Total: 324452 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2018-18014 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 4.8 Medium | * Lack of authentication in Citrix Xen Mobile through 10.8 allows low-privileged local users to execute system commands as root by making requests to private services listening on ports 8000, 30000 and 30001. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost." |
| CVE-2018-18013 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | N/A | * Xen Mobile through 10.8.0 includes a service listening on port 5001 within its firewall that accepts unauthenticated input. If this service is supplied with raw serialised Java objects, it deserialises them back into Java objects in memory, giving rise to a remote code execution vulnerability. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost." |
| CVE-2018-18009 | 1 Dlink | 4 Dir-140l, Dir-140l Firmware, Dir-640l and 1 more | 2024-11-21 | 9.8 Critical | dirary0.js on D-Link DIR-140L, DIR-640L devices allows remote unauthenticated attackers to discover admin credentials. |
| CVE-2018-18008 | 1 Dlink | 14 Dir-140l, Dir-140l Firmware, Dir-640l and 11 more | 2024-11-21 | N/A | spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials. |
| CVE-2018-18007 | 1 Dlink | 2 Dsl-2770l, Dsl-2770l Firmware | 2024-11-21 | 9.8 Critical | atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials. |
| CVE-2018-18006 | 1 Ricoh | 1 Myprint | 2024-11-21 | N/A | Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files. |
| CVE-2018-18005 | 1 Vivotek | 1 Camera | 2024-11-21 | N/A | Cross-site scripting in event_script.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter. |
| CVE-2018-18004 | 1 Vivotek | 1 Camera | 2024-11-21 | N/A | Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter. |
| CVE-2018-17997 | 1 Layerbb | 1 Layerbb | 2024-11-21 | N/A | LayerBB 1.1.1 allows XSS via the titles of conversations (PMs). |
| CVE-2018-17996 | 1 Layerbb | 1 Layerbb | 2024-11-21 | N/A | LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/. |
| CVE-2018-17990 | 1 Dlink | 2 Dsl-3782, Dsl-3782 Firmware | 2024-11-21 | N/A | An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. An OS command injection vulnerability in Acl.asp allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter. |
| CVE-2018-17989 | 1 Dlink | 2 Dsl-3782, Dsl-3782 Firmware | 2024-11-21 | N/A | A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested. |
| CVE-2018-17988 | 1 Layerbb | 1 Layerbb | 2024-11-21 | 9.8 Critical | LayerBB 1.1.1 and 1.1.3 has SQL Injection via the search.php search_query parameter. |
| CVE-2018-17987 | 1 Hashheroes | 1 Hashheroes | 2024-11-21 | N/A | The determineWinner function of a smart contract implementation for HashHeroes Tiles, an Ethereum game, uses a certain blockhash value in an attempt to generate a random number for the case where NUM_TILES equals the number of people who purchased a tile, which allows an attacker to control the awarding of the prize by being the last person to purchase a tile. |
| CVE-2018-17986 | 1 Razorcms | 1 Razorcms | 2024-11-21 | N/A | rars/user/data in razorCMS 3.4.8 allows CSRF for changing the password of an admin user. |
| CVE-2018-17985 | 1 Gnu | 1 Binutils | 2024-11-21 | N/A | An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters. |
| CVE-2018-17984 | 1 Ispconfig | 1 Ispconfig | 2024-11-21 | N/A | An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access. |
| CVE-2018-17983 | 1 Mercurial | 1 Mercurial | 2024-11-21 | N/A | cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. |
| CVE-2018-17981 | 1 Lifesize | 4 Express 220, Express 220 Firmware, Room 220i and 1 more | 2024-11-21 | 6.1 Medium | Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the interface/interface.php brand parameter. |
| CVE-2018-17980 | 1 Nomachine | 1 Nomachine | 2024-11-21 | N/A | NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is executed. (The directory could, in general, be on a local filesystem or a network share.) |