Filtered by CWE-94
Total 3863 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-8073 1 Yiiframework 1 Yii 2024-08-05 N/A
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary Lua code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVE-2018-8074 1 Yiiframework 1 Yii 2024-08-05 N/A
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVE-2018-7951 1 Huawei 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more 2024-08-05 N/A
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers has a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of the administrator. Successful exploit may allow attackers to obtain the management privilege of the system.
CVE-2018-7950 1 Huawei 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more 2024-08-05 N/A
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers has a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of the administrator. Successful exploit may allow attackers to obtain the management privilege of the system.
CVE-2018-7748 1 Servicenow 1 Servicenow 2024-08-05 N/A
report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the sysparm_media parameter.
CVE-2018-7801 1 Schneider-electric 2 Evlink Parking, Evlink Parking Firmware 2024-08-05 8.8 High
A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed.
CVE-2018-7756 1 Dewesoft 1 Dewesoft 2024-08-05 N/A
RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.
CVE-2018-7633 1 Adbglobal 1 Epicentro 2024-08-05 N/A
Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.
CVE-2018-7466 1 Testlink 1 Testlink 2024-08-05 N/A
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
CVE-2018-7271 1 Metinfo 1 Metinfo 2024-08-05 N/A
An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.
CVE-2018-6889 1 Typesettercms 1 Typesetter 2024-08-05 N/A
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.
CVE-2018-6574 3 Debian, Golang, Redhat 8 Debian Linux, Go, Devtools and 5 more 2024-08-05 N/A
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVE-2018-6012 1 Rainmachine 2 Mini-8, Mini-8 Firmware 2024-08-05 N/A
The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function.
CVE-2018-5782 1 Mitel 2 Connect Onsite, St14.2 2024-08-05 N/A
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vsethost.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVE-2018-5781 1 Mitel 2 Connect Onsite, St14.2 2024-08-05 N/A
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vendrecording.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVE-2018-5779 1 Mitel 2 Connect Onsite, St14.2 2024-08-05 N/A
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.
CVE-2018-5780 1 Mitel 2 Connect Onsite, St14.2 2024-08-05 N/A
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vnewmeeting.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVE-2018-5158 4 Canonical, Debian, Mozilla and 1 more 11 Ubuntu Linux, Debian Linux, Firefox and 8 more 2024-08-05 N/A
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
CVE-2018-4031 1 Getcujo 1 Smart Firewall 2024-08-05 10.0 Critical
An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement without prior sanitization, which results in arbitrary Lua script execution in the kernel. An attacker could send an HTTP request to exploit this vulnerability.
CVE-2018-3784 1 Cryo Project 1 Cryo 2024-08-05 9.8 Critical
A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.