Total
315243 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20097 | 2 Debian, Exiv2 | 2 Debian Linux, Exiv2 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack. | |||||
| CVE-2018-20096 | 1 Exiv2 | 1 Exiv2 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack. | |||||
| CVE-2018-20095 | 1 Axiosys | 1 Bento4 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls. | |||||
| CVE-2018-20094 | 1 Xuxueli | 1 Xxl-conf | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in XXL-CONF 1.6.0. There is a path traversal vulnerability via ../ in the keys parameter that can download any configuration file, related to ConfController.java and PropUtil.java. | |||||
| CVE-2018-20092 | 1 Ptc | 1 Thingworx Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| PTC ThingWorx Platform through 8.3.0 is vulnerable to a directory traversal attack on ZIP files via a POST request. | |||||
| CVE-2018-20091 | 1 Cloudera | 1 Data Science Workbench | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| An SQL injection vulnerability was found in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. This would allow any authenticated user to run arbitrary queries against CDSW's internal database. The database contains user contact information, encrypted CDSW passwords (in the case of local authentication), API keys, and stored Kerberos keytabs. | |||||
| CVE-2018-20090 | 1 Cloudera | 1 Data Science Workbench | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
| An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. Authenticated users can bypass project permission checks and gain read-write access to any project folder. | |||||
| CVE-2018-20073 | 1 Google | 1 Chrome | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Use of extended attributes in downloads in Google Chrome prior to 72.0.3626.81 allowed a local attacker to read download URLs via the filesystem. | |||||
| CVE-2018-20071 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controled files via a crafted HTML page. | |||||
| CVE-2018-20070 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. | |||||
| CVE-2018-20069 | 2 Apple, Google | 2 Iphone Os, Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Failure to prevent navigation to top frame to data URLs in Navigation in Google Chrome on iOS prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. | |||||
| CVE-2018-20068 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect handling of 304 status codes in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. | |||||
| CVE-2018-20067 | 1 Google | 1 Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A renderer initiated back navigation was incorrectly allowed to cancel a browser initiated one in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page. | |||||
| CVE-2018-20066 | 1 Google | 1 Chrome | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Incorrect object lifecycle in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2018-20065 | 1 Google | 1 Chrome | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Handling of URI action in PDFium in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to initiate potentially unsafe navigations without a user gesture via a crafted PDF file. | |||||
| CVE-2018-20064 | 1 Doorgets | 1 Doorgets | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| doorGets 7.0 allows remote attackers to write to arbitrary files via directory traversal, as demonstrated by a dg-user/?controller=theme&action=edit&name=doorgets&file=../../1.txt%00 URI with content in the theme_content_nofi parameter. | |||||
| CVE-2018-20063 | 1 Gurock | 1 Testrail | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Gurock TestRail 5.6.0.3853. An "Unrestricted Upload of File" vulnerability exists in the image-upload form (available in the description editor), allowing remote authenticated users to execute arbitrary code by uploading an image file with an executable extension but a safe Content-Type value, and then accessing it via a direct request to the file in the file-upload directory (if it's accessible according to the server configuration). | |||||
| CVE-2018-20061 | 1 Frappe | 1 Erpnext | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call. | |||||
| CVE-2018-20059 | 1 Pippo | 1 Pippo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. | |||||
| CVE-2018-20058 | 1 Evernote | 1 Evernote | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Evernote before 7.6 on macOS, there is a local file path traversal issue in attachment previewing, aka MACOSNOTE-28634. | |||||