Search Results (83071 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2018-7448 1 Cmsmadesimple 1 Cms Made Simple 2024-11-21 N/A
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
CVE-2018-7447 1 Mojoportal 1 Mojoportal 2024-11-21 N/A
mojoPortal through 2.6.0.0 is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of the 'Blog' page are vulnerable. NOTE: The software maintainer disputes this as a vulnerability because the fields claimed to be vulnerable to XSS are only available to administrators who are supposed to have access to add scripts
CVE-2018-7443 3 Canonical, Debian, Imagemagick 3 Ubuntu Linux, Debian Linux, Imagemagick 2024-11-21 N/A
The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 does not properly validate the amount of image data in a file, which allows remote attackers to cause a denial of service (memory allocation failure in the AcquireMagickMemory function in MagickCore/memory.c).
CVE-2018-7440 2 Debian, Leptonica 2 Debian Linux, Leptonica 2024-11-21 N/A
An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function allows command injection via a $(command) approach in the gplot rootname argument. This issue exists because of an incomplete fix for CVE-2018-3836.
CVE-2018-7427 1 Splunk 1 Splunk 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2018-7420 2 Debian, Wireshark 2 Debian Linux, Wireshark 2024-11-21 N/A
In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the pcapng file parser could crash. This was addressed in wiretap/pcapng.c by adding a block-size check for sysdig event blocks.
CVE-2018-7408 1 Npmjs 1 Npm 2024-11-21 N/A
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.
CVE-2018-7407 1 Foxitsoftware 2 Phantompdf, Reader 2024-11-21 N/A
An issue was discovered in Foxit Reader before 9.1 and PhantomPDF before 9.1. This vulnerability allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when rendering U3D images inside of pdf files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process.
CVE-2018-7405 1 Zohocorp 1 Manageengine Eventlog Analyzer 2024-11-21 N/A
Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2018-7359 1 Zte 2 Zxhn F670, Zxhn F670 Firmware 2024-11-21 N/A
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.
CVE-2018-7355 1 Zte 4 Mf65, Mf65 Firmware, Mf65m1 and 1 more 2024-11-21 N/A
All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices.
CVE-2018-7311 1 Privatevpn 1 Privatevpn 2024-11-21 8.8 High
PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation vulnerability. The software installs a privileged helper tool that runs as the root user. This privileged helper tool is installed as a LaunchDaemon and implements an XPC service. The XPC service is responsible for handling new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the openvpn binary located in the /Applications/PrivateVPN.app/Contents/Resources directory. The openvpn binary can be overwritten by the default user, which allows an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. NOTE: the vendor has reportedly indicated that this behavior is "an acceptable part of their software.
CVE-2018-7303 1 Tiki 1 Tikiwiki Cms\/groupware 2024-11-21 N/A
The Calendar component in Tiki 17.1 allows HTML injection.
CVE-2018-7302 1 Tiki 1 Tiki 2024-11-21 N/A
Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS.
CVE-2018-7290 1 Tiki 1 Tikiwiki Cms\/groupware 2024-11-21 N/A
Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1.
CVE-2018-7287 1 Digium 1 Asterisk 2024-11-21 N/A
An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop).
CVE-2018-7280 1 Ninjaforms 1 Ninja Forms 2024-11-21 N/A
The Ninja Forms plugin before 3.2.14 for WordPress has XSS.
CVE-2018-7278 1 Rletech 4 Fds-pc, Fds-pc-dp, Fds-pc-dp Firmware and 1 more 2024-11-21 N/A
An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP 2.1 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP.
CVE-2018-7277 1 Rletech 4 Fds-wi, Fds-wi Firmware, Wi-mgr and 1 more 2024-11-21 N/A
An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP.
CVE-2018-7274 1 Quarx Cms Project 1 Quarx Cms 2024-11-21 6.1 Medium
Yab Quarx through 2.4.3 is prone to multiple persistent cross-site scripting vulnerabilities: Blog (Title), FAQ (Question), Pages (Title), Widgets (Name), and Menus (Name).