Total
322222 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11640 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| XML External Entity (XXE) vulnerability in the web service in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to read arbitrary files or cause a denial of service (resource consumption). | ||||
| CVE-2018-11639 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Plaintext Storage of Passwords within Cookies in /var/www/xms/application/controllers/verifyLogin.php in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to access a user's password in cleartext. | ||||
| CVE-2018-11638 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Unrestricted Upload of a File with a Dangerous Type in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote authenticated users to upload malicious code to the web root to gain code execution. | ||||
| CVE-2018-11637 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Information leakage vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to read arbitrary files from the /var/ directory because a symlink exists under the web root. | ||||
| CVE-2018-11636 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to execute malicious and unauthorized actions. | ||||
| CVE-2018-11635 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication. | ||||
| CVE-2018-11634 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Plaintext Storage of Passwords in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows local users to access the web application's user passwords in cleartext by reading /var/www/xms/xmsdb/default.db. | ||||
| CVE-2018-11633 | 1 Multidots | 1 Woo Checkout For Digital Goods | 2024-11-21 | N/A |
| An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities. | ||||
| CVE-2018-11632 | 1 Multidots | 1 Add Social Share Messenger Buttons Whatsapp And Viber | 2024-11-21 | N/A |
| An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There's no nonce or capability check in the whatsapp_share_setting_add_update() function. | ||||
| CVE-2018-11631 | 1 Rondaful Project | 2 Rondaful M1 Wristband Smart Band 1, Rondaful M1 Wristband Smart Band 1 Firmware | 2024-11-21 | N/A |
| Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to send an arbitrary number of call or SMS notifications via crafted Bluetooth Low Energy (BLE) traffic. | ||||
| CVE-2018-11629 | 1 Lutron | 6 Homeworks Qs, Homeworks Qs Firmware, Radiora 2 and 3 more | 2024-11-21 | N/A |
| Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine | ||||
| CVE-2018-11628 | 1 Emssoftware | 1 Ems Master Calendar | 2024-11-21 | N/A |
| Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS. | ||||
| CVE-2018-11627 | 2 Redhat, Sinatrarb | 3 Cloudforms, Cloudforms Managementengine, Sinatra | 2024-11-21 | N/A |
| Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. | ||||
| CVE-2018-11626 | 1 Simple Lossless Audio Project | 1 Simple Lossless Audio | 2024-11-21 | N/A |
| SELA (aka SimplE Lossless Audio) v0.1.2-alpha has a stack-based buffer overflow in the core/apev2.c init_apev2_keys function. | ||||
| CVE-2018-11625 | 2 Canonical, Imagemagick | 2 Ubuntu Linux, Imagemagick | 2024-11-21 | N/A |
| In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file allows attackers to cause a heap-based buffer over-read via a crafted file. | ||||
| CVE-2018-11624 | 1 Imagemagick | 1 Imagemagick | 2024-11-21 | N/A |
| In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows attackers to cause a use after free via a crafted file. | ||||
| CVE-2018-11623 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the addAdLayer method. By performing actions in JavaScript, an attacker can trigger a type confusion condition. The attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6003. | ||||
| CVE-2018-11622 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ConvertToPDF_x86.dll. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-5873. | ||||
| CVE-2018-11621 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ConvertToPDF_x86.dll. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5896. | ||||
| CVE-2018-11620 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ConvertToPDF_x86.dll. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5756. | ||||