Total
296681 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11346 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter. | |||||
| CVE-2018-11345 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that can then be executed. Further, the filename parameter is vulnerable to path traversal and allows the attacker to place the file anywhere on the system. | |||||
| CVE-2018-11344 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter. | |||||
| CVE-2018-11343 | 1 Asustor | 1 Soundsgood | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter. | |||||
| CVE-2018-11342 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter. | |||||
| CVE-2018-11341 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter. | |||||
| CVE-2018-11340 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed. | |||||
| CVE-2018-11339 | 1 Frappe | 1 Erpnext | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment. | |||||
| CVE-2018-11338 | 1 Intuit | 1 Lacerte | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer list contains each customer's full name, social security number (SSN), address, job title, phone number, Email address, spouse's phone/Email address, and other sensitive information. After the client software authenticates to the server database, the server sends the customer list. There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on Intuit Lacerte 2017, however older versions of Lacerte may be vulnerable. | |||||
| CVE-2018-11335 | 1 Genesis Vision | 1 Gvtoken | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| GVToken Genesis Vision (GVT) is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. | |||||
| CVE-2018-11334 | 1 Windscribe | 1 Windscribe | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Windscribe 1.81 creates a named pipe with a NULL DACL that allows Everyone users to gain privileges or cause a denial of service via \\.\pipe\WindscribeService. | |||||
| CVE-2018-11332 | 1 Clippercms | 1 Clippercms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php file. | |||||
| CVE-2018-11331 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess. | |||||
| CVE-2018-11330 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted. | |||||
| CVE-2018-11329 | 1 Ethercartel | 1 Ether Cartel | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The DrugDealer function of a smart contract implementation for Ether Cartel, an Ethereum game, allows attackers to take over the contract's ownership, aka ceoAnyone. After that, all the digital assets (including Ether balance and tokens) might be manipulated by the attackers, as exploited in the wild in May 2018. | |||||
| CVE-2018-11328 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 2.6 LOW | 4.7 MEDIUM |
| An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could result in an XSS vulnerability. | |||||
| CVE-2018-11327 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission. | |||||
| CVE-2018-11326 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack. | |||||
| CVE-2018-11325 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen. | |||||
| CVE-2018-11324 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated. | |||||