Total: 296526 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-19795 | 1 Chipsbank | 1 Umptool | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
ChipsBank UMPTool saves the password to the NAND with a simple substitution cipher, which allows attackers to get full access when having physical access to the device. | |||||
CVE-2018-19794 | 1 Internet2 | 1 Grouper | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter. | |||||
CVE-2018-19793 | 1 Jiacrontab Project | 1 Jiacrontab | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
jiacrontab 1.4.5 allows remote attackers to execute arbitrary commands via the crontab/task/edit?addr=localhost%3a20001 command and args parameters, as demonstrated by command=cat&args=/etc/passwd in the POST data. | |||||
CVE-2018-19792 | 1 Litespeedtech | 1 Openlitespeed | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../ characters), which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function. | |||||
CVE-2018-19791 | 1 Litespeedtech | 1 Openlitespeed | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the "bytes=0-,0-" substring. | |||||
CVE-2018-19790 | 3 Debian, Fedoraproject, Sensiolabs | 3 Debian Linux, Fedora, Symfony | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. | |||||
CVE-2018-19789 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. | |||||
CVE-2018-19788 | 3 Canonical, Debian, Polkit Project | 3 Ubuntu Linux, Debian Linux, Polkit | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command. | |||||
CVE-2018-19787 | 3 Canonical, Debian, Lxml | 3 Ubuntu Linux, Debian Linux, Lxml | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. | |||||
CVE-2018-19786 | 1 Hashicorp | 1 Vault | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported. | |||||
CVE-2018-19785 | 1 Php-proxy | 1 Php-proxy | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php. | |||||
CVE-2018-19784 | 1 Php-proxy | 1 Php-proxy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion. | |||||
CVE-2018-19783 | 1 Kentix | 2 Multisensor-lan, Multisensor-lan Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Kentix MultiSensor-LAN 5.63.00 devices and previous allow Authentication Bypass via an Alternate Path or Channel. | |||||
CVE-2018-19782 | 1 Freshrss | 1 Freshrss | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter. | |||||
CVE-2018-19777 | 2 Artifex, Debian | 2 Mupdf, Debian Linux | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
In Artifex MuPDF 1.14.0, there is an infinite loop in the function svg_dev_end_tile in fitz/svg-device.c, as demonstrated by mutool. | |||||
CVE-2018-19775 | 1 Infovista | 1 Vistaportal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "Variables.jsp" has reflected XSS via the ConnPoolName and GroupId parameters. | |||||
CVE-2018-19774 | 1 Infovista | 1 Vistaportal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "PresentSpace.jsp" has reflected XSS via the GroupId and ConnPoolName parameters. | |||||
CVE-2018-19773 | 1 Infovista | 1 Vistaportal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "EditCurrentUser.jsp" has reflected XSS via the GroupId and ConnPoolName parameters. | |||||
CVE-2018-19772 | 1 Infovista | 1 Vistaportal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "EditCurrentPresentSpace.jsp" has reflected XSS via the ConnPoolName, GroupId, and ParentId parameters. | |||||
CVE-2018-19771 | 1 Infovista | 1 Vistaportal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "EditCurrentPool.jsp" has reflected XSS via the PropName parameter. |