Total
326211 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16491 | 1 Dreamerslab | 1 Node.extend | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | |||||
| CVE-2018-16490 | 1 Mpath Project | 1 Mpath | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | |||||
| CVE-2018-16489 | 1 Just-extend Project | 1 Just-extend | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions. | |||||
| CVE-2018-16487 | 1 Lodash | 1 Lodash | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. | |||||
| CVE-2018-16486 | 1 Defaults-deep Project | 1 Defaults-deep | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype. | |||||
| CVE-2018-16485 | 1 M-server Project | 1 M-server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Path Traversal vulnerability in module m-server <1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request. | |||||
| CVE-2018-16484 | 1 M-server Project | 1 M-server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A XSS vulnerability was found in module m-server <1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names. | |||||
| CVE-2018-16483 | 1 Express-cart Project | 1 Express-cart | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators. | |||||
| CVE-2018-16482 | 1 Mcstatic Project | 1 Mcstatic | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A server directory traversal vulnerability was found on node module mcstatic <=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path. | |||||
| CVE-2018-16481 | 1 Html-pages Project | 1 Html-pages | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A XSS vulnerability was found in html-page <=2.1.1 that allows malicious Javascript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering. | |||||
| CVE-2018-16480 | 1 Public Project | 1 Public | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A XSS vulnerability was found in module public <0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering. | |||||
| CVE-2018-16479 | 1 Http-live-simulator Project | 1 Http-live-simulator | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Path traversal vulnerability in http-live-simulator <1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL. | |||||
| CVE-2018-16478 | 1 Simplehttpserver Project | 1 Simplehttpserver | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Path Traversal in simplehttpserver versions <=0.2.1 allows to list any file in another folder of web root. | |||||
| CVE-2018-16477 | 1 Rubyonrails | 1 Rails | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1. | |||||
| CVE-2018-16476 | 2 Redhat, Rubyonrails | 2 Cloudforms, Rails | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1. | |||||
| CVE-2018-16475 | 1 Knight Project | 1 Knight | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker to read content of arbitrary files on a remote server. | |||||
| CVE-2018-16474 | 1 Tianma-static Project | 1 Tianma-static | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A stored xss in tianma-static module versions <=1.0.4 allows an attacker to execute arbitrary javascript. | |||||
| CVE-2018-16473 | 1 Takeapeek Project | 1 Takeapeek | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A path traversal in takeapeek module versions <=0.2.2 allows an attacker to list directory and files. | |||||
| CVE-2018-16472 | 1 Cached-path-relative Project | 1 Cached-path-relative | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack. | |||||
| CVE-2018-16471 | 2 Debian, Rack Project | 2 Debian Linux, Rack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. | |||||