Total
23734 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-7602 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | |||||
CVE-2018-1000881 | 1 Traccar | 1 Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote Command Execution. This attack appear to be exploitable via Remote: web application request by a self-registered user. This vulnerability appears to have been fixed in 4.1 and later. | |||||
CVE-2018-7811 | 1 Schneider-electric | 8 Modicom Bmxnor0200h, Modicom Bmxnor0200h Firmware, Modicom M340 and 5 more | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server | |||||
CVE-2018-16281 | 1 Deiser | 1 Profields-project Custom Fields | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control. | |||||
CVE-2018-13821 | 1 Ca | 1 Unified Infrastructure Management | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A lack of authentication, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows remote attackers to conduct a variety of attacks, including file reading/writing. | |||||
CVE-2018-3772 | 1 Whereis Project | 1 Whereis | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead. | |||||
CVE-2018-9356 | 1 Google | 1 Android | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
In bnep_data_ind of bnep_main.c, there is a possible remote code execution due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74950468. | |||||
CVE-2018-16590 | 1 Furuno | 4 Felcom 250, Felcom 250 Firmware, Felcom 500 and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication. | |||||
CVE-2018-3779 | 1 Activesupport Project | 1 Activesupport | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system. | |||||
CVE-2018-14351 | 4 Canonical, Debian, Mutt and 1 more | 4 Ubuntu Linux, Debian Linux, Mutt and 1 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size. | |||||
CVE-2018-4013 | 2 Debian, Live555 | 2 Debian Linux, Live555 Media Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability. | |||||
CVE-2018-18084 | 1 Comsenz | 1 Duomicms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in DuomiCMS 3.0. SQL injection exists in the ajax.php file, as demonstrated by the uid parameter. | |||||
CVE-2018-12369 | 2 Canonical, Mozilla | 3 Ubuntu Linux, Firefox, Firefox Esr | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions. This vulnerability affects Firefox ESR < 60.1 and Firefox < 61. | |||||
CVE-2018-12671 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including all password sets set within the camera. This information can then be used to gain access to the web interface. | |||||
CVE-2018-14364 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component. | |||||
CVE-2016-10727 | 2 Canonical, Gnome | 2 Ubuntu Linux, Evolution | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly. | |||||
CVE-2018-16669 | 1 Circontrol | 1 Open Charge Point Protocol | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels. | |||||
CVE-2018-17376 | 1 Thephpfactory | 1 Reverse Auction Factory | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter. | |||||
CVE-2019-7160 | 1 Idreamsoft | 1 Icms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ Directory Traversal via the udir parameter to files.admincp.php, resulting in execution of arbitrary PHP code from a ZIP file via the admincp.php?app=apps zipfile parameter to apps.admincp.php. | |||||
CVE-2018-18923 | 1 Abisoftgt | 1 Ticketly | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php. |