Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
Max CVSS
9.8
EPSS Score
0.96%
Published
2018-09-18
Updated
2023-03-09
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appear to be exploitable via a malicious application call the vulnerable kernel APIs (system sys_ring_buf_get() and sys_ring_buf_put).
Max CVSS
9.8
EPSS Score
0.21%
Published
2018-09-06
Updated
2020-05-13
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.
Max CVSS
8.8
EPSS Score
0.99%
Published
2018-09-06
Updated
2018-11-14
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11.
Max CVSS
8.8
EPSS Score
0.09%
Published
2018-09-06
Updated
2018-11-07
GIG Technology NV JumpScale Portal 7 version before commit 15443122ed2b1cbfd7bdefc048bf106f075becdb contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in method: notifySpaceModification; that can result in Improper validation of parameters results in command execution. This attack appear to be exploitable via Network connectivity, required minimal auth privileges (everyone can register an account). This vulnerability appears to have been fixed in After commit 15443122ed2b1cbfd7bdefc048bf106f075becdb.
Max CVSS
10.0
EPSS Score
0.94%
Published
2018-09-06
Updated
2019-03-07
LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability in file upload functionality that can result in remote code execution as authenticated user. This attack appear to be exploitable via An authenticated user can upload a specially crafted zip file to get remote code execution. This vulnerability appears to have been fixed in after commit 72a02ebaaf95a80e26127ee7ee2b123cccce05a7 / version 3.14.4.
Max CVSS
8.8
EPSS Score
0.25%
Published
2018-09-06
Updated
2018-10-26
LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gaining code execution via webshell. This attack appear to be exploitable via an authenticated user uploading a zip archive which can contains malicious php files that can be called under certain circumstances. This vulnerability appears to have been fixed in after commit 91d143230eb357260a19c8424b3005deb49a47f7 / version 3.14.4.
Max CVSS
8.8
EPSS Score
0.12%
Published
2018-09-06
Updated
2018-10-26
An issue was discovered in MRCMS (aka mushroom) through 3.1.2. The WebParam.java file directly accepts the FIELD_T parameter in a request and uses it as a hash of SQL statements without filtering, resulting in a SQL injection vulnerability in getChannel() in the ChannelService.java file.
Max CVSS
9.8
EPSS Score
0.17%
Published
2018-09-30
Updated
2018-11-21
The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
Max CVSS
8.8
EPSS Score
1.30%
Published
2018-09-30
Updated
2020-10-16
Telegram Desktop (aka tdesktop) 1.3.16 alpha, when "Use proxy" is enabled, sends credentials and application data in cleartext over the SOCKS5 protocol.
Max CVSS
9.8
EPSS Score
0.22%
Published
2018-09-28
Updated
2019-10-03
Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) because properties of Annotation objects are mishandled. This relates to one of five distinct types of Annotation objects.
Max CVSS
9.8
EPSS Score
0.39%
Published
2018-09-28
Updated
2018-11-14
Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) because properties of Annotation objects are mishandled. This relates to one of five distinct types of Annotation objects.
Max CVSS
9.8
EPSS Score
0.39%
Published
2018-09-28
Updated
2018-11-14
Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) because properties of Annotation objects are mishandled. This relates to one of five distinct types of Annotation objects.
Max CVSS
9.8
EPSS Score
0.39%
Published
2018-09-28
Updated
2018-11-14
Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) because properties of Annotation objects are mishandled. This relates to one of five distinct types of Annotation objects.
Max CVSS
9.8
EPSS Score
0.39%
Published
2018-09-28
Updated
2018-11-14
Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) because properties of Annotation objects are mishandled. This relates to one of five distinct types of Annotation objects.
Max CVSS
9.8
EPSS Score
0.39%
Published
2018-09-28
Updated
2018-11-14
SWA SWA.JACAD 3.1.37 Build 024 has SQL Injection via the /academico/aluno/esqueci-minha-senha/ studentId parameter.
Max CVSS
9.8
EPSS Score
0.21%
Published
2018-09-28
Updated
2018-11-21
The Wp-Insert plugin through 2.4.2 for WordPress allows upload of arbitrary PHP code because of the exposure and configuration of FCKeditor under fckeditor/editor/filemanager/browser/default/browser.html, fckeditor/editor/filemanager/connectors/test.html, and fckeditor/editor/filemanager/connectors/uploadtest.html.
Max CVSS
9.8
EPSS Score
2.76%
Published
2018-09-28
Updated
2018-11-23
utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption.
Max CVSS
9.8
EPSS Score
0.14%
Published
2018-09-26
Updated
2018-11-26
network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption.
Max CVSS
9.8
EPSS Score
0.14%
Published
2018-09-26
Updated
2018-11-26
utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption.
Max CVSS
9.8
EPSS Score
0.13%
Published
2018-09-26
Updated
2018-11-20
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
Max CVSS
9.8
EPSS Score
0.17%
Published
2018-09-26
Updated
2018-11-20
Axon (formerly TASER International) Evidence Sync 3.15.89 is vulnerable to process injection. NOTE: the vendor's position is that this CVE is not associated with information that supports any finding of any type of vulnerability
Max CVSS
9.8
EPSS Score
2.93%
Published
2018-09-26
Updated
2024-03-21
An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20.
Max CVSS
10.0
EPSS Score
0.66%
Published
2018-09-26
Updated
2018-12-17
Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI.
Max CVSS
9.8
EPSS Score
0.13%
Published
2018-09-26
Updated
2020-04-14
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to impersonate a user and set up their account without their knowledge. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
Max CVSS
8.8
EPSS Score
0.20%
Published
2018-09-23
Updated
2024-03-21
385 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!