Search Results (82984 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2018-3820 1 Elastic 1 Kibana 2024-11-21 6.1 Medium
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVE-2018-3818 1 Elastic 1 Kibana 2024-11-21 N/A
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVE-2018-3786 1 Eggjs 1 Egg-scripts 2024-11-21 9.8 Critical
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
CVE-2018-3785 1 Git-dummy-commit Project 1 Git-dummy-commit 2024-11-21 9.8 Critical
A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.
CVE-2018-3781 1 Nextcloud 1 Talk 2024-11-21 N/A
A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.
CVE-2018-3780 1 Nextcloud 1 Nextcloud Server 2024-11-21 N/A
A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.
CVE-2018-3779 1 Activesupport Project 1 Activesupport 2024-11-21 N/A
active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2018-3773 1 Metascraper Project 1 Metascraper 2024-11-21 6.1 Medium
There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2.
CVE-2018-3772 1 Whereis Project 1 Whereis 2024-11-21 N/A
Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead.
CVE-2018-3771 1 Statics-server Project 1 Statics-server 2024-11-21 6.1 Medium
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-3769 1 Ruby-grape 1 Grape 2024-11-21 6.1 Medium
ruby-grape ruby gem suffers from a cross-site scripting (XSS) vulnerability via "format" parameter.
CVE-2018-3764 1 Nextcloud 1 Contacts 2024-11-21 4.8 Medium
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
CVE-2018-3763 1 Nextcloud 1 Calendar 2024-11-21 4.8 Medium
In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
CVE-2018-3757 1 Pdf-image Project 1 Pdf-image 2024-11-21 9.8 Critical
Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.
CVE-2018-3755 1 Sexstatic Project 1 Sexstatic 2024-11-21 6.1 Medium
XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name.
CVE-2018-3748 1 Glance Project 1 Glance 2024-11-21 N/A
There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. File name, which contains malicious HTML (eg. embedded iframe element or javascript: pseudo-protocol handler in <a> element) allows to execute JavaScript code against any user who opens a directory listing containing such crafted file name.
CVE-2018-3747 1 Public.js Project 1 Public.js 2024-11-21 N/A
The public node module versions <= 1.0.3 allows to embed HTML in file names, which (in certain conditions) might lead to execute malicious JavaScript.
CVE-2018-3746 1 Pdfinfojs Project 1 Pdfinfojs 2024-11-21 9.8 Critical
The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.
CVE-2018-3741 2 Redhat, Rubyonrails 2 Cloudforms Managementengine, Html Sanitizer 2024-11-21 6.1 Medium
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
CVE-2018-3740 1 Sanitize Project 1 Sanitize 2024-11-21 N/A
A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.