| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1000170 |
|
|
XSS |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
2 |
CVE-2018-1000163 |
|
|
XSS |
2018-04-18 |
2018-04-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Floodlight version 1.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in the web console that can result in javascript injections into the web page. This attack appears to be exploitable via the victim browsing the web console. |
|
3 |
CVE-2018-1000162 |
|
|
Exec Code XSS |
2018-04-18 |
2018-04-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML escaping by breaking AST boundaries. This vulnerability appears to have been fixed in 1.7.0 and later. |
|
4 |
CVE-2018-1000161 |
|
|
Dir. Trav. |
2018-04-18 |
2018-04-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
nmap version 6.49BETA6 through 7.60, up to and including SVN revision 37147 contains a Directory Traversal vulnerability in NSE script http-fetch that can result in file overwrite as the user is running it. This attack appears to be exploitable via a victim that runs NSE script http-fetch against a malicious web site. This vulnerability appears to have been fixed in 7.7. |
|
5 |
CVE-2018-1000160 |
|
|
XSS |
2018-04-18 |
2018-04-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as safe. This attack appears to be exploitable via A number of XSS strings(26) detailed in the GitHub issue #16. |
|
6 |
CVE-2018-1000153 |
|
|
DoS CSRF |
2018-04-05 |
2018-04-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). |
|
7 |
CVE-2018-1000144 |
|
|
XSS |
2018-04-05 |
2018-04-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. |
|
8 |
CVE-2018-1000139 |
79 |
|
XSS |
2018-03-23 |
2018-04-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. |
|
9 |
CVE-2018-1000137 |
352 |
|
CSRF |
2018-03-23 |
2018-04-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. |
|
10 |
CVE-2018-1000131 |
89 |
|
Sql |
2018-03-14 |
2018-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be exploitable via web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later. |
|
11 |
CVE-2018-1000129 |
79 |
|
XSS |
2018-03-14 |
2018-04-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser. |
|
12 |
CVE-2018-1000119 |
200 |
|
+Info CSRF |
2018-03-07 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0. |
|
13 |
CVE-2018-1000113 |
79 |
|
XSS |
2018-03-13 |
2018-04-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript |
|
14 |
CVE-2018-1000108 |
79 |
|
XSS |
2018-03-13 |
2018-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed. |
|
15 |
CVE-2018-1000095 |
79 |
|
XSS |
2018-03-12 |
2018-04-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3. |
|
16 |
CVE-2018-1000092 |
352 |
|
CSRF |
2018-03-13 |
2018-04-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6. |
|
17 |
CVE-2018-1000088 |
79 |
|
XSS |
2018-03-13 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0. |
|
18 |
CVE-2018-1000087 |
79 |
|
XSS |
2018-03-13 |
2018-04-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in "Create New File" and "Create New Directory" input box from 'files' Tab that can result in Session Hijacking, Spread Worms,Control the browser remotely. . This attack appear to be exploitable via Attacker can execute the JavaScript into the "Create New File" and "Create New Directory" input box from 'files'. |
|
19 |
CVE-2018-1000086 |
352 |
|
Exec Code CSRF |
2018-03-13 |
2018-04-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later. |
|
20 |
CVE-2018-1000084 |
79 |
|
XSS |
2018-03-13 |
2018-04-06 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from Layout tab) that can result in low privilege user can steal the cookie of admin user and compromise the admin account. This attack appear to be exploitable via Need to enter the Javascript code into Layout Name . |
|
21 |
CVE-2018-1000083 |
22 |
|
Dir. Trav. |
2018-03-13 |
2018-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ajenti version version 2 contains a Improper Error Handling vulnerability in Login JSON request that can result in The requisition leaks a path of the server. This attack appear to be exploitable via By sending a malformed JSON, the tool responds with a traceback error that leaks a path of the server. |
|
22 |
CVE-2018-1000082 |
352 |
|
Exec Code CSRF |
2018-03-13 |
2018-04-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed.. |
|
23 |
CVE-2018-1000079 |
22 |
|
Dir. Trav. |
2018-03-13 |
2018-04-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. |
|
24 |
CVE-2018-1000078 |
79 |
|
XSS |
2018-03-13 |
2018-04-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. |
|
25 |
CVE-2018-1000073 |
22 |
|
Dir. Trav. |
2018-03-13 |
2018-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. |
|
26 |
CVE-2018-1000062 |
79 |
|
XSS |
2018-02-09 |
2018-03-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be exploitable via Crafted SVG File. |
|
27 |
CVE-2018-1000053 |
352 |
|
CSRF |
2018-02-09 |
2018-03-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint. |
|
28 |
CVE-2018-1000044 |
89 |
|
Exec Code Sql |
2018-02-09 |
2018-02-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a SQL Injection vulnerability in .inc/callback.php that can result in execution of SQL commands. This attack appear to be exploitable via Web request to .inc/callback.php with the payload in the sensors parameter, used in ec(). This vulnerability appears to have been fixed in 1.7.0. |
|
29 |
CVE-2018-1000029 |
79 |
|
XSS |
2018-02-09 |
2018-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . This attack appear to be exploitable via Payload delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference. Payload executed when the user visits the index view (/). |
|
30 |
CVE-2018-1000020 |
79 |
|
XSS |
2018-02-09 |
2018-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. |
|
31 |
CVE-2018-1000016 |
|
|
XSS |
2018-01-23 |
2018-01-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Ant Plugin 1.7 and earlier failed to escape tool names it shows on job configuration screens, resulting in a cross-site scripting vulnerability that is exploitable only by Jenkins administrators. |
|
32 |
CVE-2018-1000014 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. |
|
33 |
CVE-2018-1000013 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. |
|
34 |
CVE-2018-10230 |
|
|
XSS |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455. |
|
35 |
CVE-2018-10227 |
|
|
XSS |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter. |
|
36 |
CVE-2018-10225 |
|
|
Sql |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
thinkphp 3.1.3 has SQL Injection via the index.php s parameter. |
|
37 |
CVE-2018-10224 |
|
|
CSRF |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html. |
|
38 |
CVE-2018-10223 |
|
|
CSRF |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html. |
|
39 |
CVE-2018-10222 |
|
|
CSRF |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP. |
|
40 |
CVE-2018-10221 |
|
|
XSS |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload. |
|
41 |
CVE-2018-10188 |
|
|
CSRF |
2018-04-19 |
2018-04-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php. |
|
42 |
CVE-2018-10185 |
|
|
CSRF |
2018-04-17 |
2018-04-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call. |
|
43 |
CVE-2018-10183 |
|
|
XSS |
2018-04-17 |
2018-04-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in BigTree 4.2.22. There is cross-site scripting (XSS) in /core/inc/lib/less.php/test/index.php because of a $_SERVER['REQUEST_URI'] echo, as demonstrated by the dir parameter in a file=charsets action. |
|
44 |
CVE-2018-10138 |
|
|
XSS |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The CATALooK.netStore module through 7.2.8 for DNN (formerly DotNetNuke) allows XSS via the /ViewEditGoogleMaps.aspx PortalID or CATSkin parameter, or the /ImageViewer.aspx link or desc parameter. |
|
45 |
CVE-2018-10137 |
|
|
CSRF |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the Admin Panel via the /cms?section=manage_settings&action=edit URI. |
|
46 |
CVE-2018-10136 |
|
|
XSS |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
iScripts UberforX 2.2 has Stored XSS in the "manage_settings" section of the Admin Panel via a value field to the /cms?section=manage_settings&action=edit URI. |
|
47 |
CVE-2018-10135 |
|
|
XSS |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
iScripts eSwap v2.4 has Reflected XSS via the "catwiseproducts.php" catid parameter in the User Panel. |
|
48 |
CVE-2018-10132 |
|
|
CSRF |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter. |
|
49 |
CVE-2018-10128 |
|
|
XSS |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in XYHCMS 3.5. It has XSS via the test parameter to index.php. |
|
50 |
CVE-2018-10127 |
|
|
CSRF |
2018-04-16 |
2018-04-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role. |
