Total
323590 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-14707 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations. | ||||
| CVE-2018-14706 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | ||||
| CVE-2018-14705 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 9.8 Critical |
| In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself. | ||||
| CVE-2018-14704 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path. | ||||
| CVE-2018-14703 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | ||||
| CVE-2018-14702 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | ||||
| CVE-2018-14701 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | ||||
| CVE-2018-14700 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter. | ||||
| CVE-2018-14699 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | ||||
| CVE-2018-14698 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter. | ||||
| CVE-2018-14697 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter. | ||||
| CVE-2018-14696 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | ||||
| CVE-2018-14695 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter. | ||||
| CVE-2018-14691 | 1 Subsonic | 1 Subsonic | 2024-11-21 | N/A |
| An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim. | ||||
| CVE-2018-14690 | 1 Subsonic | 1 Subsonic | 2024-11-21 | N/A |
| An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim. | ||||
| CVE-2018-14689 | 1 Subsonic | 1 Subsonic | 2024-11-21 | N/A |
| An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim. | ||||
| CVE-2018-14688 | 1 Subsonic | 1 Subsonic | 2024-11-21 | N/A |
| An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim. | ||||
| CVE-2018-14686 | 1 Xycms Project | 1 Xycms | 2024-11-21 | N/A |
| system/edit_book.php in XYCMS 1.7 has stored XSS via a crafted add_do.php request, related to add_book.php. | ||||
| CVE-2018-14685 | 1 Gxlcms | 1 Gxlcms | 2024-11-21 | N/A |
| The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php. | ||||
| CVE-2018-14683 | 1 Paessler | 1 Prtg Network Monitor | 2024-11-21 | N/A |
| PRTG before 19.1.49.1966 has Cross Site Scripting (XSS) in the WEBGUI. | ||||