Total
23790 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14709 | 1 Drobo | 2 5n2, 5n2 Firmware | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | |||||
| CVE-2018-3972 | 1 Getmonero | 1 Monero | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability. | |||||
| CVE-2018-20716 | 1 Cubecart | 1 Cubecart | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature. | |||||
| CVE-2018-3881 | 1 Focalscope | 1 Focalscope | 2023-12-10 | 7.5 HIGH | 9.4 CRITICAL |
| An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise. | |||||
| CVE-2018-1000836 | 1 Apereo | 1 Bw-calendar-engine | 2023-12-10 | 6.8 MEDIUM | 9.0 CRITICAL |
| bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server. | |||||
| CVE-2018-16489 | 1 Just-extend Project | 1 Just-extend | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions. | |||||
| CVE-2018-16039 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2016-8628 | 1 Redhat | 1 Ansible | 2023-12-10 | 9.0 HIGH | 9.1 CRITICAL |
| Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. | |||||
| CVE-2018-17385 | 1 Thephpfactory | 1 Social Factory | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter. | |||||
| CVE-2017-8988 | 1 Hp | 1 Xp Command View | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Bypass of Security Restrictions vulnerability was identified in HPE XP Command View Advanced Edition Software Earlier than 8.5.3-00. The vulnerability impacts DevMgr Earlier than 8.5.3-00 (for Windows, Linux), RepMgr earlier than 8.5.3-00 (for Windows, Linux) and HDLM earlier than 8.5.3-00 (for Windows, Linux, Solaris, AIX). | |||||
| CVE-2018-11462 | 1 Siemens | 10 Sinumerik 808d V4.7, Sinumerik 808d V4.7 Firmware, Sinumerik 808d V4.8 and 7 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SINUMERIK 808D V4.7 (All versions), SINUMERIK 808D V4.8 (All versions), SINUMERIK 828D V4.7 (All versions < V4.7 SP6 HF1), SINUMERIK 840D sl V4.7 (All versions < V4.7 SP6 HF5), SINUMERIK 840D sl V4.8 (All versions < V4.8 SP3). By sending a specially crafted authentication request to the affected systems a remote attacker could escalate his privileges to an elevated user account but not to root. The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2018-1160 | 3 Debian, Netatalk, Synology | 7 Debian Linux, Netatalk, Diskstation Manager and 4 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. | |||||
| CVE-2018-17934 | 1 Nuuo | 1 Nuuo Cms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| NUUO CMS All versions 3.3 and prior the application allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code. | |||||
| CVE-2019-5748 | 1 Traccar | 1 Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. | |||||
| CVE-2019-1000006 | 1 Riot-os | 1 Riot | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| RIOT RIOT-OS version after commit 7af03ab624db0412c727eed9ab7630a5282e2fd3 contains a Buffer Overflow vulnerability in sock_dns, an implementation of the DNS protocol utilizing the RIOT sock API that can result in Remote code executing. This attack appears to be exploitable via network connectivity. | |||||
| CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
| CVE-2018-14620 | 1 Redhat | 1 Openstack | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP during the build stage. This could potentially allow an attacker to serve malicious code to the image builder and install in the resultant container image. Version of openstack-rabbitmq-container and openstack-containers as shipped with Red Hat Openstack 12, 13, 14 are believed to be vulnerable. | |||||
| CVE-2018-14957 | 1 Isweb | 1 Isweb | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download, as demonstrated by moduli/downloadFile.php?file=oggetto_documenti/../.././inc/config.php (one can take the control of the application because credentials are present in that config.php file). | |||||
| CVE-2017-18318 | 1 Qualcomm | 24 Msm8996au, Msm8996au Firmware, Sd 410 and 21 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| Missing validation check on CRL issuer name in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU, SD 410/12, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A. | |||||
| CVE-2018-20664 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. | |||||