Total: 315279 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14730 | 1 Browserify-hot Module Replacement Project | 1 Browserify-hot Module Replacement | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Browserify-HMR. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin. | |||||
| CVE-2018-14729 | 1 Comsenz | 1 Discuz! | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The database backup feature in upload/source/admincp/admincp_db.php in Discuz! 2.5 and 3.4 allows remote attackers to execute arbitrary PHP code. | |||||
| CVE-2018-14728 | 1 Tecrail | 1 Responsive Filemanager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter. | |||||
| CVE-2018-14724 | 1 Mybb | 1 Ban List | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on the bans.php page. | |||||
| CVE-2018-14722 | 1 Btrfsmaintenance Project | 1 Btrfsmaintenance | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered in evaluate_auto_mountpoint in btrfsmaintenance-functions in btrfsmaintenance through 0.4.1. Code execution as root can occur via a specially crafted filesystem label if btrfs-{scrub,balance,trim} are set to auto in /etc/sysconfig/btrfsmaintenance (this is not the default, though). | |||||
| CVE-2018-14721 | 4 Debian, Fasterxml, Oracle and 1 more | 12 Debian Linux, Jackson-databind, Banking Platform and 9 more | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | |||||
| CVE-2018-14720 | 4 Debian, Fasterxml, Oracle and 1 more | 12 Debian Linux, Jackson-databind, Banking Platform and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | |||||
| CVE-2018-14719 | 5 Debian, Fasterxml, Netapp and 2 more | 21 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 18 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. | |||||
| CVE-2018-14718 | 5 Debian, Fasterxml, Netapp and 2 more | 26 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 23 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | |||||
| CVE-2018-14716 | 1 Nystudio107 | 1 Seomatic | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code. | |||||
| CVE-2018-14715 | 1 Cryptogs | 1 Cryptogs | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game. | |||||
| CVE-2018-14714 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter. | |||||
| CVE-2018-14713 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter. | |||||
| CVE-2018-14712 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. | |||||
| CVE-2018-14711 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. | |||||
| CVE-2018-14710 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. | |||||
| CVE-2018-14709 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | |||||
| CVE-2018-14708 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | |||||
| CVE-2018-14707 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations. | |||||
| CVE-2018-14706 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | |||||
