Total
23790 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18903 | 1 Vanillaforums | 1 Vanilla | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Vanilla 2.6.x before 2.6.4 allows remote code execution. | |||||
| CVE-2018-19991 | 1 Verynginx Project | 1 Verynginx | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| VeryNginx 0.3.3 allows remote attackers to bypass the Web Application Firewall feature because there is no error handler (for get_uri_args or get_post_args) to block the API misuse described in CVE-2018-9230. | |||||
| CVE-2018-19076 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The FTP and RTSP services make it easier for attackers to conduct brute-force authentication attacks, because failed-authentication limits apply only to HTTP (not FTP or RTSP). | |||||
| CVE-2018-14943 | 1 Harmonicinc | 2 Nsg 9000, Nsg 9000 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account. | |||||
| CVE-2018-17446 | 1 Citrix | 2 Netscaler Sd-wan, Sd-wan | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection issue was discovered in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4. | |||||
| CVE-2018-18556 | 1 Vyos | 1 Vyos | 2023-12-10 | 9.0 HIGH | 9.9 CRITICAL |
| A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges. | |||||
| CVE-2019-7587 | 1 Bo-blog | 1 Bw | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function. | |||||
| CVE-2018-20438 | 1 Technicolor | 2 Tc7110.ar, Tc7110.ar Firmware | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| Technicolor TC7110.AR STD3.38.03 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests. | |||||
| CVE-2018-16115 | 1 Lightbend | 1 Akka | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG implementations were not configured by default but examples in the documentation showed (and therefore implicitly recommended) using the custom ones. This can be used by an attacker to compromise the communication if these random number generators are enabled in configuration. It would be possible to eavesdrop, replay, or modify the messages sent with Akka Remoting/Cluster. | |||||
| CVE-2018-15719 | 1 Opendental | 1 Opendental | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| Open Dental before version 18.4 installs a mysql database and uses the default credentials of "root" with a blank password. This allows anyone on the network with access to the server to access all database information. | |||||
| CVE-2015-5243 | 1 Phpwhois Project | 1 Phpwhois | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| phpWhois allows remote attackers to execute arbitrary code via a crafted whois record. | |||||
| CVE-2016-1000271 | 1 Dthdevelopment | 1 Dt Register | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Joomla extension DT Register version before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5) contains an SQL injection in "/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events". This attack appears to be exploitable if the attacker can reach the web server. | |||||
| CVE-2018-1000827 | 1 Ubilling | 1 Ubilling | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Ubilling version <= 0.9.2 contains a Other/Unknown vulnerability in user-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. | |||||
| CVE-2018-3919 | 1 Samsung | 2 Sth-eth-250, Sth-eth-250 Firmware | 2023-12-10 | 9.0 HIGH | 9.9 CRITICAL |
| An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process insecurely extracts the fields from the "clips" table of its SQLite database, leading to a buffer overflow on the stack. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
| CVE-2018-19601 | 1 Rhymix | 1 Rhymix | 2023-12-10 | 6.5 MEDIUM | 9.1 CRITICAL |
| Rhymix CMS 1.9.8.1 allows SSRF via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload. | |||||
| CVE-2018-0670 | 1 Mnc | 1 Inplc-rt | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0669. | |||||
| CVE-2018-10635 | 1 Universal-robots | 2 Cb3.1, Cb3.1 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, ports 30001/TCP to 30003/TCP listen for arbitrary URScript code and execute the code. This enables a remote attacker who has access to the ports to remotely execute code that may allow root access to be obtained. | |||||
| CVE-2018-12410 | 1 Tibco | 1 Spotfire Statistics Services | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The web server component of TIBCO Software Inc's Spotfire Statistics Services contains multiple vulnerabilities that may allow the remote execution of code. Without needing to authenticate, an attacker may be able to remotely execute code with the permissions of the system account used to run the web server component. Affected releases are TIBCO Software Inc. TIBCO Spotfire Statistics Services versions up to and including 7.11.0. | |||||
| CVE-2018-20248 | 1 Foxitsoftware | 1 Quick Pdf Library | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In Foxit Quick PDF Library (all versions prior to 16.12), issue where loading a malformed or malicious PDF containing invalid xref table pointers or invalid xref table data using the LoadFromFile, LoadFromString, LoadFromStream, DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out of bounds memory access. | |||||
| CVE-2018-8788 | 3 Canonical, Debian, Freerdp | 3 Ubuntu Linux, Debian Linux, Freerdp | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution. | |||||