 Centreon 2024-11-21 6.5 MEDIUM 8.8 HIGH
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.28) allows SQL Injection via the main.php searchH parameter.
CVE-2018-19249 1 Stripe 1 Stripe Api 2024-11-21 5.0 MEDIUM 7.5 HIGH
The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data, parsing the response under the object card{}, and reading the cvc_check information if the creation is successful without charging the actual card used in the transaction.
CVE-2018-19248 1 Epson 2 Epson Workforce Wf-2861, Epson Workforce Wf-2861 Firmware 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI.
CVE-2018-19246 1 Php-proxy 1 Php-proxy 2024-11-21 5.0 MEDIUM 7.5 HIGH
PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.
CVE-2018-19244 1 Charlesproxy 1 Charles 2024-11-21 5.0 MEDIUM 8.6 HIGH
An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked.