Search Results (82977 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2018-25051 1 Pomash Project 1 Pomash 2024-11-21 2.4 Low
A vulnerability, which was classified as problematic, was found in JmPotato Pomash. This affects an unknown part of the file Pomash/theme/clean/templates/editor.html. The manipulation of the argument article.title/content.title/article.tag leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is be1914ef0a6808e00f51618b2de92496a3604415. It is recommended to apply a patch to fix this issue. The identifier VDB-216957 was assigned to this vulnerability.
CVE-2018-25045 1 Django-rest-framework 1 Django Rest Framework 2024-11-21 6.1 Medium
Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.
CVE-2018-25034 1 Technicolor 2 Thomson Tcw710, Thomson Tcw710 Firmware 2024-11-21 3.5 Low
A vulnerability, which was classified as problematic, has been found in Thomson TCW710 ST5D.10.05. This issue affects some unknown processing of the file /goform/wlanPrimaryNetwork. The manipulation of the argument ServiceSetIdentifier with the input ><script>alert(1)</script> as part of POST Request leads to basic cross site scripting (Persistent). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-126695.
CVE-2018-25029 1 Silabs 10 Zgm130s037hgn, Zgm130s037hgn Firmware, Zgm2305a27hgn and 7 more 2024-11-21 8.1 High
The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic.
CVE-2018-25026 1 Actix 1 Actix-web 2024-11-21 9.8 Critical
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can add the Send marker trait to an object that cannot be sent between threads safely, leading to memory corruption.
CVE-2018-25025 1 Actix 1 Actix-web 2024-11-21 9.8 Critical
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly extend the lifetime of a string, leading to memory corruption.
CVE-2018-25024 1 Actix 1 Actix-web 2024-11-21 9.8 Critical
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.
CVE-2018-25018 2 Linux, Rarlab 2 Linux Kernel, Unrar 2024-11-21 7.8 High
UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write during a memcpy in QuickOpen::ReadRaw when called from QuickOpen::ReadNext.
CVE-2018-25017 1 Rawspeed 1 Rawspeed 2024-11-21 9.8 Critical
RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in TableLookUp::setTable.
CVE-2018-25016 1 Greenbone 2 Greenbone Os, Greenbone Security Assistant 2024-11-21 9.8 Critical
Greenbone Security Assistant (GSA) before 7.0.3 and Greenbone OS (GOS) before 5.0.0 allow Host Header Injection.
CVE-2018-25011 2 Redhat, Webmproject 4 Enterprise Linux, Rhel Eus, Rhmt and 1 more 2024-11-21 9.8 Critical
A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16().
CVE-2018-25007 1 Vaadin 2 Flow, Vaadin 2024-11-21 2.6 Low
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
CVE-2018-21268 1 Traceroute Project 1 Traceroute 2024-11-21 10 Critical
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
CVE-2018-21265 1 Mattermost 1 Mattermost Desktop 2024-11-21 5.3 Medium
An issue was discovered in Mattermost Desktop App before 4.0.0. It mishandled the Same Origin Policy for setPermissionRequestHandler (e.g., video, audio, and notifications).
CVE-2018-21261 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.
CVE-2018-21258 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
CVE-2018-21256 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
CVE-2018-21255 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel.
CVE-2018-21254 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.
CVE-2018-21253 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.