Search Results (83038 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2018-5411 1 Pixar 1 Tractor 2024-11-21 N/A
Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable.
CVE-2018-5405 1 Quest 2 Kace Systems Management Appliance, Kace Systems Management Appliance Firmware 2024-11-21 N/A
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator.
CVE-2018-5403 1 Imperva 1 Securesphere 2024-11-21 N/A
Imperva SecureSphere gateway (GW) running v13, for both pre-First Time Login or post-First Time Login (FTL), if the attacker knows the basic authentication passwords, the GW may be vulnerable to RCE through specially crafted requests, from the web access management interface.
CVE-2018-5399 1 Auto-maskin 4 Dcu-210e, Dcu-210e Firmware, Rp-210e and 1 more 2024-11-21 N/A
The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
CVE-2018-5388 3 Canonical, Debian, Strongswan 3 Ubuntu Linux, Debian Linux, Strongswan 2024-11-21 N/A
In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.
CVE-2018-5376 1 Discuz 1 Discuzx 2024-11-21 6.1 Medium
Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_upload.php op parameter.
CVE-2018-5375 1 Discuz 1 Discuzx 2024-11-21 N/A
Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_space.php appid parameter in a delete action.
CVE-2018-5371 2 D-link, Dlink 4 Dsl-2540u Firmware, Dsl-2640u Firmware, Dsl-2540u and 1 more 2024-11-21 N/A
diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME_1.00, and DSL-2540U devices with firmware ME_1.00, allows authenticated remote attackers to execute arbitrary OS commands via shell metacharacters in the ipaddr field of an HTTP GET request.
CVE-2018-5370 1 Bizlogicdev 1 Xnami 2024-11-21 N/A
BizLogic xnami 1.0 has XSS via the comment parameter in an addComment action to the /media/ajax URI.
CVE-2018-5369 1 Srbtranslatin Project 1 Srbtranslatin 2024-11-21 N/A
The SrbTransLatin plugin 1.46 for WordPress has XSS via an srbtranslatoptions action to wp-admin/options-general.php with a lang_identificator parameter.
CVE-2018-5367 1 Wpglobus 1 Wpglobus 2024-11-21 N/A
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][post] parameter to wp-admin/options.php.
CVE-2018-5366 1 Wpglobus 1 Wpglobus 2024-11-21 N/A
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php.
CVE-2018-5365 1 Wpglobus 1 Wpglobus 2024-11-21 N/A
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[selector_wp_list_pages][show_selector] parameter to wp-admin/options.php.
CVE-2018-5364 1 Wpglobus 1 Wpglobus 2024-11-21 N/A
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php.
CVE-2018-5363 1 Wpglobus 1 Wpglobus 2024-11-21 N/A
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] (or any other language) parameter to wp-admin/options.php.
CVE-2018-5362 1 Wpglobus 1 Wpglobus 2024-11-21 N/A
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][page] parameter to wp-admin/options.php.
CVE-2018-5358 2 Canonical, Imagemagick 2 Ubuntu Linux, Imagemagick 2024-11-21 N/A
ImageMagick 7.0.7-22 Q16 has memory leaks in the EncodeImageAttributes function in coders/json.c, as demonstrated by the ReadPSDLayersInternal function in coders/psd.c.
CVE-2018-5357 2 Canonical, Imagemagick 2 Ubuntu Linux, Imagemagick 2024-11-21 N/A
ImageMagick 7.0.7-22 Q16 has memory leaks in the ReadDCMImage function in coders/dcm.c.
CVE-2018-5349 1 Heimdalsecurity 1 Heimdal 2024-11-21 N/A
A vulnerability has been found in Heimdal PRO v2.2.190, but it is most likely also present in Heimdal FREE and Heimdal CORP. Faulty permissions on the directory "C:\ProgramData\Heimdal Security\Heimdal Agent" allow BUILTIN\Users to write new files to the directory. On startup, the process Heimdal.MonitorServices.exe running as SYSTEM will attempt to load version.dll from this directory. Placing a malicious version.dll in this directory will result in privilege escalation. NOTE: any affected Heimdal products are completely unrelated to the Heimdal vendor of a Kerberos 5 product on the h5l.org web site.
CVE-2018-5347 1 Seagate 2 Personal Cloud, Personal Cloud Firmware 2024-11-21 N/A
Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.